> I don't think Heimdal supports including krb5.conf snippets, which means we can't use the include functionality in kerberos-configs.

And even if it did, it would still be awkward (you have to add the #include at any rate). It needs to be a standard expectation these days that configs in /etc support a foobaz.d directory convention, so all you have to do is drop in a file.

> I don't think it's acceptable from a security standpoint for minimum_uid to be turned off by an upgrade without an affirmative response from the user (not any sort of default), and we can't use any sort of krb5-config dependency to ensure that a Kerberos configuration fragment is available (even if Heimdal supports it) because krb5-config intentionally doesn't mess with a user-supplied krb5.conf file.

Would it work to convert the PAM profile into a config file, and treat an existing file with minimum_uid=1000 as user-modified? I'd argue that this file should be marked as config on its own merits. One other thing I want to do, in fact, is bump down the Priority: so that Kerberos auth is checked after Unix auth. I'd sure want to see the config merge question come up if an update messes with that.

--
https://bugs.launchpad.net/bugs/369575
Title: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
