Bug 182239

Summary: RFE: Implement V5->V4 credential conversion using "external" in pam_krb5
Product: [Fedora] Fedora
Component: pam_krb5
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Reporter: Jon Fautley <jfautley>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Brian Brock <bbrock>
CC: jan.iven, tao
Keywords: Reopened
Fixed In Version: 2.2.9-1
Doc Type: Bug Fix
Last Closed: 2007-07-19 17:04:59 EDT
Bug Blocks: 201265
Attachments: proposed patch (Flags: none)

Description Jon Fautley 2006-02-21 05:49:02 EST
Implement V5->V4 credential cache conversion in pam_krb5 when using the
"external" option so they can forward v4 credentials to their AFS server.

This is for the 2.2-branch of the pam_krb5 module.
Comment 1 Nalin Dahyabhai 2006-02-23 14:04:59 EST
This should be implemented in pam_krb5 2.2.7 and later.  Closing with resolution
RAWHIDE even if it won't be there just yet due to the FC5 freeze.
Comment 2 Jan Iven 2006-04-25 04:16:56 EDT
This feature does not quite work as expected yet for the case where the K5
principal does not match the local account name. In this case, the "converted"
credentials (Krb4 and AFS) are obtained for the local account principal and are
nonfunctional.
Easy example: "ssh root@machine" ends up with a (nonworking) Krb4 TGT for
root@REALM instead of the converted user@REALM.

Appears to be due to mixing info from the krb5 "stash" with the "userinfo"
converted principal after an existing Krb5 ccache is read back.

Please reopen.
Thanks
Jan
Comment 3 Jan Iven 2006-04-25 10:23:52 EDT
Created attachment 128204
proposed patch

proposed patch that overrides the userinfo->principal when reading in an
"external" KRB5CCNAME.
Comment 8 Jon Fautley 2006-11-01 06:27:10 EST
Looking through the changelog for pam_krb5 in FC6, this was fixed as of 2.2.9-1
- shouldn't this BZ be closed now? :)

Cheers,

/j
Comment 9 Nalin Dahyabhai 2007-07-19 17:04:59 EDT
Er, yes, it should.  Closing.