Resending this to the list.

"Markus Moeller" <[EMAIL PROTECTED]> writes:

> I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
> PAM_IGNORE, otherwise if you stack pam modules like:
>
> other account sufficient pam_krb5
> other account required pam_unix
>
> and check for a local non-Kerberos user the account management by pam_unix
> (password expiry, etc.) will be ignored.

I would agree with you except PAM_IGNORE is not a permissible return code for a PAM module according to the Linux PAM standard, which is as close to a standard as we have.

Normally, you don't need to do the above. Other things don't work if the user doesn't have a basic existence in the nsswitch setup for the system, at which point pam_unix's account module will succeed.

-- 
Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
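The stacking behaviour discussed in this thread, as an added example that is not part of the original messages or of pam_krb5: a simplified model of how a Linux-PAM style account stack treats `sufficient` and `required` entries. The enum names, `run_stack` and `local_expired_user` are hypothetical and local to the example, and the expired local account is a constructed case.

```c
#include <stddef.h>
#include <stdio.h>

/* Return codes and control flags local to this model (not the libpam headers). */
enum rc { RC_SUCCESS, RC_IGNORE, RC_ACCT_EXPIRED, RC_PERM_DENIED };
enum ctl { CTL_SUFFICIENT, CTL_REQUIRED };
struct entry { const char *module; enum ctl control; enum rc result; };

/* Simplified stack walk. sufficient: success ends the stack at once unless a
 * required module already failed; other results are ignored. required: a
 * failure marks the stack failed but later modules still run. An ignore
 * result skips the module. *ran counts the modules actually invoked. */
enum rc run_stack(const struct entry *s, size_t n, size_t *ran)
{
    enum rc failed = RC_SUCCESS;
    int any_ok = 0;
    *ran = 0;
    for (size_t i = 0; i < n; i++) {
        enum rc r = s[i].result;
        (*ran)++;
        if (r == RC_IGNORE) continue;
        if (r == RC_SUCCESS) {
            any_ok = 1;
            if (s[i].control == CTL_SUFFICIENT && failed == RC_SUCCESS)
                return RC_SUCCESS;          /* rest of the stack is skipped */
        } else if (s[i].control == CTL_REQUIRED && failed == RC_SUCCESS) {
            failed = r;                     /* remember the first required failure */
        }
    }
    if (failed != RC_SUCCESS) return failed;
    return any_ok ? RC_SUCCESS : RC_PERM_DENIED; /* nothing succeeded: deny */
}

/* Constructed case: local, non-Kerberos user whose pam_unix account has expired. */
enum rc local_expired_user(enum rc krb5_result, size_t *ran)
{
    struct entry stack[] = {
        { "pam_krb5", CTL_SUFFICIENT, krb5_result },
        { "pam_unix", CTL_REQUIRED,   RC_ACCT_EXPIRED },
    };
    return run_stack(stack, 2, ran);
}

int main(void)
{
    size_t ran;
    printf("krb5 SUCCESS -> rc=%d\n", local_expired_user(RC_SUCCESS, &ran));
    printf("krb5 IGNORE  -> rc=%d\n", local_expired_user(RC_IGNORE, &ran));
}
```

In the model, a success result from the `sufficient` entry ends the walk after one module, so the expiry check in the second entry never runs; an ignore result lets the walk reach it.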
