misc/45263: [PATCH] mk.conf(5) should warn of the interaction between MKKERBEROS=no and PAM

[idleroux%fastmail.fm@localhost]

>Number:         45263
>Category:       misc
>Synopsis:       [PATCH] mk.conf(5) should warn of the interaction between 
>MKKERBEROS=no and PAM
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    misc-bug-people
>State:          open
>Class:          doc-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Aug 18 05:50:01 +0000 2011
>Originator:     Ian D. Leroux
>Release:        NetBSD/amd64-5.99.55
>Organization:
Aarhus Universitet
>Environment:
NetBSD scrameustache.dyndns.org 5.99.55 NetBSD 5.99.55 (SCRAMEUSTACHE) #1: Sat 
Jul 30 10:04:27 CEST 2011  
idleroux%scrameustache.dyndns.org@localhost:/build/obj/sys/arch/amd64/compile/SCRAMEUSTACHE
 amd64

>Description:
As discussed in PR 40599 and in the recent subthread beginning at
http://mail-index.netbsd.org/current-users/2011/08/11/msg017330.html,
setting MKKERBEROS=no breaks the default PAM stacks, which fail if pam_ksu.so 
and pam_krb5.so cannot be found.  Among other things, this means that a system 
built with MKKERBEROS=no does not, by default, allow any logins.

The proper fix for this is still a subject of debate, and may take some time.  
Meanwhile, the user should be warned that setting MKKERBEROS=no requires 
adjustments to their PAM configuration.
>How-To-Repeat:
man mk.conf
>Fix:
--- mk.conf.5.orig      2011-08-18 07:09:08.000000000 +0200
+++ mk.conf.5   2011-08-18 07:26:53.000000000 +0200
@@ -424,6 +424,13 @@
 .YorN
 Indicates whether the Kerberos v5 infrastructure
 (libraries and support programs) is built and installed.
+Note that the default configuration for PAM relies on the Kerberos
+modules pam_ksu.so and pam_krb5.so.  Do not install a userland
+built with
+.Sy MKKERBEROS=yes
+before adjusting the PAM configuration appropriately
+(see
+.Xr pam.conf 5 ).
 .DFLTy
 .
 .It Sy MKKMOD