Brian Candler B.Candler at
Thu Jan 27 02:45:23 EST 2011

On Thu, Jan 27, 2011 at 01:43:55AM -0500, Tom Parker wrote:
> I am wondering if the account
>     account  required minimum_uid=1000
> line is required at all in common-account if I am using LDAP for
> access control.  it seems to be doing nothing on my systems and my
> login behaviour does not change if this line is commented out.

What do you mean by "LDAP for access control" - are you validating passwords
using an LDAP bind (pam_ldap)?  Or are you using LDAP for authorization
(nss_ldap)?  Or both?

As I understand it, pam_krb5 is basically a password checker; it uses the
password you supply to acquire a Kerberos ticket, and as a side-effect lets
you login if it was able to acquire one.  That's the "auth" functionality
anyway.  The "account" functionality is a bit more subtle.  According to the

"If the module did participate in authenticating the user, it will check for
an expired user password and verify the user's authorization using the
.k5login file of the user being authenticated, which is expected to be
accessible to the module."

That's something you're unlikely to use often, since in a regular login the
authentication identity and authorization identity are the same.



More information about the Kerberos mailing list