On Thu, Jul 16, 2009 at 11:58, Les Mikesell <les@xxxxxxxxxxxxxxxx> wrote:

> This isn't strictly a PAM issue, but rather with the default RHEL5.x
> configuration (and Centos, and probably fedora). Does anyone know what they
> were thinking?

Ostensibly, they were trying to authenticate system users without passing said users' credentials on to winbind. Whether intentional or not, it seems they assumed users would have a UID that could be resolved by pam_unix. That's often the case, but with proper enterprise-level user management (no local accounts) the assumption breaks.

> Should most pam auth modules know anything about uid's?

By all means - auth is probably the most important place for UIDs/GIDs to be known.

> I thought that was account info. If the idea is to keep the 'system' accounts
> (below 500 by convention) in the passwd file, is there a better way to do it?

Probably should have used something to this effect instead of 'requisite':

    [success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore]

Which is, of course, according to pam.conf(5) the same as 'requisite' with the added control of ignoring unknown users. Allows the stack to shortcut if it's a system user with bad credentials but still passes completely unresolved credentials on.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
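An added toy model of how libpam's dispatcher applies the control values from pam.conf(5), written for this thread and not taken from it. It assumes a constructed RHEL5-style auth stack (pam_unix, pam_succeed_if with `uid >= 500`, pam_winbind, pam_deny) and constructed users, and shows that with plain `requisite` an unresolvable user never reaches winbind, while the bracketed control with `user_unknown=ignore` lets that user fall through yet still stops a system account with a bad password before winbind sees it.

```python
# Constructed model of Linux-PAM auth-stack control semantics (not the thread's own code).

def control(spec):
    """Parse a bracketed control such as '[success=ok default=die]' into {retcode: action}."""
    return dict(item.split("=") for item in spec.strip("[]").split())

# Equivalents listed in pam.conf(5), plus the control proposed in the mail.
REQUIRED   = control("[success=ok new_authtok_reqd=ok ignore=ignore default=bad]")
REQUISITE  = control("[success=ok new_authtok_reqd=ok ignore=ignore default=die]")
SUFFICIENT = control("[success=done new_authtok_reqd=done default=ignore]")
PROPOSED   = control("[success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore]")

LOCAL  = {"root": ("secret", 0), "alice": ("hunter2", 501)}  # constructed passwd entries
DOMAIN = {"bob": "pa55"}                                      # constructed winbind users

def pam_unix(user, pw):
    if user not in LOCAL:
        return "user_unknown"
    return "success" if LOCAL[user][0] == pw else "auth_err"

def pam_succeed_if(user, pw):  # models 'pam_succeed_if.so uid >= 500'
    if user not in LOCAL:
        return "user_unknown"
    return "success" if LOCAL[user][1] >= 500 else "auth_err"

def pam_winbind(user, pw):
    if user not in DOMAIN:
        return "user_unknown"
    return "success" if DOMAIN[user] == pw else "auth_err"

def pam_deny(user, pw): return "auth_err"

def run_stack(stack, user, pw):
    """Walk (control, module) pairs like libpam; return (final rc, modules consulted)."""
    result, failure, consulted = None, None, []
    for ctrl, module in stack:
        rc = module(user, pw)
        consulted.append(module.__name__)
        action = ctrl.get(rc, ctrl["default"])
        if action in ("ok", "done") and failure is None:
            result = rc                   # contributes unless an earlier module failed
        elif action in ("bad", "die") and failure is None:
            failure = rc                  # first non-ignored failure is sticky
        if action == "die" or (action == "done" and failure is None):
            break                         # stop walking the stack
    return failure or result or "perm_denied", consulted

def auth_stack(succeed_if_ctrl):
    """Constructed RHEL5-style system-auth layout, parameterised on the pam_succeed_if control."""
    return [(SUFFICIENT, pam_unix), (succeed_if_ctrl, pam_succeed_if),
            (SUFFICIENT, pam_winbind), (REQUIRED, pam_deny)]
```

With `REQUISITE`, a domain-only user such as `bob` is rejected as `user_unknown` after pam_succeed_if; with `PROPOSED`, the same login reaches pam_winbind and succeeds, while `root` with a wrong password is still cut off before winbind.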