Bug 217944
| Field | Value |
|---|---|
| Summary | /etc/pam.d/system-auth-ac has wrong logic for kerberos |
| Product | [Fedora] Fedora |
| Component | authconfig |
| Version | 6 |
| Hardware | x86_64 |
| OS | Linux |
| Status | CLOSED NOTABUG |
| Severity | medium |
| Priority | medium |
| Reporter | Tomasz Kepczynski <tomek> |
| Assignee | Tomas Mraz <tmraz> |
| QA Contact | Brian Brock <bbrock> |
| Doc Type | Bug Fix |
| Last Closed | 2006-11-30 21:23:09 UTC |

Description
Tomasz Kepczynski
2006-11-30 20:58:49 UTC
No, what you are trying to achieve is simply not possible. Or it is possible but it has its own set of problems. Authconfig as a tool can choose only one of many possible PAM configurations and it is up to you to modify it if it doesn't suit your needs. What I mean is that the config generated by authconfig is perfectly OK when you either don't have users authenticated by Kerberos in /etc/passwd at all but they are in LDAP or NIS. Or they have a passwd entry but without a password set there (or in /etc/shadow). Or you can have a different password in /etc/shadow and in Kerberos and use the Kerberos password normally and the /etc/shadow one only when the Kerberos server is unavailable. Switching the order of the authentication modules would be possible but it would have other problems, like very long timeouts on authentication when disconnected from the network.
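
The module-ordering trade-off described in the comment above can be traced with a small model of PAM's `sufficient`/`requisite`/`required` control flags. This is an added example, not part of the bug report and not authconfig's or libpam's code; the two stacks, the accounts, the passwords and the `kdc_attempts` counter (a stand-in for a network timeout when the KDC is unreachable) are all constructed assumptions.

```python
# Simplified model of PAM "auth" control flags; not libpam and not the real file.
def pam_unix(user, password, env):
    # Local check against a constructed /etc/shadow stand-in (plaintext for brevity).
    stored = env["shadow"].get(user)
    return stored is not None and stored == password

def pam_krb5(user, password, env):
    # Every call contacts the KDC; an unreachable KDC costs a network timeout.
    env["kdc_attempts"] += 1
    return env["kdc_up"] and env["kdc"].get(user) == password

def pam_deny(user, password, env):
    return False

def authenticate(stack, user, password, env):
    failed = False
    for control, module in stack:
        ok = module(user, password, env)
        if control == "sufficient" and ok and not failed:
            return True          # a sufficient success ends the stack
        if control == "requisite" and not ok:
            return False         # a requisite failure ends the stack
        if control == "required" and not ok:
            failed = True        # remembered, but later modules still run
    return not failed

# Assumed ordering: local check first, Kerberos second, pam_deny as the backstop.
UNIX_FIRST = [("sufficient", pam_unix), ("sufficient", pam_krb5), ("required", pam_deny)]
# The switched ordering mentioned in the comment.
KRB5_FIRST = [("sufficient", pam_krb5), ("sufficient", pam_unix), ("required", pam_deny)]

def make_env(kdc_up):
    # Constructed accounts: "ldapuser" has no shadow password, "alice" has both.
    return {"shadow": {"alice": "local-pw"},
            "kdc": {"alice": "krb-pw", "ldapuser": "krb-pw"},
            "kdc_up": kdc_up, "kdc_attempts": 0}

def login(stack, user, password, kdc_up):
    env = make_env(kdc_up)
    return authenticate(stack, user, password, env), env["kdc_attempts"]

if __name__ == "__main__":
    for name, stack in (("unix first", UNIX_FIRST), ("krb5 first", KRB5_FIRST)):
        for kdc_up in (True, False):
            for user, pw in (("ldapuser", "krb-pw"), ("alice", "krb-pw"), ("alice", "local-pw")):
                ok, attempts = login(stack, user, pw, kdc_up)
                print(f"{name:10} kdc_up={kdc_up!s:5} {user:8} {pw:8} ok={ok} kdc_attempts={attempts}")
```

With the local check first, an offline login with the local password never touches the KDC; with the order switched, the same login succeeds only after one KDC attempt has timed out.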