Subject: Re: kerberos in 1.5_ALPHA
To: Greywolf <greywolf@starwolf.com>
From: Jason R Thorpe <thorpej@zembu.com>
List: current-users
Date: 07/16/2000 10:17:18

On Sun, Jul 16, 2000 at 09:42:28AM -0700, Greywolf wrote:

 > That's broken, IMO.  If the kerberos method is not included in the
 > nsswitch.conf, it ought not be consulted, I think.  Or does that "break"
 > things?

Well, actually, Kerberos doesn't really fit into the nsswitch model.

In the Athena environment (the original user of Kerberos), Hesiod (i.e.
"dns" in nsswitch.conf) is used for the user/group database info, and
Kerberos is used to authenticate the users.  Kerberos is also used to
authenticate a person for access to another shared user account, such
as root (this is how su(1) works w/ Kerberos).

They're really two disjoint things that happened to unfortunately be crammed
together back when the Unix password database format was invented.

-- 
        -- Jason R. Thorpe <thorpej@zembu.com>