Russ,


I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
PAM_IGNORE, otherwise if you stack pam modules like:

other account sufficient pam_krb5
other account required pam_unix

and check for a local non Kerberos user the account management by pam_unix
(password expiry, etc..) will be ignored.

/*
* Succeed if the user did not use krb5 to login. Yes, ideally we
should
* probably fail and require that the user set up policy properly in
their
* PAM configuration, but it's not common for the user to do so and
that's
* not how other krb5 PAM modules work. If we don't do this, root
logins
* with the system root password fail, which is a bad failure mode.
*/
if (pamret != PAM_SUCCESS || args->ctx == NULL) {
pamret = PAM_SUCCESS;
<= should be PAM_IGNORE
pamk5_debug(args, "skipping non-Kerberos login");
goto done;
}



Markus