Subject: Re: Kerberos V and xdm
To: Miroslav Ruda <ruda@ics.muni.cz>
From: Mark Davies <mark@mcs.vuw.ac.nz>
List: netbsd-users
Date: 09/27/2001 21:51:58
	From:  Miroslav Ruda <ruda@ics.muni.cz>
	Date:  Thu, 27 Sep 2001 10:44:06 +0200 (CEST)

> Mark Davies wrote:
> > I'm curious why the tests are in that order (the heimdal telnetd also does 
> > these tests in that order).  If you have a user that has the same password in 
> > the local unix passwd file and in kerberos they don't get tickets issued.
 
> It seems very reasonable to me, at least to avoid network problems (you can 
> login using local password without timeout/other problems), to avoid test
> for accounts which should not be tested agains Kerberos (root, ...).

The reason we strike this is that we are in the process of transitioning to
Kerberos so there are still lots of services that arent kerberoised and
require users to have passwords in the local files (and users being users
these are typically the same) and this trips people up as they log in, dont
get a TGT, and then the kerberos authenticated services fail for them.

cheers
mark