Resending this to the list.

"Markus Moeller" writes:

> I think in api-account.c in line 60 the PAM_SUCCESS should be changed to
> PAM_IGNORE, otherwise if you stack pam modules like:
>
> other account sufficient pam_krb5
> other account required pam_unix
>
> and check for a local non Kerberos user the account management by pam_unix
> (password expiry, etc..) will be ignored.


I would agree with you except PAM_IGNORE is not a permissible return code
for a PAM module according to the Linux PAM standard, which is as close to
a standard as we have.

Normally, you don't need to do the above. Other things don't work if the
user doesn't have a basic existence in the nsswitch setup for the system,
at which point pam_unix's account module will succeed.

--
Russ Allbery (rra@stanford.edu)