Re: slow su? [solved]

["Ian D. Leroux" <idleroux%fastmail.fm@localhost>]

Quoting "Ian D. Leroux" <idleroux%fastmail.fm@localhost> (Thu, 11 Aug 2011
13:44:10 +0200):
> On Thu, 11 Aug 2011 09:58 +0100, "Matthias Scheler"
> <tron%zhadum.org.uk@localhost> wrote:
> > On Thu, Aug 11, 2011 at 10:22:20AM +0200, Ian D. Leroux wrote:
> > > On Wed, 10 Aug 2011 23:33 +0100, "Matthias Scheler"
> > > <tron%zhadum.org.uk@localhost> wrote:
> > > > It doesn't depend on the "heimdal" package on my system. Do you
> > > > perhaps build the base system without Kerberos support?
> > >
> > > Yes, I just started doing that.
> >
> > May I ask why? I just wonder why people go through a lot of trouble
> > to save a few megabyte of disk space.
> 
> [rant on the value of trying non-default configurations in -current]

I should point out, in fairness, that there is at least one good
reason not to mess with MKKERBEROS=no even if you have no use for
Kerberos.  The default PAM configuration assumes and requires the
presence of pam_krb5.so and pam_ksu.so.  If you install a system built
without Kerberos, you must adjust the /etc/pam.d/* files so that your
PAM stacks don't try to load those modules.  Since editing PAM
configuration is a high-risk proposition, as David Holland pointed out
earlier in this thread, you probably don't want to go this route
without good reason.

Otherwise, you're liable to get bitten someday when the old kerberised
PAM modules left behind by your first installation stop working, the
PAM stacks fail to load and su (and probably other valuable bits of the
system as well) refuse to run.

This is implicit in the NOTES section of pam.conf(5), but easily
overlooked.

Regards,

-- 
Ian D. Leroux <idleroux%fastmail.fm@localhost>