On Thu, Jan 27, 2011 at 01:43:55AM -0500, Tom Parker wrote:

> I am wondering if the account
>
>     account required pam_krb5.so minimum_uid=1000
>
> line is required at all in common-account if I am using LDAP for
> access control. It seems to be doing nothing on my systems and my
> login behaviour does not change if this line is commented out.
What do you mean by "LDAP for access control" - are you validating passwords using an LDAP bind (pam_ldap)? Or are you using LDAP for authorization (nss_ldap)? Or both?

As I understand it, pam_krb5 is basically a password checker; it uses the password you supply to acquire a Kerberos ticket, and as a side-effect lets you log in if it was able to acquire one. That's the "auth" functionality anyway.

The "account" functionality is a bit more subtle. According to the manpage:

http://linux.die.net/man/8/pam_krb5

"If the module did participate in authenticating the user, it will check for an expired user password and verify the user's authorization using the .k5login file of the user being authenticated, which is expected to be accessible to the module."

That's something you're unlikely to use often, since in a regular login the authentication identity and authorization identity are the same.

Regards,
Brian.

________________________________________________
Kerberos mailing list [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
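The authorization step the quoted manpage text describes, modelled as an added example that is not code from the thread or from pam_krb5 itself. It assumes the krb5_kuserok() rule for .k5login (a listed principal is authorized; with no file, only localuser@DEFAULT_REALM is), a constructed default realm of EXAMPLE.COM, and that the module makes no decision when the UID is below minimum_uid or when it did not authenticate the user.

```python
"""
Model of the pam_krb5 "account" phase behind the common-account line
    account required pam_krb5.so minimum_uid=1000
The .k5login rule follows krb5_kuserok(): if ~/.k5login exists, the
authenticated principal must be listed in it; if it does not exist, only
<localuser>@<default realm> is authorized (default auth_to_local mapping).
"""
from typing import Optional

DEFAULT_REALM = "EXAMPLE.COM"   # assumption: this host's default Kerberos realm


def parse_k5login(text: str) -> set:
    """Principals from a .k5login file: one per line, blanks ignored."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def k5login_authorizes(principal: str, local_user: str,
                       k5login: Optional[str],
                       default_realm: str = DEFAULT_REALM) -> bool:
    """May `principal` use the local account `local_user`?

    `k5login` is the file's contents, or None when the file does not exist.
    Note the trap: once a .k5login exists, a user who is not listed in
    their own file is denied, even for their own principal.
    """
    if k5login is None:
        return principal == f"{local_user}@{default_realm}"
    return principal in parse_k5login(k5login)


def account_check(principal: str, local_user: str, uid: int,
                  k5login: Optional[str], minimum_uid: int = 1000,
                  participated_in_auth: bool = True) -> str:
    """Outcome of the account phase: 'ignore', 'ok' or 'denied'.

    'ignore' (assumption: the module makes no decision and the rest of the
    stack decides) covers UIDs below minimum_uid and the case where
    pam_krb5 did not authenticate the user, e.g. pam_ldap did instead.
    """
    if uid < minimum_uid or not participated_in_auth:
        return "ignore"
    if k5login_authorizes(principal, local_user, k5login):
        return "ok"
    return "denied"
```

With pam_ldap doing the authentication, every call lands in the "ignore" branch, which matches the observation that commenting the line out changes nothing.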
