Hi Petter,

On Mon, May 03, 2010 at 06:45:44PM +0200, Petter Reinholdtsen wrote:
> Independent of how the pam setup should be, I believe it would be
> useful to be able to restrict the range of uids handled by ccreds. :)
>
> [Guido Günther]
> > That's a matter of your pam configuration. libpam-ccreds shouldn't
> > act on pam_unix at all but only on pam_ldap/Kerberos. If your
> > configuration does this differently it's broken.
>
> This is the configuration at the moment, generated by pam-auth-update:
>
> r...@pxe-test2-pre:~# grep -v '#' /etc/pam.d/common-auth
> auth [success=4 default=ignore] pam_unix.so nullok_secure
> auth [success=3 default=ignore] pam_ldap.so use_first_pass
> auth [success=2 default=ignore] pam_ccreds.so action=validate use_first_pass
> auth [default=ignore] pam_ccreds.so action=update
> auth requisite pam_deny.so
> auth required pam_permit.so
> auth optional pam_ccreds.so action=store
> r...@pxe-test2-pre:~#
>
> What do you mean is wrong with this configuration? What would the
> correct configuration look like?

You're falling through to pam_ldap if auth fails. See the pam.conf
example in the libpam-ccreds package on how to prevent this. You only
proceed for unknown_user not for other auth failures.

Cheers,
 -- Guido
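
The fall-through described in the reply above can be traced mechanically. The following is an added example, not part of the original message or of the libpam-ccreds package: a short Python walk over the bracket controls of the quoted stack, listing which modules get invoked. The `STRICT` variant and the per-module return codes are constructed assumptions.

```python
import re

# Keyword controls in bracket form, as documented in pam.conf(5).
KEYWORDS = {
    "required": "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite": "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "optional": "success=ok new_authtok_reqd=ok default=ignore",
}
# The stack quoted in the thread.
POSTED = """\
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=3 default=ignore] pam_ldap.so use_first_pass
auth [success=2 default=ignore] pam_ccreds.so action=validate use_first_pass
auth [default=ignore] pam_ccreds.so action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so action=store
"""
# Constructed variant (an assumption, not the package's example file):
# pam_unix continues only on user_unknown and ends the stack otherwise.
STRICT = POSTED.replace("[success=4 default=ignore] pam_unix.so",
                        "[success=4 user_unknown=ignore default=die] pam_unix.so")

def parse(text):
    """Return [(label, {return_code: action})] for each auth line."""
    entries = []
    for line in text.splitlines():
        control, module, args = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line).groups()
        spec = control.strip("[]") if control.startswith("[") else KEYWORDS[control]
        action_arg = next((a for a in args.split() if a.startswith("action=")), "")
        entries.append((f"{module} {action_arg}".strip(),
                        dict(pair.split("=") for pair in spec.split())))
    return entries

def trace(text, results):
    """List the modules invoked, in order, for the given module results."""
    stack, invoked, i = parse(text), [], 0
    while i < len(stack):
        label, actions = stack[i]
        invoked.append(label)
        action = actions.get(results[label], actions.get("default", "bad"))
        if action in ("die", "done"):   # both end the stack immediately
            break
        i += 1 + (int(action) if action.isdigit() else 0)  # N skips N modules
    return invoked
# Constructed results (values for modules never reached do not matter):
# a local account with a wrong password, then an LDAP-only account that succeeds.
LOCAL_WRONG_PW = {**{l: "auth_err" for l, _ in parse(POSTED)}, "pam_ldap.so": "user_unknown"}
LDAP_OK = {**LOCAL_WRONG_PW, "pam_unix.so": "user_unknown", "pam_ldap.so": "success",
           "pam_permit.so": "success", "pam_ccreds.so action=store": "success"}
```

`trace(POSTED, LOCAL_WRONG_PW)` lists pam_ldap and both pam_ccreds lines after the failed pam_unix check, while `trace(STRICT, LOCAL_WRONG_PW)` stops at `pam_unix.so`; the LDAP-only account takes the same path through both stacks.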