Bug 145740

Summary: pam_krb5 TGT not consistent with kinit TGT
Product: [Fedora] Fedora Reporter: Dax Kelson <dkelson>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED INSUFFICIENT_DATA QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 3CC: mattdm
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-02-05 00:51:15 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Dax Kelson 2005-01-20 19:11:05 EST
Description of problem:

The krb5-libs package owns the file /etc/krb5.conf.

It contains the snippets:

[libdefaults]
#ticket_lifetime = 24000  <--- authconfig adds this line if run
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false


[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

These are the default entries (other than the REALM name). It appears
the intent is to obtain forwardable tickets or maybe not.

When obtaining a TGT via pam_krb5, the ticket is forwardable and
renewable. When obtaining a ticket via kinit or the gnome-kerberos
tool it isn't (unless you manually specify cmd line options).

Is this the intended behavior?

To make kinit consistent with pam_krb5 then the stock [libdefaults]
section should look like:

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 renew_lifetime = 36000
 forwardable = true
Comment 1 Dax Kelson 2005-01-20 19:12:52 EST
never mind my comment: (other than the REALM name)
Comment 2 Matthew Miller 2006-07-10 18:32:19 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 3 petrosyan 2008-02-05 00:51:15 EST
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug.