http://bugzilla.novell.com/show_bug.cgi?id=545724

http://bugzilla.novell.com/show_bug.cgi?id=545724#c7

Jiri Bohac <jbohac@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|INVALID                     |

--- Comment #7 from Jiri Bohac <jbohac@novell.com> 2009-12-03 13:41:29 UTC ---

So, if I understand it correctly:

You are trying to make sure that pam_krb5 is called during authentication.
We need local-only users (e.g. root) to be able to log in.
But if the user is in both the local (or NIS or whatever processed with
pam_unix), we want pam_krb5 to be called to create the ticket.

And to do this you:

1) devise a hackish policy that mandates the passwords in the local
   (processed with pam_unix) database to be invalid so that pam_unix in the
   common-auth stack fails and pam_krb5 is called

2) to maintain the invalid passwords in the local database you put a hack in
   common-passwd to prevent pam_unix from setting the passwords. You do this
   based on the uid, which is a really weak indication of what database the
   user password should be maintained in.

Come on, I hope I must have misunderstood something!

This obviously needs to be solved in the common-auth stack. If the
capabilities of the existing pam modules are not sufficient (hardly the
case), they need to be extended.

I am sure most will agree that this two-layer hack is not the right way to
solve the original problem of making sure pam_krb5 is called for
authentication.