Guido Günther <[email protected]> writes:

> Hi,
> using pam as suggested by README.Debian gives me:
>
> | sshd[10016]: error: PAM: User account has expired for xy from foo
>
> when trying to log on a kerberos user. If I change the account part as
> attached it works as expected.

By making the change that you propose, what you're doing is bypassing
pam_unix's check for whether the account is valid locally.  This may be
what you want if you're not using local records of accounts at all, but I
consider that a more advanced configuration than what's recommended by the
package.  The package configuration is careful to just add Kerberos
authentication without changing any of your existing authorization rules.

With this change, for example, you would be unable to disable an account
locally without disabling it in Kerberos or doing something more drastic
like deleting it or changing the shell.

I'll add something more to the documentation about this, explaining the
issue.

-- 
Russ Allbery ([email protected])               <http://www.eyrie.org/~eagle/>



--
To UNSUBSCRIBE, email to [email protected]
with a subject of "unsubscribe". Trouble? Contact [email protected]

Reply via email to