Bug 52358 - pam_krb5 needs -minuid option
Product: Red Hat Linux
Classification: Retired
Component: pam_krb5   
Version: 7.1
Hardware: i386
OS: Linux
Assignee: Nalin Dahyabhai
QA Contact: Aaron Brown
Reported: 2001-08-23 02:17 UTC by Matthew Miller
Modified: 2007-04-18 16:36 UTC
Last Closed: 2001-08-25 00:30:49 UTC

Description Matthew Miller 2001-08-23 02:17:14 UTC
In short: need a way to set a "minimum UID" below which accounts are not
ever kerberos authenticated.

Longer: in large-scale but only loosely centralized environments (i.e.
universities), it's important to have a convention where user accounts with
UIDs below a certain number are never checked against kerberos. This makes
it easy to set up local accounts with arbitrary names without causing
chaos. For example, my official centralized kerberos account is "mattdm",
but perhaps on some machine I want it to be "matthew" -- even though there
is already a different person with the "official" matthew account. With the
system mentioned above, it's no problem, as long as I set a local password
and have a UID less than the limit.

Chris Wing's pam_kafs
<http://www-personal.engin.umich.edu/~wingc/pam_kafs.html> implements
exactly this, but just for kerberos 4. Your kerberos 5 module is very nice,
and it'd be great to have this option.

Comment 1 Matthew Miller 2001-08-23 02:32:30 UTC
Additional info -- pam_localuser is no help, since not everyone with a central
account should have access to all machines. In some cases, accounts might be in
NIS or LDAP, but usually, a local account is created and just the password is
networked. I've looked for a pam_uidrange or somesuch, but with no luck.

Comment 2 Nalin Dahyabhai 2001-08-24 23:38:10 UTC
Should be present in 1.44, coming soon to a Raw Hide near you.  Please reopen
this bug if you find that "minimum_uid=somenumber", either on the command-line
in the PAM configuration file, or in /etc/krb5.conf, doesn't do the right thing.
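
An added example (not part of this bug report and not pam_krb5's own code): an audit script that reads the `minimum_uid` option from a PAM service file and lists which passwd accounts fall below it and so depend on a local password only. The PAM lines, account names and UIDs are constructed, and it assumes the behaviour requested in this report (UIDs strictly below the limit are never checked against Kerberos); it does not read /etc/krb5.conf.

```python
import re

# Constructed sample inputs (not taken from the bug report).
PAM_SERVICE = """\
auth  required    pam_env.so
auth  sufficient  pam_krb5.so minimum_uid=500
auth  required    pam_unix.so try_first_pass
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
matthew:x:450:450:local alias:/home/matthew:/bin/bash
mattdm:x:5012:5012:central account:/home/mattdm:/bin/bash
"""

def krb5_minimum_uid(pam_text):
    """Return minimum_uid from the first pam_krb5 line, or None if unset."""
    for line in pam_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if not any(f.endswith("pam_krb5.so") for f in fields):
            continue
        for f in fields:
            m = re.fullmatch(r"minimum_uid=(\d+)", f)
            if m:
                return int(m.group(1))
        return None  # pam_krb5 is configured but has no minimum_uid argument
    return None

def classify(passwd_text, minimum_uid):
    """Split accounts into (local password only, checked against Kerberos)."""
    local_only, kerberos = [], []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) < 7 or not parts[2].isdigit():
            continue  # skip malformed entries
        name, uid = parts[0], int(parts[2])
        # Assumption from the report: UIDs strictly below the limit are skipped.
        if minimum_uid is not None and uid < minimum_uid:
            local_only.append(name)
        else:
            kerberos.append(name)
    return local_only, kerberos

if __name__ == "__main__":
    limit = krb5_minimum_uid(PAM_SERVICE)
    local_only, kerberos = classify(PASSWD, limit)
    print("minimum_uid:", limit)
    print("local password only:", local_only)
    print("checked against Kerberos:", kerberos)
```

Accounts in the first list need a strong local password, since the central Kerberos password never applies to them.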

Comment 3 Matthew Miller 2001-08-25 00:16:24 UTC
Awesome; I'm impressed. Thanks much for the quick response. I'll check it out
either tomorrow or Sunday.

Comment 4 Matthew Miller 2001-08-25 00:30:44 UTC
Actually, I played with it a bit just now, and it seems to work exactly as
advertised. Thanks again!

Comment 5 Nalin Dahyabhai 2001-08-30 21:44:24 UTC
Cool beans.

Comment 6 Matthew Miller 2003-02-20 19:57:55 UTC
Y'know, this option doesn't seem to have made it into the documentation ever...
