Steve Langasek <[email protected]> writes:

> For comparison, here's the /usr/share/pam-configs/krb5 I've been using
> locally for testing:

> Account-Type: Primary
> Account:
>       [success=end new_authtok_reqd=done default=ignore]      pam_krb5.so

What does end do?  It's not documented in the PAM manual.  Is that
equivalent to done?

I believe "done" would bypass all local account expiration checks, meaning
that if an account were locally locked, they would still be able to log on
via Kerberos, which is something the recommended configuration is careful
not to do.

> Bryan, does this config look like it's compatible with your setup?
> Could you test that it works in your environment, in which case I'll
> upload it to jaunty?

Is this something that should also be included in the Debian package?

> BTW, I've never needed to use the pam_krb5 session module.  As far as
> I'm aware, that only exists as a workaround for services that don't call
> pam_setcred() as expected.  Do you know of specific cases where this is
> needed in your environment?

Is there any reason *not* to run it?  As upstream maintainer, I would
certainly recommend adding pam_krb5 to the session configuration.  Under
most circumstances, it's a no-op, but the module recognizes when it is,
and there are applications that don't call setcred.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>
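
Added example, not part of the original message and not code from pam_krb5 or pam-auth-update: a simplified model of how Linux-PAM walks bracketed controls, showing what a "done" action does when it sits ahead of a local account check. The stacks, module return codes and function names are constructed for illustration; only the ok, done, ignore, bad, die and integer-jump actions are modelled.

```python
# Simplified model of Linux-PAM bracket controls ([value=action ...]).
# Modelled actions: ok, done, ignore, bad, die and integer jumps.
SUCCESS, ACCT_EXPIRED, PERM_DENIED = "success", "acct_expired", "perm_denied"
REQUIRED = "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]"

def parse_control(text):
    """Turn '[success=done default=ignore]' into {'success': 'done', ...}."""
    return dict(pair.split("=", 1) for pair in text.strip("[]").split())

def run_stack(stack, results):
    """Walk (control, module) lines; results maps module -> return code.

    Returns (final_status, modules_consulted)."""
    status, failed, consulted, skip = None, False, [], 0
    for control, module in stack:
        if skip:                          # still inside a jump
            skip -= 1
            continue
        consulted.append(module)
        code = results[module]
        actions = parse_control(control)
        action = actions.get(code, actions["default"])  # samples always set default
        if action.isdigit():
            skip = int(action)            # jump over the next N modules
        elif action in ("ok", "done"):
            if not failed and status in (None, SUCCESS):
                status = code
            if action == "done":
                break                     # control returns to the application
        elif action in ("bad", "die"):
            if not failed:
                status, failed = code, True
            if action == "die":
                break
        # "ignore": result does not contribute to the stack status
    return (status or PERM_DENIED), consulted

# Constructed stacks (not the package's shipped or recommended configuration).
DONE_STACK = [("[success=done new_authtok_reqd=done default=ignore]", "pam_krb5.so"),
              (REQUIRED, "pam_unix.so")]
OK_STACK = [("[success=ok new_authtok_reqd=ok default=ignore]", "pam_krb5.so"),
            (REQUIRED, "pam_unix.so")]
# Constructed results: Kerberos account is fine, local account has expired.
RESULTS = {"pam_krb5.so": SUCCESS, "pam_unix.so": ACCT_EXPIRED}

if __name__ == "__main__":
    for name, stack in (("done", DONE_STACK), ("ok", OK_STACK)):
        print(name, run_stack(stack, RESULTS))
```

With "done", the walk stops at pam_krb5.so and the expired local account is never consulted; with "ok", pam_unix.so runs and its failure becomes the stack result.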

-- 
no kerberos support for pam-auth-update?
https://bugs.launchpad.net/bugs/275169
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
