Bug 179132

Summary: user gets no cached credentials after changing expired password on login
Product: [Fedora] Fedora
Component: pam_krb5
Version: 4
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Nalin Dahyabhai <nalin>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Brian Brock <bbrock>
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-22 02:21:19 UTC
Bug Depends On: 169966

Description Nalin Dahyabhai 2006-01-27 16:35:32 UTC
+++ This bug was initially created as a clone of Bug #169966 +++

We have seen this bug before with respect to pam_krb5-1.75 in RHEL 2.1. The bug has come
back in pam_krb5-2.1.2-1-i386 and pam_ccreds-1-3-i386 in RHEL 4 U1.

Previous bugzilla at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110948 .

When a user with an expired password tries to log in, he is allowed to change
his password but no credential cache is created.

-- Additional comment from tao on 2005-10-05 18:09 EST --

OK, I think I've tracked down the problem. Looks like the issue is that
after the chauthtok phase, the stash->v5result is still set to
KRB5KDC_ERR_KEY_EXP. This prevents the session module from storing the
cached credentials.

The attached patch is a proposed fix that resets stash->v5result to 0 after
a successful password change. This seems to correct my reproduction of the
problem, but I'm not certain if this is the best place or way to reset
this variable.

-- Additional comment from jlayton on 2005-10-05 18:16 EST --
Created an attachment (id=119654)
system-auth file used to reproduce the problem

Steps to reproduce:

1) set up a Kerberos realm with a test user in it

2) build a RHEL4 box and use the attached (or similar) system-auth file. Configure
krb5.conf to authenticate against the Kerberos realm with the test user.

3) expire the password of the test user:

kadmin> modprinc -pwexpire now testuser

4) log in on the console (or telnet to the box) as the test user. Log in and change
the password when prompted.

5) note that after this, there are no cached credentials when you run klist.

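Step 5 of the reproduction above is a manual eyeball of klist. The following is an added example, not code from the bug report or from pam_krb5, of how that final check can be automated in a regression test: it parses klist output (exit status, stdout, stderr) and decides whether a credential cache exists and actually holds a TGT for the principal that just logged in. The sample klist outputs embedded below are constructed to match the MIT klist format of that era and are not captured from the reporter's system; the exact wording of the "No credentials cache found" message and the date layout vary between krb5 versions, so the parsing is deliberately permissive and should be treated as an assumption to verify against your own klist.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed sample outputs (assumed MIT klist format, not captured from the bug).
# Case 1: the failure mode in this bug -- login succeeded, password changed,
# but the session module never wrote a ccache. klist exits non-zero on stderr.
KLIST_NO_CACHE_STDERR = (
    "klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)\n"
)
# Case 2: the expected good state -- a ccache holding a TGT for the realm.
KLIST_WITH_TGT = """Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testuser@EXAMPLE.COM

Valid starting     Expires            Service principal
01/27/06 16:35:32  01/28/06 02:35:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""
# Case 3: a ccache exists but holds only a service ticket, no TGT.
KLIST_NO_TGT = """Ticket cache: FILE:/tmp/krb5cc_500
Default principal: testuser@EXAMPLE.COM

Valid starting     Expires            Service principal
01/27/06 16:35:32  01/28/06 02:35:32  host/box.example.com@EXAMPLE.COM
"""

TGT_RE = re.compile(r"krbtgt/(?P<realm>[^@\s]+)@(?P<trealm>\S+)")
PRINC_RE = re.compile(r"^Default principal:\s*(?P<princ>\S+)", re.MULTILINE)


@dataclass
class CacheState:
    has_cache: bool
    principal: Optional[str]   # "user@REALM" from the Default principal line
    tgt_realm: Optional[str]   # realm of the krbtgt entry, if one is present


def parse_klist(stdout: str, stderr: str, returncode: int) -> CacheState:
    """Interpret one klist invocation. A non-zero exit or a 'No credentials
    cache' message means no ccache at all, which is exactly what this bug
    produced after the expired-password change."""
    if returncode != 0 or "No credentials cache" in stderr:
        return CacheState(has_cache=False, principal=None, tgt_realm=None)
    m = PRINC_RE.search(stdout)
    principal = m.group("princ") if m else None
    t = TGT_RE.search(stdout)
    # A proper TGT is krbtgt/REALM@REALM; require both halves to agree.
    tgt_realm = t.group("realm") if t and t.group("realm") == t.group("trealm") else None
    return CacheState(has_cache=True, principal=principal, tgt_realm=tgt_realm)


def check_ccache(stdout: str, stderr: str, returncode: int,
                 expected_principal: str) -> Tuple[bool, str]:
    """Return (ok, reason). ok is True only when a ccache exists, belongs to
    expected_principal, and holds a TGT for that principal's realm."""
    state = parse_klist(stdout, stderr, returncode)
    if not state.has_cache:
        return False, "no credential cache after login"
    if state.principal != expected_principal:
        return False, f"cache belongs to {state.principal!r}, expected {expected_principal!r}"
    want_realm = expected_principal.rsplit("@", 1)[-1]
    if state.tgt_realm != want_realm:
        return False, f"no TGT for realm {want_realm} in cache"
    return True, "TGT present"


def run_klist() -> Tuple[str, str, int]:
    """Run the real klist in the current session (requires krb5-workstation).
    Not exercised by the embedded samples; provided for use on a test box."""
    p = subprocess.run(["klist"], capture_output=True, text=True)
    return p.stdout, p.stderr, p.returncode


if __name__ == "__main__":
    # On a test box, run this right after the expired-password login from the
    # reproduction steps; with the bug present it reports the first case.
    out, err, rc = run_klist()
    print(check_ccache(out, err, rc, "testuser@EXAMPLE.COM"))
```

Driving the reproduction itself (kadmin's `modprinc -pwexpire now testuser`, then an interactive login through pam_krb5) still has to happen on a real host with a KDC; this check only replaces the manual klist inspection at the end, and the constructed samples let the parser be exercised without one.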
Comment 1 Bill Nottingham 2006-09-22 02:21:19 UTC
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.