Red Hat Bugzilla – Full Text Bug Listing
|Summary:||user gets no cached credentials after changing expired password on login|
|Product:||[Fedora] Fedora||Reporter:||Nalin Dahyabhai <nalin>|
|Component:||pam_krb5||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED CURRENTRELEASE||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||FC5||Doc Type:||Bug Fix|
|Last Closed:||2006-09-21 22:21:19 EDT||Type:||---|
|Bug Depends On:||169966|
Description Nalin Dahyabhai 2006-01-27 11:35:32 EST
+++ This bug was initially created as a clone of Bug #169966 +++

We have seen this bug before wrt pam_krb5-1.75 in RHEL 2.1. The bug has come back in pam_krb5-2.1.2-1-i386 and pam_ccreds-1-3-i386 in RHEL 4 U1. Previous bugzilla at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110948 .

When a user with an expired password tries to log in, he is allowed to change his password but no credential cache is created.

-- Additional comment from firstname.lastname@example.org on 2005-10-05 18:09 EST --

Ok, I think I've tracked down the problem. Looks like the issue is that after the chauthtok phase, the stash->v5result is still set to KRB5KDC_ERR_KEY_EXP. This prevents the session module from storing the cached credentials. The attached patch is a proposed fix that resets stash->v5result to 0 after a successful password change. This seems to correct my reproduction of the problem, but I'm not certain if this is the best place or way to reset this variable.

-- Additional comment from email@example.com on 2005-10-05 18:16 EST --

Created an attachment (id=119654)
system-auth file used to reproduce the problem

Steps to reproduce:
1) set up a kerberos realm with a test user in it
2) build RHEL4 box and use attached (or similar) system-auth file. Configure krb5.conf to authenticate against kerb realm with test user.
3) expire the password of the test user: kadmin> modprinc -pwexpire now testuser
4) log in on console (or telnet to box) as test user. Log in and change password when prompted.
5) note that after this, there are no cached credentials when you run klist.
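The stale-result behaviour described in the report, as an added, simplified C model of the three PAM phases (not pam_krb5 source and not the attached patch). The struct layout, the function names and the MODEL_KEY_EXP constant are hypothetical, and the model assumes a successful password change leaves fresh credentials in memory.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for KRB5KDC_ERR_KEY_EXP; the real value comes from the krb5 headers. */
#define MODEL_KEY_EXP (-1)

/* Per-user state shared by the PAM phases (models the report's "stash"). */
struct stash {
    int  v5result;    /* result of the last Kerberos operation, 0 = success */
    bool have_creds;  /* fresh credentials are held in memory (assumption) */
};

/* auth phase: the KDC reports that the password has expired. */
static void model_authenticate(struct stash *s) {
    s->v5result = MODEL_KEY_EXP;
    s->have_creds = false;
}

/* chauthtok phase: reset_result selects the behaviour proposed in the report. */
static void model_chauthtok(struct stash *s, bool change_ok, bool reset_result) {
    if (!change_ok)
        return;                 /* failed change: the error must stay in place */
    s->have_creds = true;
    if (reset_result)
        s->v5result = 0;        /* proposed fix: clear only after success */
}

/* session phase: returns true if a credential cache would be written. */
static bool model_open_session(const struct stash *s) {
    return s->v5result == 0 && s->have_creds;
}

/* Runs the three phases in order and reports whether a ccache results. */
static bool login_creates_ccache(bool change_ok, bool reset_result) {
    struct stash s = {0, false};
    model_authenticate(&s);
    model_chauthtok(&s, change_ok, reset_result);
    return model_open_session(&s);
}

int main(void) {
    printf("stale v5result:   ccache=%d\n", login_creates_ccache(true, false));
    printf("reset on success: ccache=%d\n", login_creates_ccache(true, true));
    printf("failed change:    ccache=%d\n", login_creates_ccache(false, true));
    return 0;
}
```

The third case shows why the reset belongs on the success path only: clearing the result after a failed change would let the session phase proceed for a user who never obtained credentials.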
Comment 1 Bill Nottingham 2006-09-21 22:21:19 EDT
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists in a current Fedora release (such as Fedora Core 5 or later), please reopen and set the version appropriately.