pam_krb5 3.9 bug in account management ?
Russ Allbery
rra at stanford.edu
Sat Jan 19 15:19:48 EST 2008
Resending this to the list.
"Markus Moeller" <huaraz at moeller.plus.com> writes:
> I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
> PAM_IGNORE, otherwise if you stack pam modules like:
>
> other account sufficient pam_krb5
> other account required pam_unix
>
> and check for a local non-Kerberos user the account management by pam_unix
> (password expiry, etc.) will be ignored.
I would agree with you except PAM_IGNORE is not a permissible return code
for a PAM module according to the Linux PAM standard, which is as close to
a standard as we have.

Normally, you don't need to do the above. Other things don't work if the
user doesn't have a basic existence in the nsswitch setup for the system,
at which point pam_unix's account module will succeed.
--
Russ Allbery (rra at stanford.edu) <http://www.eyrie.org/~eagle/>
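
The stacking behaviour discussed in this thread, as an added example that is not part of the original message or of pam_krb5: a simplified Python model of how Linux-PAM evaluates the two-line account stack quoted above, with `sufficient` and `required` written as their documented bracket actions. The module stand-ins, the user names and the expired-account data are constructed assumptions.

```python
# Added example: simplified model of Linux-PAM stack evaluation (account phase).
PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_PERM_DENIED = "PAM_PERM_DENIED"

# Control keywords written as the bracket actions Linux-PAM documents for them
# (new_authtok_reqd omitted for brevity).
CONTROL = {
    "sufficient": {PAM_SUCCESS: "done", "default": "ignore"},
    "required": {PAM_SUCCESS: "ok", PAM_IGNORE: "ignore", "default": "bad"},
}

EXPIRED_LOCAL_USERS = {"alice"}  # constructed sample data, not from the thread

def krb5_success(user):  # stand-in: PAM_SUCCESS for a non-Kerberos user
    return PAM_SUCCESS

def krb5_ignore(user):  # stand-in: the return value proposed in the quoted message
    return PAM_IGNORE

def unix_account(user):  # stand-in for pam_unix's expiry checks
    return PAM_ACCT_EXPIRED if user in EXPIRED_LOCAL_USERS else PAM_SUCCESS

def run_stack(stack, user):
    """Return (final status, modules actually called) for one account check."""
    status, impression, called = PAM_PERM_DENIED, None, []
    for control, name, module in stack:
        ret = module(user)
        called.append(name)
        action = CONTROL[control].get(ret, CONTROL[control]["default"])
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", ret
            if impression == "positive" and action == "done":
                break  # a "sufficient" success ends the stack here
        elif action == "bad" and impression != "negative":
            impression, status = "negative", ret
        # "ignore": the module's result does not affect the outcome
    return status, called

def stack_with(krb5):  # the two-line stack from the quoted message
    return [("sufficient", "pam_krb5", krb5), ("required", "pam_unix", unix_account)]

for krb5 in (krb5_success, krb5_ignore):
    print(krb5.__name__, run_stack(stack_with(krb5), "alice"))
```

In the first run pam_unix is never called, so the expired local account passes; in the second the stack reaches pam_unix and the expiry is reported.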