Bug 117978

Summary: su doesn't work as a user with enforcing=1
Product: [Fedora] Fedora Reporter: Bill Nottingham <notting>
Component: policyAssignee: Daniel Walsh <dwalsh>
Status: CLOSED RAWHIDE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: dwalsh, rvokal, twaugh
Target Milestone: ---Keywords: SELinux
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-04-07 02:09:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 114961    

Description Bill Nottingham 2004-03-10 18:59:39 UTC 
Gets 'incorrect password'.

Error is:

pam_krb5: authentication fails for 'root' (root):
Authentication failure (Cannot resolve network address for KDC in
requested realm)

Why would enforcing mode cause it to look up root in kerberos?


Expected results:


Additional info:
Comment 1 Tim Waugh 2004-03-11 15:11:36 UTC 
What versions of anything?  Clean install?
Comment 2 Bill Nottingham 2004-03-11 15:16:28 UTC 
Clean install of yesterday, upgraded to 1.8-5. coreutils-5.2.0-8.
Still happens.
Comment 3 Tim Waugh 2004-03-11 15:20:04 UTC 
Seems to be a krb5 thing.  Doesn't happen without it configured.
Comment 4 Bill Nottingham 2004-03-11 15:20:34 UTC 
[notting@apone: ~]$ cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
 
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
 
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
 
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
Comment 5 Daniel Walsh 2004-03-11 19:28:15 UTC 
Any avc messages?
Comment 6 Bill Nottingham 2004-03-11 20:47:01 UTC 
Only the gconv-modules ones.
Comment 7 Bill Nottingham 2004-03-11 20:48:39 UTC 
Aha. In permissive mode:

{read} exe=/bin/su name=krb5.conf scontext=:user_u:user_r:user_su_t
tcontext=system_u:object_r:krb5_conf_t
Comment 8 Daniel Walsh 2004-03-25 18:20:17 UTC 
Fixed in policy-1.9-15