On Mon, 2009-11-09 at 09:41 -0500, Brian J. Murrell wrote: > On Mon, 2009-11-09 at 08:59 -0500, Simo Sorce wrote: > > > > If someone opens a bug for that, yes :-) > > Done. https://fedorahosted.org/sssd/ticket/266 > > > However keep in mind that I don't care much for what pam_unix does in > > any pam target, > > That's fair enough, but you have to respect what other pam modules are > trying to do and provide the information they want in adherence to the > rules of the information source. Simply saying "well, in our context, > what pam_xxxx is doing is stupid" is not playing well within the > ecosystem in which you are playing.
I'm not saying it is stupid, just that we do not care "too much" :) > > you can always make it so that an error from pam_unix > > (using sufficient instead of required) is ignored if pam_sss succeed. > > Yes, I could, but then I am fiddling with the framework (which on my > distro, prescribes that pam_unix's account personality is a required) > which pam_sss is trying to fit into and having to do that fiddling on > every machine I touch. The whole point of using a centralized > authentication and information provider is to minimize the per-host > fiddling. I agree, that's why I want to add the option, so that each distribution can set the best default for their configuration needs. Simo. -- Simo Sorce * Red Hat, Inc * New York _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel