Bug 161010

Summary: Bad: Doesn't work
Product: [Fedora] Fedora Reporter: Travis Groth <lists>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 4CC: jpmahowald
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-10-03 03:53:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Travis Groth 2005-06-19 18:50:20 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
Doesn't appear to do *anything*.  I've manually dropped /etc/pam.d/gdm in from my FC3 install, and I get an authentication failure before I even enter my password.  It fails on the username.  Ditto if i use authconfig to add the kerberos line.  I've played with pam_krb5.so in system config and several other places.  If it is before pam_unix.so (not the default), it fails despite kinit having no issues and this same pam file working in FC3.  If I put it after the pam_unix.so entry, it auths via pam_unix and goes on it's merry way, never obtaining a kerberos ticket like it's supposed to.  

My best technical guess is a bug in the version of pam_krb5.so where it throws auth failures early or every time.  This needs to be fixed ASAP.  

Version-Release number of selected component (if applicable):
pam_krb5-2.1.7-3

How reproducible:
Always

Steps to Reproduce:
1.  Try to use pam_krb5.so for authentication and aquisition of initial kerberos ticket 
2.
3.
  

Actual Results:  Throws an auth failure to pam before prompting for a password.

Expected Results:  Wait for password before throwing either success or failure to pam, then obtain a kerberos ticket if there is success.

Additional info:

I'm classifying this as "Security" to get additional attention.  On any centralized network this bug totally renders kerberos authentication useless.  With this bug, FC4 is completely unusable on many corporate and acedemic networks which depend on kerberos.  It must be fixed immediately.

Comment 1 Travis Groth 2005-06-27 07:02:59 UTC
Without additional tweaking from myself pam_krb5 suddenly auths properly and
grants me a kerberos ticket.  I don't know what voodoo charm did it, but this
seems to be solved now.  

Comment 2 John Mahowald 2005-10-03 03:53:02 UTC
Closed NOTABUG.