Steve Langasek <[email protected]> writes:

> But it would also be reasonable to set this default via appdefaults in
> /etc/krb5.conf, which I didn't know was possible - if that were done
> in the default krb5.conf, then we could drop the module option from
> /usr/share/pam/configs/krb5. So I'll mark this bug as invalid for
> pam-krb5, and open a task on kerberos-configs.

In practice, krb5.conf files usually aren't a useful place to set distribution options. A lot of sites that use Kerberos (such as Stanford) distribute a global krb5.conf file for the whole site and encourage all users to just install it. One has to assume that in most cases krb5.conf is going to get overridden by the user. (This is one of the reasons why it's not a conffile in kerberos-configs and instead is only created once and then very selectively modified, so note that no changes will be picked up by existing systems, only by new installations.)

I'm not sure there's any reason *not* to set the option in krb5.conf, other than maybe a minor slippery slope argument that setting application options in the distribution default krb5.conf isn't going to scale well since we don't have an include mechanism for fragments. But it may or may not really fix the problem of preventing Kerberos getting in the way of local logins as thoroughly as using a PAM option.

The reason why that option is recommended is because if there's something wrong with the network that causes pam-krb5 to hang for long periods, login can time out and leave you in a situation where you can't log in as root.

Maybe it would make sense to leave minimum_uid for /etc/krb5.conf but set ignore_root in the profile to eliminate the worst of the problem of not having minimum_uid set.

--
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>

--
Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
https://bugs.launchpad.net/bugs/369575
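
Added example, not part of the original message and not pam-krb5's own code: a small audit that checks whether pam-krb5 would skip root, comparing a distribution krb5.conf that sets minimum_uid in [appdefaults] with a site-wide krb5.conf that replaces it, and with a PAM profile that sets ignore_root. The function names, the sample file contents and the value 1000 are constructed; the krb5.conf parser is simplified, and PAM options are assumed to override krb5.conf.

```python
import re

def pam_module_options(pam_text, module="pam_krb5.so"):
    """Options given to the module on any line of a PAM stack."""
    opts = {}
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if module in fields:
            for arg in fields[fields.index(module) + 1:]:
                key, _, value = arg.partition("=")
                opts[key] = value or "true"   # bare flag such as ignore_root
    return opts

def appdefaults_pam(krb5_text):
    """[appdefaults] settings for pam-krb5 (simplified: top level and pam = { })."""
    opts, section, block = {}, None, None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("["):
            section, block = line.strip("[]").lower(), None
        elif section == "appdefaults":
            opened = re.fullmatch(r"(\S+)\s*=\s*\{", line)
            if line == "}":
                block = None
            elif opened:
                block = opened.group(1)
            elif "=" in line and block in (None, "pam"):
                key, value = (p.strip() for p in line.split("=", 1))
                opts[key] = value
    return opts

def root_is_skipped(pam_text, krb5_text):
    """True if pam-krb5 would ignore root (UID 0) under the combined settings."""
    # Assumption: options in the PAM configuration override krb5.conf.
    settings = {**appdefaults_pam(krb5_text), **pam_module_options(pam_text)}
    ignore_root = settings.get("ignore_root", "false").lower() in ("true", "yes", "1")
    return ignore_root or int(settings.get("minimum_uid") or 0) > 0

# Constructed sample files (not taken from any real system).
PAM_BARE = "auth [success=1 default=ignore] pam_krb5.so try_first_pass\n"
PAM_IGNORE_ROOT = "auth [success=1 default=ignore] pam_krb5.so ignore_root try_first_pass\n"
DISTRO_KRB5 = ("[libdefaults]\n default_realm = EXAMPLE.ORG\n"
               "[appdefaults]\n pam = {\n  minimum_uid = 1000\n }\n")
SITE_KRB5 = ("[libdefaults]\n default_realm = EXAMPLE.ORG\n"
             "[realms]\n EXAMPLE.ORG = {\n  kdc = kdc.example.org\n }\n")
```

With the bare profile, root is skipped only while the distribution krb5.conf is in place; once the site file replaces it, only the profile with ignore_root still keeps pam-krb5 out of root logins.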
