Comment 37 for bug 369575

Daniel Richard G. (skunk) wrote :

> I don't think Heimdal supports including krb5.conf snippets, which means we can't use the include functionality in kerberos-configs.

And even if it did, it would still be awkward (you have to add the #include at any rate). It needs to be a standard expectation these days that configs in /etc support a foobaz.d directory convention, so all you have to do is drop in a file.

> I don't think it's acceptable from a security standpoint for minimum_uid to be turned off by an upgrade without an affirmative response from the user (not any sort of default), and we can't use any sort of krb5-config dependency to ensure that a Kerberos configuration fragment is available (even if Heimdal supports it) because krb5-config intentionally doesn't mess with a user-supplied krb5.conf file.

Would it work to convert the PAM profile into a config file, and treat an existing file with minimum_uid=1000 as user-modified?

I'd argue that this file should be marked as config on its own merits. One other thing I want to do, in fact, is bump down the Priority: so that Kerberos auth is checked after Unix auth. I'd sure want to see the config merge question come up if an update messes with that.