Bug 178931
| Summary: | Lots of new pam_krb5 messages after update | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Orion Poplawski <orion> |
| Component: | vixie-cron | Assignee: | Marcela Mašláňová <mmaslano> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Brock Organ <borgan> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 4 | CC: | davej, nalin, tmraz |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | vixie-cron-4.1-41.FC4 | Doc Type: | Bug Fix |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2006-08-29 13:55:52 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 179037 | ||
| Bug Blocks: | |||
|
Description
Orion Poplawski
2006-01-25 16:12:45 UTC
*** Bug 178939 has been marked as a duplicate of this bug. *** This bug is now fixed with vixie-cron-4.1-41.FC4, released to updates/testing today. With vixie-cron-4.1-40.FC4, after it came to my attention that the pam_unix module did nothing for the session phase except log unwanted messages, I changed the /etc/pam.d/crond file from: --- auth sufficient pam_rootok.so auth required pam_stack.so service=system-auth auth required pam_env.so account required pam_stack.so service=system-auth account required pam_access.so session required pam_stack.so service=system-auth session required pam_loginuid.so --- To: --- auth sufficient pam_rootok.so auth required pam_stack.so service=system-auth auth required pam_env.so account required pam_stack.so service=system-auth account required pam_access.so session required pam_loginuid.so session required pam_limits.so session optional pam_krb5.so --- since system-auth contained: --- session required /lib/security/$ISA/pam_limits.so session required /lib/security/$ISA/pam_unix.so session optional /lib/security/$ISA/pam_krb5.so --- I wanted to keep the crond session stack the same except for the removal of the pam_unix module. This had the unwanted effect of causing the new pam_krb5 debugging log messages to be logged to /var/log/cron: crond[3599]: pam_krb5[3599]: no v5 creds for user 'root', skipping session setup crond[3600]: (root) CMD (logger job $$) crond[3599]: pam_krb5[3599]: no v5 creds for user 'root', skipping session cleanup Having checked with the pam_krb5 maintainer, it now appears that pam_krb5 does nothing for the crond pam session, since it is not a login session - so we can remove pam_krb5 from crond's pam config file also - it is so removed from vixie-cron-4.1-41.FC4's /etc/pam.d/crond . But the weird thing is for pam / pam_krb5 - why did just moving the pam_krb5 session requirement from the system-auth file to the crond file cause the extra debug log messages to be generated ? There's probably some "confusion" between pam_krb5's internal debug() function and the one used by crond. Most of the debugging messages in pam_krb5 are wrapped inside of checks for pam_krb5's debug flag, but these two aren't, so they expose that confusion. From User-Agent: XML-RPC vixie-cron-4.1-41.FC4 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report. From User-Agent: XML-RPC vixie-cron-4.1-41.FC4 has been pushed for FC4, which should resolve this issue. If these problems are still present in this version, then please make note of it in this bug report. |