[Fwd: kclient version 2 [PSARC/2007/401 FastTrack timeout 07/13/2007]]
Shawn M. Emery
Shawn.Emery at sun.com
Thu Jul 12 08:55:08 PDT 2007
Gary Winiger wrote:
>> Gary Winiger wrote:
>>
>>>> -s pam_service: where pam_service is the service name to be configured for
>>>> Kerberos authentication in the pam.conf(4) file
>>>>
>>>>
>>> What becomes of the account and password module type stacks?
>>>
>>>
>> Those are left untouched as the configurations that I've seen for these
>> can range quite a bit.
>>
>>> I understand that session is a pam_krb5(5) no-op, but for
>>> completeness what becomes of the session module type stack?
>>>
>>>
>> This is left untouched as well.
>>
>
> Now I am confused. The default delivered pam.conf(4) doesn't
> deliver account management, password or session entries for
> pam_krb5(5). Are you saying these stacks are unnecessary and
> the pam_krb5(5) man page is incorrect?
>
The man page describes various permutations of these stacks. Which one
is incorrect? That is difficult to know. Should we provide another
interface that we can specify the control flag and hope that they know
which account authorities will be updated during change password?
> As I read kclient, I would have expected all I needed to correctly
> configure a service would have been -s <service>.
> If that's not the case, then it seems to me that either the
> pam_krb5(5) man page needs correction, or kclient needs to do more
> work, or the kclient man page needs to say -s only does part of the
> job and the admin must use $EDITOR to do the rest as described on
> the pam_krb5(5) man page.
>
The point was to cover a broad range of environments w/o having to know
about control flags and their effects. But if this is not sufficient we
need to either increase the complexity of the interface or make more
assumptions of their environment.
Shawn.
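
Added example, not part of the original message and not kclient code: a check an administrator could run after `kclient -s` to see which module type stacks reference pam_krb5 for a service, given that the thread says the account, password and session stacks are left untouched. The service name `exampled`, the sample entries and the assumption that only the auth stack was edited are constructed for illustration.

```python
MODULE_TYPES = ("auth", "account", "password", "session")

# Constructed sample in pam.conf(4) field order:
# service  module_type  control_flag  module_path  [options]
SAMPLE_PAM_CONF = """\
# constructed sample, not taken from the thread
exampled auth requisite  pam_authtok_get.so.1
exampled auth sufficient pam_krb5.so.1
exampled auth required   pam_unix_auth.so.1
other    account  required pam_unix_account.so.1
other    password required pam_authtok_store.so.1
other    session  required pam_unix_session.so.1
"""

def parse_pam_conf(text):
    """Return (service, module_type, control_flag, module_path) per entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry, skip it
        service, mtype, flag, module = fields[:4]
        entries.append((service.lower(), mtype.lower(), flag.lower(), module))
    return entries

def krb5_coverage(text, service):
    """Map each module type to (stack actually used, pam_krb5 control flags)."""
    entries = parse_pam_conf(text)
    report = {}
    for mtype in MODULE_TYPES:
        source = service.lower()
        stack = [e for e in entries if e[0] == source and e[1] == mtype]
        if not stack:
            # No entry for this service: PAM falls back to the "other" service.
            source = "other"
            stack = [e for e in entries if e[0] == source and e[1] == mtype]
        flags = [e[2] for e in stack
                 if e[3].rsplit("/", 1)[-1].startswith("pam_krb5")]
        report[mtype] = (source if stack else None, flags)
    return report

if __name__ == "__main__":
    for mtype, (source, flags) in krb5_coverage(SAMPLE_PAM_CONF, "exampled").items():
        print(f"{mtype:9} stack={source} pam_krb5={flags or 'absent'}")
```

An empty flag list for a module type means that stack, whether the service's own or the `other` fallback, never calls pam_krb5 and would still need manual editing.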