Red Hat Bugzilla – Bug 52358
pam_krb5 needs -minuid option
Last modified: 2007-04-18 12:36:15 EDT
In short: need a way to set a "minimum UID" below which accounts are not
ever kerberos authenticated.
Longer: in large-scale but only loosely centralized environments (i.e.
universities), it's important to have a convention where user accounts with
UIDs below a certain number are never checked against kerberos. This makes
it easy to set up local accounts with arbitrary names without causing
chaos. For example, my official centralized kerberos account is "mattdm",
but perhaps on some machine I want it to be "matthew" -- even though there
is already a different person with the "official" matthew account. With the
system mentioned above, it's no problem, as long as I set a local password
and have a UID less than the limit.
Chris Wing's pam_kafs does exactly this, but just for Kerberos 4. Your Kerberos 5
module is very nice, and it'd be great to have this option.
Additional info -- pam_localuser is no help, since not everyone with a central
account should have access to all machines. In some cases, accounts might be in
NIS or LDAP, but usually, a local account is created and just the password is
networked. I've looked for a pam_uidrange or somesuch, but with no luck.
Should be present in 1.44, coming soon to a Raw Hide near you. Please reopen
this bug if you find that "minimum_uid=somenumber", either on the command-line
in the PAM configuration file, or in /etc/krb5.conf, doesn't do the right thing.
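For readers who land here from the "never documented" comment below, here is what the two placements look like in practice. This is an added example, not configuration from the bug report or from the pam_krb5 package; the UID cutoff (500), the file paths and the surrounding module stack are assumptions chosen to match the reporter's scenario (local accounts below the cutoff, centrally managed accounts above it), not values taken from the page.

```conf
# --- /etc/pam.d/system-auth (fragment, hypothetical) ---
# pam_krb5 runs before pam_unix here so that, for UIDs at or above the
# cutoff, the central KDC is consulted first. For UIDs below 500 the
# module does not contact the KDC at all (that is what minimum_uid
# does), so a local "matthew" with UID 501 or lower is never matched
# against the central "matthew" principal; control falls through to
# pam_unix, which checks the local password in /etc/shadow.
auth        required      pam_env.so
auth        sufficient    pam_krb5.so minimum_uid=500
auth        sufficient    pam_unix.so use_first_pass nullok
auth        required      pam_deny.so

# --- /etc/krb5.conf (fragment, hypothetical) ---
# Same cutoff expressed site-wide instead of per PAM stack. The module
# reads its options from the "pam" application block in [appdefaults];
# a value given on the pam_krb5.so line takes precedence over this one.
[appdefaults]
    pam = {
        minimum_uid = 500
    }
```

Two caveats a practitioner should check before relying on this. First, the cutoff is purely numeric: the convention only holds if every locally created account really is allocated a UID below the threshold and every centrally provisioned account a UID above it, so audit `/etc/passwd` (and any NIS or LDAP maps) for strays on both sides. Second, pam_krb5 has to resolve the login name to a UID before it can compare, which means the local account (or the NIS/LDAP entry) must exist first; a name that does not resolve at all cannot be exempted by this option, and it is worth testing both a low-UID and a high-UID login after the change rather than assuming the fall-through behaves as intended.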
Awesome; I'm impressed. Thanks much for the quick response. I'll check it out
either tomorrow or Sunday.
Actually, I played with it a bit just now, and it seems to work exactly as
advertised. Thanks again!
Y'know, this option doesn't seem to have made it into the documentation ever...