http://bugzilla.novell.com/show_bug.cgi?id=545724
http://bugzilla.novell.com/show_bug.cgi?id=545724#c7
Jiri Bohac changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|INVALID |
--- Comment #7 from Jiri Bohac 2009-12-03 13:41:29 UTC ---
So, if I understand it correctly:
You are trying to make sure that pam_krb5 is called during authentication. We
need local-only users (e.g. root) to be able to log in.
But if the user is in both the local (or NIS or whatever processed with
pam_unix), we want pam_krb5 to be called to create the ticket.
And to do this you:
1) devise a hackish policy that mandates the passwords in the local (processed
with pam_unix) database to be invalid so that pam_unix in the common-auth stack
fails and pam_krb5 is called
2) to maintain the invalid passwords in the local database you put a hack in
common-passwd to prevent pam_unix from setting the passwords. You do this based
on the uid, which is a really weak indication of what database the user
password should be maintained in.
Come on, I hope I must have misunderstood something!
This obviously needs to be solved in the common-auth stack. If the capabilities
of the existing pam modules are not sufficient (hardly the case), they need to
be extended.
I am sure most will agree that this two-layer hack is not the right way to
solve the original problem of making sure pam_krb5 is called for
authentication.