using libpam_krb5 with automatic configuration through pam-auth-update,
I am unable to change passwords (both locally and via kerberos); I
reported this as a separate bug:
https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/334795
--
no kerberos support for pam-auth-update?
On Fri, Jan 09, 2009 at 08:12:06PM -, Russ Allbery wrote:
Okay, that makes sense, although that raises an additional question:
wouldn't preferences be considered local configuration, and hence should
only be removed on purge? (This would be future work for pam-auth-update,
of course, not
On Fri, Jan 09, 2009 at 05:06:41AM -, Russ Allbery wrote:
The only question I had, and this is just another iteration of the typical
"how do maintainer scripts get called in errors?" question, is that the
prerm is limited to only the remove case. Wouldn't you also want to
remove the
Steve Langasek steve.langa...@canonical.com writes:
It would certainly be wrong for libpam-modules to call pam-auth-update
--remove on deconfigure. OTOH, so far I've assumed that as a dependency
of (Essential: yes) login, libpam-modules will never be removed, so I
don't call pam-auth-update
On Wed, Jan 07, 2009 at 09:55:44PM -, Russ Allbery wrote:
However, then we run into trouble if pam_krb5 is the /last/ module in the
stack (i.e., the admin has chosen to disable pam_unix completely), because
the next line after this will then be:
account requisite
Steve Langasek steve.langa...@canonical.com writes:
Well, if people fiddle with it by hand they're going to have annoying
debconf prompts on upgrades, too. My goal is certainly to get this
working well enough that they have no cause to fiddle.
The pam_deny is useful because it simplifies
This bug was fixed in the package libpam-krb5 - 3.11-3ubuntu1
---
libpam-krb5 (3.11-3ubuntu1) jaunty; urgency=low
* debian/libpam-krb5.{pam-auth-update,install,postinst,prerm},
debian/rules, debian/dirs: enable pam_krb5 by default using the new
pam-auth-update support.
Steve Langasek steve.langa...@canonical.com writes:
Ok, I'm confident enough in the correctness of the incremental changes
that I'm going to go ahead with uploading this to jaunty.
Russ, the debdiff against 3.11-3 is attached; let me know if there's a
different way you'd like to receive this
For comparison, here's the /usr/share/pam-configs/krb5 I've been using
locally for testing:
Name: Kerberos authentication
Default: yes
Priority: 704
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass
Auth-Initial:
[success=end
On Wed, 2009-01-07 at 08:13 +, Steve Langasek wrote:
For comparison, here's the /usr/share/pam-configs/krb5 I've been using
locally for testing:
Looks fairly similar. There seems to be a difference of section and
section-Final between our two. I'm not sure how significant that is
though.
On Wed, Jan 07, 2009 at 02:11:55PM -, Brian J. Murrell wrote:
Looks fairly similar. There seems to be a difference of section and
section-Final between our two. I'm not sure how significant that is
though.
It's a backwards-compatible syntax change; along the way I realized that
-Final
Steve Langasek steve.langa...@canonical.com writes:
For comparison, here's the /usr/share/pam-configs/krb5 I've been using
locally for testing:
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done default=ignore] pam_krb5.so
What does "end" do? It's not documented in
On Wed, Jan 07, 2009 at 06:38:24PM -, Russ Allbery wrote:
Steve Langasek steve.langa...@canonical.com writes:
For comparison, here's the /usr/share/pam-configs/krb5 I've been using
locally for testing:
Account-Type: Primary
Account:
[success=end new_authtok_reqd=done
Steve Langasek steve.langa...@canonical.com writes:
This is not a PAM token, but a token that's rewritten by pam-auth-update
when generating /etc/pam.d/common-* from these files.
https://wiki.ubuntu.com/PAMConfigFrameworkSpec
"end" means jump to the end of this group of modules - it's
On Mon, Jan 5, 2009 at 1:56 PM, Philip Lowman phi...@yhbt.com wrote:
Is there any update for this? From my point of view pam-auth-update
seems to be a step backwards from auth-client-config so long as there is
no built-in support for configuring kerberos. I guess it's back to
configuring
Steve,
The krb5 configuration file you uploaded works fine in our environment
as well. Thank you for sharing it. Also thank you for including
minimum_uid=1000. I based our common-auth off of some documentation I
found online that didn't mention this very useful option (or ignore_root
for that
Is there any update for this? From my point of view pam-auth-update
seems to be a step backwards from auth-client-config so long as there is
no built-in support for configuring kerberos. I guess it's back to
configuring /etc/pam.d manually?
--
no kerberos support for pam-auth-update?
Or you could just put your own config for krb5 in place such as I did:
$ cat /usr/share/pam-configs/krb5
Name: Kerberos Authentication
Default: yes
Priority: 300
Auth-Type: Primary
Auth-Initial:
[success=end default=ignore] pam_krb5.so
Auth-Final:
[success=end default=ignore]
On Mon, Jan 5, 2009 at 1:56 PM, Philip Lowman phi...@yhbt.com wrote:
Is there any update for this? From my point of view pam-auth-update
seems to be a step backwards from auth-client-config so long as there is
no built-in support for configuring kerberos. I guess it's back to
configuring