Raoul Borenius <[EMAIL PROTECTED]> writes: > Package: libpam-krb5 > Version: 2.6-1 > Severity: normal > > Removing my guest-user from /etc/shadow and > making all the pam-changes as stated in > /usr/share/doc/libpam-krb5/README.Debian > gives me:
Yeah, if you remove the user from shadow completely, you don't want to run the pam_unix module in the account stack since it will fail. The two ways to deal with that are either to not run the pam_unix account module if Kerberos succeeds (which is what you did, but which means you can't disable an account locally easily), or to leave the account in shadow but with a password of "!" or "*" (adduser --disabled-password) so that local password authentication can't work. I'll clarify that in the README. -- Russ Allbery ([EMAIL PROTECTED]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
