Bug#511010: doc: don't require pam_unix.so

Tue, 06 Jan 2009 09:03:17 -0800 

Package: libpam-krb5
Version: 3.11-3
Severity: normal

Hi,
using pam as suggested by README.Debian gives me:

| sshd[10016]: error: PAM: User account has expired for xy from foo

when trying to log on a kerberos user. If I change the account part as
attached it works as expected.
Cheers,
 -- Guido

>From 611863d36876854513513209d327f64552cd2795 Mon Sep 17 00:00:00 2001
From: =?utf-8?q?Guido=20G=C3=BCnther?= <a...@sigxcpu.org>
Date: Tue, 6 Jan 2009 17:47:02 +0100
Subject: [PATCH] don't require pam_unix.so for kerberos

since it returns with "User account has expired"
---
 debian/README.Debian |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/debian/README.Debian b/debian/README.Debian
index 4e7c4b9..8c46142 100644
--- a/debian/README.Debian
+++ b/debian/README.Debian
@@ -18,8 +18,8 @@ In /etc/pam.d/common-session:
 
 In /etc/pam.d/common-account:
 
-    account  required  pam_krb5.so minimum_uid=1000
-    account  required  pam_unix.so
+    account  sufficient  pam_unix.so
+    account  required    pam_krb5.so minimum_uid=1000
 
 (Note that the account function of pam_krb5.so will always succeed if the
 user didn't log in via Kerberos, so this is will still allow access via a
-- 
1.6.0.3

Reply via email to