Guido Günther <[email protected]> writes: > Hi, > using pam as suggested by README.Debian gives me: > > | sshd[10016]: error: PAM: User account has expired for xy from foo > > when trying to log on a kerberos user. If I change the account part as > attached it works as expected.
By making the change that you propose, what you're doing is bypassing pam_unix's check for whether the account is valid locally. This may be what you want if you're not using local records of accounts at all, but I consider that a more advanced configuration than what's recommended by the package. The package configuration is careful to just add Kerberos authentication without changing any of your existing authorization rules. With this change, for example, you would be unable to disable an account locally without disabling it in Kerberos or doing something more drastic like deleting it or changing the shell. I'll add something more to the documentation about this, explaining the issue. -- Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/> -- To UNSUBSCRIBE, email to [email protected] with a subject of "unsubscribe". Trouble? Contact [email protected]

