In short: need a way to set a "minimum UID" below which accounts are not ever Kerberos-authenticated. Longer: in large-scale but only loosely centralized environments (i.e. universities), it's important to have a convention where user accounts with UIDs below a certain number are never checked against Kerberos. This makes it easy to set up local accounts with arbitrary names without causing chaos. For example, my official centralized Kerberos account is "mattdm", but perhaps on some machine I want it to be "matthew" -- even though there is already a different person with the "official" matthew account. With the system mentioned above, it's no problem, as long as I set a local password and have a UID less than the limit. Chris Wing's pam_kafs <http://www-personal.engin.umich.edu/~wingc/pam_kafs.html> implements exactly this, but just for Kerberos 4. Your Kerberos 5 module is very nice, and it'd be great to have this option.
Additional info -- pam_localuser is no help, since not everyone with a central account should have access to all machines. In some cases, accounts might be in NIS or LDAP, but usually, a local account is created and just the password is networked. I've looked for a pam_uidrange or somesuch, but with no luck.
Should be present in 1.44, coming soon to a Raw Hide near you. Please reopen this bug if you find that "minimum_uid=somenumber", either on the command-line in the PAM configuration file, or in /etc/krb5.conf, doesn't do the right thing.
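The rule the `minimum_uid` option implements, as an added illustration that is not part of this bug thread or of pam_krb5 itself: every account whose UID is below the threshold is treated as local-only and never sent to the KDC, and every account at or above it is Kerberos-authenticated. The script below applies that split to a few constructed passwd(5) lines so an administrator can see, before enabling the option, which existing accounts would fall on each side; the threshold 500 and all usernames and UIDs are made up for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from pam_krb5): classify
# accounts by the minimum_uid rule. Accounts with UID < minimum_uid are
# never checked against Kerberos and need a usable local password; all
# other accounts are handed to pam_krb5 for authentication.

# Constructed sample passwd(5) lines; names and UIDs are invented.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
matthew:x:450:450:Local Matthew:/home/matthew:/bin/bash
mattdm:x:1001:1001:Central Account:/home/mattdm:/bin/bash
jdoe:x:1002:1002:Jane Doe:/home/jdoe:/bin/bash'

# classify_accounts MINIMUM_UID
# Reads passwd-format lines on stdin and prints "<user> local" or
# "<user> kerberos", one per account. Malformed lines are skipped.
classify_accounts() {
    awk -F: -v min="$1" '
        NF >= 3 && $3 ~ /^[0-9]+$/ {
            if ($3 + 0 < min + 0) print $1, "local"
            else print $1, "kerberos"
        }'
}

# kerberos_users MINIMUM_UID: names that pam_krb5 would check.
kerberos_users() {
    classify_accounts "$1" | awk '$2 == "kerberos" { print $1 }'
}

# local_only_users MINIMUM_UID: names that bypass Kerberos entirely and
# therefore must be protected by a local password.
local_only_users() {
    classify_accounts "$1" | awk '$2 == "local" { print $1 }'
}

# Example run with a hypothetical site threshold of 500.
printf '%s\n' "$SAMPLE_PASSWD" | classify_accounts 500
```

In practice the same threshold would be passed as `minimum_uid=500` on the pam_krb5 line of the PAM configuration or set in /etc/krb5.conf, as the comment above describes; the script only previews the effect of that value against a passwd file (here, the constructed one).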
Awesome; I'm impressed. Thanks much for the quick response. I'll check it out either tomorrow or Sunday.
Actually, I played with it a bit just now, and it seems to work exactly as advertised. Thanks again!
Cool beans.
Y'know, this option doesn't seem to have made it into the documentation ever...