In order to take the path of moving this setting to a krb5.conf snippet that's included by the default krb5.conf, at the very least it needs to work with both Heimdal and MIT. I don't think Heimdal supports including krb5.conf snippets, which means we can't use the include functionality in kerberos-configs.
The upgrade path for this is going to be awful no matter what. :( I don't think it's acceptable from a security standpoint for minimum_uid to be turned off by an upgrade without an affirmative response from the user (not any sort of default), and we can't use any sort of krb5-config dependency to ensure that a Kerberos configuration fragment is available (even if Heimdal supports it) because krb5-config intentionally doesn't mess with a user-supplied krb5.conf file.

So we'd have to do something really fancy here that preserves the minimum_uid setting for all old installations unless the admin intentionally removes it, and I'm not entirely sure how to do that. All the approaches I can think of have obvious ways in which the setting is lost.

Some sort of user override on the default pam-auth-update configuration would be ideal, but I can understand that not being a priority.

I would love to find a way to fix this, but we really *cannot* have an upgrade turn off minimum_uid without user intervention. I think a package that would do that would deserve a CVE due to the security vulnerabilities that can introduce, since the local admin may be relying on that setting for local security.

--
https://bugs.launchpad.net/bugs/369575
Title: Why is /usr/share/pam-configs/krb5 specifying minimum_uid= ?
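As an added illustration (not part of the bug comment or of any package), here is a check an admin could run on the PAM configuration before and after an upgrade to detect the loss of minimum_uid that the comment warns about. It assumes pam_krb5.so takes minimum_uid either as a PAM argument or from [appdefaults] in krb5.conf, with the PAM argument taking precedence; the function names and sample configurations are constructed for this example.

```python
import re

# Constructed sample configurations (not taken from a real system).
OLD_PAM = "auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 try_first_pass\n"
NEW_PAM = "auth [success=2 default=ignore] pam_krb5.so try_first_pass\n"
KRB5_PLAIN = "[libdefaults]\n    default_realm = EXAMPLE.COM\n"
KRB5_WITH_FLOOR = "[appdefaults]\n    pam = {\n        minimum_uid = 1000\n    }\n"

def krb5_module_args(pam_text):
    """Return the argument list of each pam_krb5.so line in a PAM config."""
    found = []
    for raw in pam_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        for i, field in enumerate(fields):
            if field.endswith("pam_krb5.so"):
                found.append(fields[i + 1:])
                break
    return found

def appdefaults_minimum_uid(krb5_text):
    """minimum_uid found under [appdefaults], or None.
    Simplification: per-application and per-realm nesting is not distinguished."""
    section = None
    for raw in krb5_text.splitlines():
        line = raw.strip()
        if line.startswith(("#", ";")):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        setting = re.fullmatch(r"minimum_uid\s*=\s*(\d+)", line)
        if setting and section == "appdefaults":
            return int(setting.group(1))
    return None

def effective_minimum_uid(args, krb5_text):
    """PAM arguments win over krb5.conf; None means no UID floor applies."""
    for arg in args:
        match = re.fullmatch(r"minimum_uid=(\d+)", arg)
        if match:
            return int(match.group(1))
    return appdefaults_minimum_uid(krb5_text)

def upgrade_drops_floor(old_pam, new_pam, krb5_text):
    """True if a pam_krb5.so line had a UID floor before and one lacks it after."""
    floors = lambda pam: [effective_minimum_uid(a, krb5_text) for a in krb5_module_args(pam)]
    return any(f is not None for f in floors(old_pam)) and any(f is None for f in floors(new_pam))
```
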