Tom Parker <[email protected]> writes: > I am wondering if the account
> account required pam_krb5.so minimum_uid=1000 > line is required at all in common-account if I am using LDAP for access > control. it seems to be doing nothing on my systems and my login > behaviour does not change if this line is commented out. All the checks that the pam_krb5 module does during the account group it also does during the auth group, so indeed this check doesn't really do much exciting for you (although it also doesn't hurt). Note: this statement only applies when using the default options. If you set defer_pwchange, you have to have an account group configured or you'll have some security holes. > What checks are being performed here that are needed? > auth sufficient pam_krb5.so minimum_uid=1000 This is what's authenticating your users, assuming you're using Kerberos passwords. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
