Bug 108435

Summary: krb5 logins fail
Product: [Fedora] Fedora
Reporter: Michael K. Johnson <johnsonm>
Component: krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-10-29 10:29:29 EST
Bug Blocks: 100643

Description Michael K. Johnson 2003-10-29 10:26:58 EST
I just updated yesterday (Tue Oct 28) to latest rawhide, and now only
local users can log in; users authenticated by Kerberos cannot log in.

The login attempt looks like this:

$ ssh donal
johnsonm@[censored]'s password: 
Connection to [censored] closed by remote host.
Connection to [censored] closed.

/var/log/secure says:

sshd[10614]: Accepted password for [censored] from [censored] port [censored] ssh2
sshd[10616]: pam_krb5[10616]: default/local realm 'REDHAT.COM'
sshd[10616]: pam_krb5[10616]: configured realm 'REDHAT.COM'
sshd[10616]: pam_krb5[10616]: flags:
sshd[10616]: pam_krb5[10616]: flag: user_check
sshd[10616]: pam_krb5[10616]: flag: no krb4_convert
sshd[10616]: pam_krb5[10616]: flag: warn
sshd[10616]: pam_krb5[10616]: renewable lifetime: 0 
sshd[10616]: pam_krb5[10616]: banner: Kerberos 5
sshd[10616]: pam_krb5[10616]: ccache dir: /tmp
sshd[10616]: pam_krb5[10616]: keytab: /etc/krb5.keytab
sshd[10616]: pam_krb5[10616]: called to update credentials for '[censored]'
sshd[10616]: pam_krb5[10616]: _pam_krb5_sly_refresh returning 0 (Success)
sshd[10616]: fatal: PAM setcred failed[3]: Error in service module

/etc/pam.d/system-auth says:

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow nis
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

# rpm -qa | grep krb5

Comment 2 Michael K. Johnson 2003-10-29 10:29:29 EST
/dev/md1               4134832   4133572         0 100% /
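
The df line in comment 2 shows the root filesystem, which holds the logged ccache dir /tmp, with 0 blocks available. As an added example (not part of the bug report or of pam_krb5), this shell sketch ties a "PAM setcred failed" line to the ccache dir logged by the same sshd process and checks saved `df -P` output for free space. The function names and sample files are constructed, and reading the full filesystem as the cause of the failure is an inference from the report.

```shell
# Added example; function names are hypothetical, sample data is constructed.

# Print the ccache dir pam_krb5 logged for each sshd process that later
# died with "PAM setcred failed" ($1 = copy of /var/log/secure).
ccache_dir_for_failed_setcred() {
    awk '
        { if (!match($0, /sshd\[[0-9]+\]/)) next
          pid = substr($0, RSTART, RLENGTH) }
        /pam_krb5\[[0-9]+\]: ccache dir: / { dir[pid] = $NF }
        /fatal: PAM setcred failed/ { if (pid in dir) print dir[pid] }
    ' "$1" | sort -u
}

# Read `df -P` output on stdin; print "<mount> <available KB>" for the
# filesystem holding directory $1 (longest matching mount point wins).
fs_for_dir() {
    awk -v d="$1" '
        NR == 1 && $1 == "Filesystem" { next }
        { pre = ($6 == "/") ? "/" : $6 "/"
          if (index(d "/", pre) == 1 && length($6) > best) {
              best = length($6); out = $6 " " $4 } }
        END { if (out != "") print out }
    '
}

# $1 = secure log copy, $2 = saved `df -P` output.
triage() {
    ccache_dir_for_failed_setcred "$1" | while read -r d; do
        info=$(fs_for_dir "$d" < "$2")
        mnt=${info% *}; avail=${info##* }
        if [ -z "$info" ]; then echo "UNKNOWN $d"
        elif [ "$avail" -eq 0 ]; then echo "FULL $d on $mnt (0 KB available)"
        else echo "OK $d on $mnt ($avail KB available)"
        fi
    done
}

# Constructed inputs modelled on the lines quoted in this report.
sample_dir=$(mktemp -d)
cat > "$sample_dir/secure" <<'EOF'
sshd[10616]: pam_krb5[10616]: ccache dir: /tmp
sshd[10616]: pam_krb5[10616]: _pam_krb5_sly_refresh returning 0 (Success)
sshd[10616]: fatal: PAM setcred failed[3]: Error in service module
EOF
cat > "$sample_dir/df" <<'EOF'
Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/md1 4134832 4133572 0 100% /
EOF
triage "$sample_dir/secure" "$sample_dir/df"
```

On a live host, save `df -P` output to a file and pass it as the second argument, with a copy of /var/log/secure as the first.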