[pam-0.99.6.0]

Hi all,

I'm trying to come up with a good account section for systems operating under "disconnected auth", that is, network auth when there is no network or the server went away.

I'm testing for now with nss info in ldap and kerberos auth (pam_krb5). For the nss part I'm using nss_db + nss_updatedb. This means that using "user_unknown=ignore" like shown below doesn't work as intended, because the user *is* known (but not listed in /etc/passwd or shadow):

    account [user_unknown=ignore default=done] pam_unix.so
    account [authinfo_unavail=ignore default=done] pam_krb5.so
    account required pam_permit.so

With the above setup, pam_unix fails. It seems the only way to make this work is to either add "authinfo_unavail=ignore" or "broken_shadow" to pam_unix, like this:

    account [user_unknown=ignore default=done] pam_unix.so broken_shadow
    account [authinfo_unavail=ignore default=done] pam_krb5.so
    account required pam_permit.so

or

    account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
    account [authinfo_unavail=ignore default=done] pam_krb5.so
    account required pam_permit.so

I also thought about making pam_unix "sufficient", but this would make it possible for local users to bypass authorization rules, no?

Any thoughts? Thanks in advance.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
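The question in the post is really about how Linux-PAM walks a stack under the bracketed [value=action] controls versus the "sufficient" keyword. Below is an added example, not code from the post or from Linux-PAM: a small Python model of the stack walk as pam.conf(5) documents it (ok/bad record a result, done/die stop, ignore records nothing, a recorded failure is never overwritten), used to compare the posted stack, the authinfo_unavail=ignore variant, and a "sufficient" variant against hypothetical module return codes. The return codes are assumptions constructed for the comparison: that pam_unix returns PAM_AUTHINFO_UNAVAIL for a cached nss_db user with no shadow entry is inferred from the fix described in the post, not checked against the module, and the codes assigned to pam_krb5 are likewise illustrative. The broken_shadow option changes what pam_unix returns, not how the stack is walked, so it is not modelled.

```python
"""Simplified model of how Linux-PAM walks an "account" stack.

Added example, not code from the post or from Linux-PAM. It implements the
control semantics documented in pam.conf(5) so the stacks discussed in the
post can be compared against hypothetical module return codes. The codes
given to pam_unix and pam_krb5 below are assumptions, not measured behaviour.
"""

SUCCESS = "PAM_SUCCESS"
AUTHINFO_UNAVAIL = "PAM_AUTHINFO_UNAVAIL"
ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PERM_DENIED = "PAM_PERM_DENIED"

# Keyword controls expanded as pam.conf(5) defines them.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(control):
    """Turn 'required' or '[user_unknown=ignore default=done]' into a value->action dict."""
    control = control.strip()
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]


def parse_stack(text):
    """Parse pam.d-style lines (TYPE CONTROL MODULE [ARGS...]); blanks and comments are skipped."""
    stack = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _type, rest = line.split(None, 1)
        if rest.startswith("["):                 # bracketed control contains spaces
            control, rest = rest.split("]", 1)
            control += "]"
        else:
            control, rest = rest.split(None, 1)
        module, *args = rest.split()
        stack.append((control, module, args))
    return stack


def run_stack(stack, results):
    """Walk `stack`; `results` maps module name -> return code for this user.

    ok/done record a result, bad/die record a failure, done/die stop the walk,
    ignore records nothing, and a recorded failure is never overwritten by a
    later success. Unlisted values fall back to "default"; a control with no
    default at all is treated as "bad" (assumed, per the manual's description).
    A stack that records nothing is denied.
    """
    impression, status = None, None
    for control, module, _args in stack:
        actions = parse_control(control)
        retval = results[module]
        token = retval[len("PAM_"):].lower()     # PAM_ACCT_EXPIRED -> acct_expired
        action = actions.get(token, actions.get("default", "bad"))
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
        else:
            raise ValueError(f"unsupported action {action!r} in {control}")
    return status if impression is not None else PERM_DENIED


# The posted stack and two variants discussed in the post.
STACK_POSTED = """
account [user_unknown=ignore default=done] pam_unix.so
account [authinfo_unavail=ignore default=done] pam_krb5.so
account required pam_permit.so
"""
STACK_FIXED = STACK_POSTED.replace(
    "[user_unknown=ignore default=done] pam_unix.so",
    "[user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so")
STACK_SUFFICIENT = STACK_POSTED.replace(
    "[user_unknown=ignore default=done] pam_unix.so", "sufficient pam_unix.so")
STACKS = {"posted": STACK_POSTED, "authinfo_unavail=ignore": STACK_FIXED, "sufficient": STACK_SUFFICIENT}

# Constructed module results (assumptions). pam_unix -> PAM_AUTHINFO_UNAVAIL for a
# cached nss_db user without a shadow entry is inferred from the post's fix.
NETWORK_USER_OFFLINE = {"pam_unix.so": AUTHINFO_UNAVAIL, "pam_krb5.so": AUTHINFO_UNAVAIL, "pam_permit.so": SUCCESS}
EXPIRED_LOCAL_USER_OFFLINE = {"pam_unix.so": ACCT_EXPIRED, "pam_krb5.so": AUTHINFO_UNAVAIL, "pam_permit.so": SUCCESS}
VALID_LOCAL_USER = {"pam_unix.so": SUCCESS, "pam_krb5.so": SUCCESS, "pam_permit.so": SUCCESS}
SCENARIOS = {"network user, offline": NETWORK_USER_OFFLINE,
             "expired local user, offline": EXPIRED_LOCAL_USER_OFFLINE,
             "valid local user": VALID_LOCAL_USER}


def compare():
    """Return {scenario: {stack name: stack result}} for every combination."""
    return {scenario: {name: run_stack(parse_stack(text), results) for name, text in STACKS.items()}
            for scenario, results in SCENARIOS.items()}


if __name__ == "__main__":
    for scenario, outcomes in compare().items():
        print(scenario)
        for name, result in outcomes.items():
            print(f"  {name:24s} -> {result}")
```

Under these assumptions the model reproduces the post: the posted stack stops at pam_unix with PAM_AUTHINFO_UNAVAIL for the cached network user, and the authinfo_unavail=ignore variant lets the walk fall through to pam_permit. It also makes the poster's worry about "sufficient" concrete: because sufficient expands to default=ignore, a pam_unix failure such as PAM_ACCT_EXPIRED is discarded rather than recorded, so an expired local account on a disconnected machine ends the stack at pam_permit with PAM_SUCCESS, whereas both bracketed forms keep default=done and return the pam_unix error.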