pam-krb5.so

Brian Candler B.Candler at pobox.com
Thu Jan 27 02:45:23 EST 2011


On Thu, Jan 27, 2011 at 01:43:55AM -0500, Tom Parker wrote:
> I am wondering if the account
> 
>     account  required  pam_krb5.so minimum_uid=1000
> 
> line is required at all in common-account if I am using LDAP for
> access control.  It seems to be doing nothing on my systems and my
> login behaviour does not change if this line is commented out.

What do you mean by "LDAP for access control" - are you validating passwords
using an LDAP bind (pam_ldap)?  Or are you using LDAP for authorization
(nss_ldap)?  Or both?

As I understand it, pam_krb5 is basically a password checker; it uses the
password you supply to acquire a Kerberos ticket, and as a side-effect lets
you log in if it was able to acquire one.  That's the "auth" functionality
anyway.  The "account" functionality is a bit more subtle.  According to the
manpage: http://linux.die.net/man/8/pam_krb5

"If the module did participate in authenticating the user, it will check for
an expired user password and verify the user's authorization using the
.k5login file of the user being authenticated, which is expected to be
accessible to the module."

That's something you're unlikely to use often, since in a regular login the
authentication identity and authorization identity are the same.

Regards,

Brian.
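For readers following the auth/account distinction above, here is an illustrative Debian-style PAM stack (an added example, not taken from either poster's configuration) that combines pam_krb5 for password checking with pam_ldap, so the effect of the account line can be seen in context. File names, the ordering and the `use_first_pass`/`nullok_secure` options are assumptions about a typical setup, not something the thread states:

```text
# /etc/pam.d/common-auth  (constructed example)
# pam_krb5 tries the supplied password against the KDC first; on success it
# obtains a ticket and the user is authenticated by Kerberos.
auth    sufficient  pam_krb5.so minimum_uid=1000
# Fallback: reuse the same password against LDAP (pam_ldap) and then local files.
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_unix.so nullok_secure use_first_pass
auth    required    pam_deny.so

# /etc/pam.d/common-account  (constructed example)
# pam_krb5's account step only does work when pam_krb5 actually authenticated
# this session: it then checks for an expired password and, if the user has a
# ~/.k5login readable by the module, that the authenticated principal is listed
# there.  If authentication came from pam_ldap or pam_unix instead, this line
# is a no-op, which is why commenting it out changes nothing in that case.
account required    pam_krb5.so minimum_uid=1000
# Authorization decisions that apply regardless of which module authenticated
# (e.g. pam_ldap's host/group access checks, pam_unix's expiry checks) go here.
account required    pam_ldap.so
account required    pam_unix.so
```

The practical check is therefore: if the account line in question appears to do nothing, confirm which auth module is actually succeeding (pam_krb5 or pam_ldap) and whether the users in question have a `.k5login` file; the pam_krb5 account step is only observable when both its authentication succeeded and a `.k5login` or password-expiry condition exists to act on.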


