From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20020823 Netscape/7.0

Description of problem:
# grep pam_krb /etc/pam.d/system-auth
auth sufficient /lib/security/pam_krb5.so minimum_uid=15 use_first_pass
password required /lib/security/pam_krb5.so use_authtok minimum_uid=15
session sufficient /lib/security/pam_krb5.so minimum_uid=15

Then when I try to log in via ssh as root:
pam_krb5: authenticate error: Clients credentials have been revoked (-1765328366)
pam_krb5: authentication fails for `root'
Failed password for root from x.x.x.x port 48196 ssh2

If minimum_uid doesn't try the UID, then how does it know the credentials have been revoked? I have disabled all 'standard' accounts like root.

Version-Release number of selected component (if applicable): pam_krb5-1.55-1

How reproducible: Always

Steps to Reproduce:
1. Set the minimum_uid and try to log in
2.
3.

Expected Results: pam_krb5 ignores that user and drops to next module

Additional info:
I also have reproduced this problem. It allows logins for default accounts like rpm if someone with AD rights feels like creating one.
Never mind. I figured out that it belongs in [appdefaults] / pam = in /etc/krb5.conf and seems to work fine there. Shouldn't it be a RedHat default? And shouldn't it be 100 and not 15? The rpm user is wide open at uid 37.
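An added audit sketch, not part of the original report and not pam_krb5 code: it reads minimum_uid from the [appdefaults] pam block mentioned in the last comment and lists the system accounts that setting would still leave to pam_krb5. The sample krb5.conf and passwd contents are constructed, and the system-account cut-off of 100 is an assumption taken from the commenter's suggestion.

```python
import re

# Constructed sample inputs (not taken from the report).
KRB5_CONF = """\
[libdefaults]
 default_realm = EXAMPLE.COM
[appdefaults]
 pam = {
   minimum_uid = 15
 }
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/bin/bash
nobody:x:99:99:Nobody:/:/sbin/nologin
alice:x:500:500::/home/alice:/bin/bash
"""

def pam_minimum_uid(conf_text):
    """Return minimum_uid from [appdefaults] pam = { ... }, or None if unset."""
    section, in_pam = None, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section, in_pam = m.group(1), False
        elif section == "appdefaults":
            if re.fullmatch(r"pam\s*=\s*\{", line):
                in_pam = True
            elif line == "}":
                in_pam = False
            elif in_pam:
                m = re.fullmatch(r"minimum_uid\s*=\s*(\d+)", line)
                if m:
                    return int(m.group(1))
    return None

def exposed_system_accounts(passwd_text, minimum_uid, system_uid_limit=100):
    """System accounts (UID < limit, an assumed cut-off) not skipped by minimum_uid."""
    floor = 0 if minimum_uid is None else minimum_uid  # assumed: unset skips nobody
    found = []
    for entry in passwd_text.splitlines():
        f = entry.split(":")
        if len(f) >= 3 and f[2].isdigit() and floor <= int(f[2]) < system_uid_limit:
            found.append((f[0], int(f[2])))
    return found
```

With the constructed input, a minimum_uid of 15 still leaves rpm (UID 37) and nobody (UID 99) in scope, while 100 leaves no system account.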