
Re: pam-krb5.so

daemon@ATHENA.MIT.EDU (Brian Candler)
Thu Jan 27 04:35:24 2011

Date: Thu, 27 Jan 2011 07:45:23 +0000
From: Brian Candler <B.Candler@pobox.com>
To: Tom Parker <tparker@cbnco.com>
Message-ID: <20110127074523.GA7431@talktalkplc.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <4D41142B.2010803@cbnco.com>
Cc: "kerberos@mit.edu" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

On Thu, Jan 27, 2011 at 01:43:55AM -0500, Tom Parker wrote:
> I am wondering if the account
> 
>     account  required  pam_krb5.so minimum_uid=1000
> 
> line is required at all in common-account if I am using LDAP for
> access control.  It seems to be doing nothing on my systems and my
> login behaviour does not change if this line is commented out.

What do you mean by "LDAP for access control" - are you validating passwords
using an LDAP bind (pam_ldap)?  Or are you using LDAP for authorization
(nss_ldap)?  Or both?

As I understand it, pam_krb5 is basically a password checker; it uses the
password you supply to acquire a Kerberos ticket, and as a side-effect lets
you log in if it was able to acquire one.  That's the "auth" functionality
anyway.  The "account" functionality is a bit more subtle.  According to the
manpage: http://linux.die.net/man/8/pam_krb5

"If the module did participate in authenticating the user, it will check for
an expired user password and verify the user's authorization using the
.k5login file of the user being authenticated, which is expected to be
accessible to the module."

That's something you're unlikely to use often, since in a regular login the
authentication identity and authorization identity are the same.

Regards,

Brian.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
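The .k5login authorization step described in the reply above, as an added illustrative model; this is not pam_krb5's or MIT krb5's code (the real check is krb5_kuserok(), which has richer rules), and the realm, user names and file contents are constructed for the example:

```python
# Simplified model of what pam_krb5's "account" phase does after a successful
# "auth" phase: check that the principal that authenticated is authorized to
# log in as the requested local user, via ~local_user/.k5login.
# Illustrative only; the real implementation is krb5_kuserok() in MIT krb5.
from pathlib import Path
from typing import Optional

DEFAULT_REALM = "EXAMPLE.COM"  # assumed default_realm from krb5.conf


def parse_k5login(text: str) -> list[str]:
    """Return the principals listed in a .k5login file, one per line.
    Blank lines are ignored; there is no comment syntax in the format."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def k5login_permits(principal: str, local_user: str,
                    k5login: Optional[str],
                    default_realm: str = DEFAULT_REALM) -> bool:
    """Decide whether `principal` (the authenticated identity) may log in as
    `local_user`, given the text of ~local_user/.k5login, or None when the
    file does not exist.

    With no .k5login, the only permitted principal is local_user@default_realm,
    which is why in an ordinary login (authentication identity == authorization
    identity) this check is effectively invisible.  When the file exists, it
    replaces that default: only the listed principals are accepted, so a file
    that omits the user's own principal locks the user out of Kerberos logins.
    """
    if k5login is None:
        return principal == f"{local_user}@{default_realm}"
    return principal in parse_k5login(k5login)


def k5login_permits_from_home(principal: str, local_user: str,
                              home: Path) -> bool:
    """Same check, reading .k5login from the user's home directory; a missing
    file falls back to the default rule above."""
    path = home / ".k5login"
    content = path.read_text() if path.is_file() else None
    return k5login_permits(principal, local_user, content)


if __name__ == "__main__":
    # Constructed sample: tparker delegates login to an admin principal.
    sample = "admin@EXAMPLE.COM\ntparker@EXAMPLE.COM\n"
    print(k5login_permits("admin@EXAMPLE.COM", "tparker", sample))   # True
    print(k5login_permits("tparker@OTHER.ORG", "tparker", sample))   # False
    print(k5login_permits("tparker@EXAMPLE.COM", "tparker", None))   # True
```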