pam_krb5 pam_sm_authenticate question

[Corey Smith]

First time poster so be kind :)

I was looking at the pam_krb5.c code and noticed that for authentication
to succeed getpwnam() has to succeed.

Previously I had setup a web site using mod_auth_pam to authenticate
against an active directory (AD) server using a pam config like:

# auth
auth            required        pam_krb5.so     no_ccache no_warn

# account
account         required        pam_permit.so

Using security/pam_krb5 this was OK.  I didn't need to have AD users in
my local /etc/passwd for authentication to be successful.  This is not
possible using FreeBSD's pam_krb5.so because of the getpwnam in the
authentication function of pam_krb5.c.

I'm not trying to build a bikeshed but shouldn't pam_sm_authenticate
verify the password and pam_sm_acct_mgmt verify that the user has a
local account?

If this were the case then you could setup other services like ftp and
such to use pam_krb5 for AD authentication.

-Corey Smith