Flawed logic in sys::pam
Looking at possible ways to make `sys::pam` configure `pam_krb5` without an existing Kerberos keytab, I stumbled upon this code.

It makes the strong assumption that a section with the hard-coded descriptive name "Kerberos authentication" should not be enabled if a hard-coded file `/etc/krb5.keytab` does not exist.

This is strongly coupled to the GSI-specific setup in our wrapper cookbook and does not belong here IMHO. The logic should be deleted here and moved to the wrapper cookbook.
In the big picture it may be completely superfluous:

- The "Kerberos authentication" `pamupdate` stanza is defined with `Default = 'no'` in the wrapper cookbook and has to be turned on explicitly.
- The configuration of the `pam_krb5` module must not break logins in case of misconfiguration or inoperable Kerberos infrastructure.
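As an added example (not part of this issue, the sys cookbook or pam_krb5), the Ruby script below models the subset of Linux-PAM control semantics that pam-auth-update writes into `common-auth` and makes the second point concrete: an entry controlled by `[success=end default=ignore]` (pam-auth-update rewrites `end` as a jump over the remaining primary modules) lets the local password through when Kerberos is unreachable, whereas a `required pam_krb5.so` line locks every user out. The module names, stack layouts and PAM return values are constructed for the illustration.

```ruby
# Added example (not code from the sys cookbook or from pam_krb5): a small
# evaluator for the Linux-PAM control semantics that pam-auth-update emits.
#
# Assumptions (not taken from the issue): module names, stack layouts and
# return values are constructed; only the controls required, requisite,
# sufficient and the bracket form with ok/bad/die/done/ignore/N are modelled.

Entry = Struct.new(:actions, :module_name)

# Keyword controls are shorthand for these bracket tables (see pam.conf(5)).
KEYWORD_CONTROLS = {
  'required'   => { 'success' => 'ok',   'default' => 'bad' },
  'requisite'  => { 'success' => 'ok',   'default' => 'die' },
  'sufficient' => { 'success' => 'done', 'default' => 'ignore' }
}.freeze

# Parse one auth line, e.g. "[success=2 default=ignore] pam_krb5.so minimum_uid=1000".
def parse_entry(line)
  if line.start_with?('[')
    close = line.index(']')
    raise ArgumentError, "unterminated control field: #{line}" unless close
    actions = line[1...close].split.to_h { |kv| kv.split('=', 2) }
    Entry.new(actions, line[(close + 1)..-1].split.first)
  else
    control, mod = line.split
    table = KEYWORD_CONTROLS.fetch(control) { raise ArgumentError, "unsupported control: #{control}" }
    Entry.new(table, mod)
  end
end

def parse_stack(text)
  text.lines.map(&:strip).reject { |l| l.empty? || l.start_with?('#') }.map { |l| parse_entry(l) }
end

# Walk the stack; `results` maps module name => PAM return value string.
# Returns :allow or :deny. A recorded failure ("bad") is sticky, so a later
# "ok" cannot rescue it; that is what makes "required" fatal here.
def evaluate(stack, results)
  verdict = nil
  i = 0
  while i < stack.length
    entry = stack[i]
    ret = results.fetch(entry.module_name)
    action = entry.actions.fetch(ret) { entry.actions.fetch('default') }
    case action
    when 'ignore'
      # this module does not contribute to the verdict
    when 'ok'
      verdict ||= :allow
    when 'bad'
      verdict = :deny
    when 'die'
      return :deny
    when 'done'
      return verdict == :deny ? :deny : :allow
    when /\A\d+\z/
      verdict ||= :allow
      i += action.to_i # skip the next N entries
    else
      raise ArgumentError, "unsupported action: #{action}"
    end
    i += 1
  end
  verdict || :deny # nothing positive recorded => deny
end

# Constructed stack in the shape pam-auth-update produces: "success=end" from
# the profile has already become the jump count that lands on pam_permit.
DEBIAN_STYLE_AUTH = <<~PAM
  [success=2 default=ignore] pam_krb5.so minimum_uid=1000
  [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
  requisite pam_deny.so
  required  pam_permit.so
PAM

# Constructed fragile variant: Kerberos made mandatory for every login.
REQUIRED_KRB5_AUTH = <<~PAM
  required pam_krb5.so minimum_uid=1000
  required pam_unix.so nullok_secure try_first_pass
PAM

# Constructed return values: no KDC reachable, but the local password is right.
KRB5_DOWN = {
  'pam_krb5.so'   => 'authinfo_unavail',
  'pam_unix.so'   => 'success',
  'pam_deny.so'   => 'auth_err',
  'pam_permit.so' => 'success'
}.freeze
KRB5_UP  = KRB5_DOWN.merge('pam_krb5.so' => 'success').freeze
ALL_FAIL = KRB5_DOWN.merge('pam_unix.so' => 'auth_err').freeze

def login_outcome(stack_text, results)
  evaluate(parse_stack(stack_text), results)
end

if $PROGRAM_NAME == __FILE__
  puts "pam-auth-update layout, KDC down: #{login_outcome(DEBIAN_STYLE_AUTH, KRB5_DOWN)}"  # allow
  puts "required pam_krb5,      KDC down: #{login_outcome(REQUIRED_KRB5_AUTH, KRB5_DOWN)}" # deny
  puts "pam-auth-update layout, bad pw:   #{login_outcome(DEBIAN_STYLE_AUTH, ALL_FAIL)}"   # deny
end
```

The `default=ignore` action is what keeps an unreachable KDC from deciding the verdict; `pam_deny.so` at the end of the primary block still denies when neither Kerberos nor the local password succeeds, so the fallthrough does not weaken authentication.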