http://bugzilla.novell.com/show_bug.cgi?id=545724
http://bugzilla.novell.com/show_bug.cgi?id=545724#c6
--- Comment #6 from Michael Calmer 2009-12-03 11:49:10 UTC ---
Think about what happens if you want to use Kerberos together with NIS.
You need pam_unix2 for system users like root. You need NIS to have uidnumber,
gidnumber, shell, etc. pam_unix2 can authenticate NIS users and can do password
changes for NIS users.
Let's say you have set the NIS password to "*" and authenticate.
pam_unix2 would ask for the password and check it against the NIS password.
=> no match
The next module is pam_krb5. There you have a match and you are logged in.
Now you want to change the password.
pam_unix2 asks for the old password and checks it.
=> no match
The next module is pam_krb5. There is a match and you get the password change
ticket.
The password workflow executes the stack twice; the second run updates the
password.
So the second run starts. pam_unix2 is called again. A new password is entered
and pam_unix2 changes it "IN NIS".
Now you log in again.
pam_unix2 is called first and checks the password
=> match, you are logged in and wonder why you do not have a ticket.
This is the reason why I skip pam_unix2 completely for uid > 999 if Kerberos is
used.
Yes, I am sure that there are 1000 other possible configurations which take
care of all such situations. I selected this one :-)
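The sequence described in comment #6, as a small model added here for illustration (not code from the bug report, pam_unix2 or pam_krb5). It assumes every module acts like a "sufficient" entry, that the first module in the stack performs the write on the second password-change run, and it uses constructed passwords and the hypothetical names `Backends`, `stack_for` and `scenario`.

```python
# Simplified model of the PAM stack from comment #6 (added example).
# Assumption: first module that succeeds ends the stack ("sufficient"-like).
KRB_MIN_UID = 1000  # the comment skips pam_unix2 for uid > 999

class Backends:
    def __init__(self, nis_pw, krb_pw):
        self.nis_pw, self.krb_pw = nis_pw, krb_pw

def stack_for(uid, skip_unix2):
    """Module order; with the workaround, normal users only see pam_krb5."""
    if skip_unix2 and uid >= KRB_MIN_UID:
        return ["pam_krb5"]
    return ["pam_unix2", "pam_krb5"]

def check(module, be, pw):
    stored = be.nis_pw if module == "pam_unix2" else be.krb_pw
    return stored != "*" and stored == pw  # a "*" entry never matches

def login(be, uid, pw, skip_unix2):
    """Return (authenticating module, has_ticket), or (None, False)."""
    for module in stack_for(uid, skip_unix2):
        if check(module, be, pw):
            return module, module == "pam_krb5"  # only pam_krb5 yields a ticket
    return None, False

def change_password(be, uid, old, new, skip_unix2):
    """Two runs of the stack: verify the old password, then update."""
    stack = stack_for(uid, skip_unix2)
    if not any(check(m, be, old) for m in stack):  # first run
        return None
    writer = stack[0]  # second run: assumed that the first module writes
    if writer == "pam_unix2":
        be.nis_pw = new  # password now lives "IN NIS"
    else:
        be.krb_pw = new
    return writer

def scenario(skip_unix2, uid=1000):
    be = Backends(nis_pw="*", krb_pw="old-secret")  # constructed sample values
    first = login(be, uid, "old-secret", skip_unix2)
    writer = change_password(be, uid, "old-secret", "new-secret", skip_unix2)
    second = login(be, uid, "new-secret", skip_unix2)
    return first, writer, second, be.nis_pw

if __name__ == "__main__":
    print("full stack:     ", scenario(False))
    print("unix2 skipped:  ", scenario(True))
```

A NIS password field that is no longer "*" after a user's password change is the observable sign of the drift in the full-stack case.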