Re: pam_krb5 3.9 bug in account management ?
Resending this to the list.
"Markus Moeller" <firstname.lastname@example.org> writes:
> I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
> PAM_IGNORE, otherwise if you stack pam modules like:
> other account sufficient pam_krb5
> other account required pam_unix
> and check for a local non Kerberos user the account management by pam_unix
> (password expiry, etc..) will be ignored.[/color]
I would agree with you except PAM_IGNORE is not a permissible return code
for a PAM module according to the Linux PAM standard, which is as close to
a standard as we have.
Normally, you don't need to do the above. Other things don't work if the
user doesn't have a basic existence in the nsswitch setup for the system,
at which point pam_unix's account module will succeed.
Russ Allbery (email@example.com) <http://www.eyrie.org/~eagle/>