Independent of how the pam setup should be, I believe it would be useful to be able to restrict the range of uids handled by ccreds. :)

[Guido Günther]
> That's a matter of your pam configuration. libpam-ccreds shouldn't
> act on pam_unix at all but only on pam_ldap/Kerberos. If your
> configuration does this differently it's broken.

This is the configuration at the moment, generated by pam-auth-update:

  r...@pxe-test2-pre:~# grep -v '#' /etc/pam.d/common-auth
  auth [success=4 default=ignore] pam_unix.so nullok_secure
  auth [success=3 default=ignore] pam_ldap.so use_first_pass
  auth [success=2 default=ignore] pam_ccreds.so action=validate use_first_pass
  auth [default=ignore] pam_ccreds.so action=update
  auth requisite pam_deny.so
  auth required pam_permit.so
  auth optional pam_ccreds.so action=store
  r...@pxe-test2-pre:~#

What do you mean is wrong with this configuration? What would the
correct configuration look like? It was generated using these
pam-configs entries:

  r...@pxe-test2-pre:~# for f in /usr/share/pam-configs/lo-ccreds-*; do echo $f; cat $f; done
  /usr/share/pam-configs/lo-ccreds-check
  Name: Ccreds credential caching - password checking
  Default: yes
  Priority: 0
  Auth-Type: Primary
  Auth:
      [success=end default=ignore] pam_ccreds.so action=validate use_first_pass
      [default=ignore] pam_ccreds.so action=update
  /usr/share/pam-configs/lo-ccreds-save
  Name: Ccreds credential caching - password saving
  Default: yes
  Priority: 512
  Auth-Type: Additional
  Auth:
      optional pam_ccreds.so action=store
  r...@pxe-test2-pre:~#

Happy hacking,
-- 
Petter Reinholdtsen
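
An added example, not part of the original message or of libpam-ccreds: a simplified Python model of the jump controls in the quoted common-auth stack, listing which modules are invoked for a given set of module results. The function names and the reduced control semantics (only `ignore`, numeric jumps and a failing `requisite`) are assumptions of this sketch.

```python
import re

# common-auth stack copied from the message above
COMMON_AUTH = """\
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so action=validate use_first_pass
auth [default=ignore] pam_ccreds.so action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so action=store
"""

def parse(text):
    """Return [(control, "module args")]; bracketed controls become dicts."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(.+)", line.strip())
        if not m:
            continue
        control, module = m.groups()
        if control.startswith("["):
            control = dict(kv.split("=", 1) for kv in control[1:-1].split())
        stack.append((control, module.strip()))
    return stack

def trace(stack, succeeding):
    """Modules invoked, in order, when the modules in `succeeding` return success.
    Assumption: pam_permit always succeeds and pam_deny always fails."""
    invoked, i = [], 0
    while i < len(stack):
        control, module = stack[i]
        name = module.split()[0]
        ok = name == "pam_permit.so" or (module in succeeding and name != "pam_deny.so")
        invoked.append(module)
        i += 1
        if isinstance(control, dict):
            action = control.get("success" if ok else "default", control.get("default", "ignore"))
            if action.isdigit():
                i += int(action)   # success=N: skip the next N modules
        elif control == "requisite" and not ok:
            break                  # a failing requisite module ends the stack at once
    return invoked

STACK = parse(COMMON_AUTH)
LOCAL = trace(STACK, {"pam_unix.so nullok_secure"})  # local account, pam_unix succeeds
NONE = trace(STACK, set())                           # every authentication module fails

if __name__ == "__main__":
    print("pam_unix succeeds:", LOCAL)
    print("nothing succeeds: ", NONE)
```

With pam_unix succeeding, the trace ends in `pam_ccreds.so action=store`, so the module is called for a locally authenticated user; what it does with that call is up to pam_ccreds itself.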