Russ Allbery rra at
Thu Jan 27 01:53:49 EST 2011

Tom Parker <tparker at> writes:

> I am wondering if the account

>      account  required minimum_uid=1000

> line is required at all in common-account if I am using LDAP for access
> control.  It seems to be doing nothing on my systems and my login
> behaviour does not change if this line is commented out.

All the checks that the pam_krb5 module does during the account group it
also does during the auth group, so indeed this check doesn't really do
much exciting for you (although it also doesn't hurt).  Note: this
statement only applies when using the default options.  If you set
defer_pwchange, you have to have an account group configured or you'll
have some security holes.

> What checks are being performed here that are needed?

>      auth  sufficient minimum_uid=1000

This is what's authenticating your users, assuming you're using Kerberos

Russ Allbery (rra at             <>
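
The condition described in the reply above (defer_pwchange set on the pam_krb5 auth rule with no pam_krb5 rule in the account group), as a small checker. This is an added example, not part of the original message or of the pam-krb5 project. It assumes the module file is named pam_krb5.so, that the input is the service's auth and account files concatenated (for instance common-auth plus common-account), and that @include lines are not followed; the sample configurations are constructed.

```python
def parse_pam(text):
    """Parse /etc/pam.d-style rules into (group, control, module, options)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):
            continue
        parts = line.split(None, 1)
        if len(parts) < 2:
            continue
        group, rest = parts[0].lstrip("-").lower(), parts[1].strip()
        if rest.startswith("["):                     # [success=1 default=ignore]
            control, _, rest = rest.partition("]")
            control += "]"
        else:
            bits = rest.split(None, 1)
            control, rest = bits[0], (bits[1] if len(bits) > 1 else "")
        fields = rest.split()
        if fields:
            rules.append((group, control, fields[0], fields[1:]))
    return rules


def krb5_account_gap(text, module="pam_krb5.so"):
    """True when defer_pwchange is set on auth but no account rule calls the module."""
    krb = [r for r in parse_pam(text) if r[2].endswith(module)]
    deferred = any(g == "auth" and "defer_pwchange" in opts for g, _, _, opts in krb)
    has_account = any(g == "account" for g, _, _, _ in krb)
    return deferred and not has_account


# Constructed sample configurations (not taken from the thread).
DEFAULT_NO_ACCOUNT = """\
auth     sufficient  pam_krb5.so minimum_uid=1000
auth     required    pam_unix.so try_first_pass
account  required    pam_unix.so
"""
DEFERRED_NO_ACCOUNT = """\
auth     [success=1 default=ignore]  pam_krb5.so minimum_uid=1000 defer_pwchange
auth     required    pam_unix.so try_first_pass
#account required    pam_krb5.so minimum_uid=1000
account  required    pam_unix.so
"""
DEFERRED_WITH_ACCOUNT = DEFERRED_NO_ACCOUNT.replace("#account", "account ")

if __name__ == "__main__":
    for name in ("DEFAULT_NO_ACCOUNT", "DEFERRED_NO_ACCOUNT", "DEFERRED_WITH_ACCOUNT"):
        print(name, "gap" if krb5_account_gap(globals()[name]) else "ok")
```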
