Bug 18720

Summary: Unable to authenticate with pam_krb5-1-19
Product: [Retired] Red Hat Linux Reporter: Chris Rode <electro>
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED RAWHIDE QA Contact: Aaron Brown <abrown>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.0   
Target Milestone: ---   
Target Release: ---   
Hardware: i386   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2000-10-09 15:38:35 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Chris Rode 2000-10-09 15:38:33 UTC 
Using the default pam_krb5-1-19 shipped with Red Hat Linux 7.0, I am 
unable to authenticate to my kerberos realm.  Downgrading to pam_krb5-1-16 
fixes the problem.  With release 19, after I enter a username at the 
login: prompt, I do not get prompted for a password, I just get a failed 
login.

The messages in /var/log/secure:
Oct  6 11:19:48 vandyk xinetd[458]: START: telnet pid=7787 from=127.0.0.1
Oct  6 11:19:50 vandyk login: pam_krb5: get_config() called
Oct  6 11:19:50 vandyk login: pam_krb5: setting renewable lifetime to 36000
Oct  6 11:19:50 vandyk login: pam_krb5: setting ticket lifetime to 36000
Oct  6 11:19:50 vandyk login: pam_krb5: making tickets forwardable
Oct  6 11:19:50 vandyk login: pam_krb5: ticket directory is "/tmp"
Oct  6 11:19:50 vandyk login: pam_krb5: password-changing banner set 
to "Kerberos 5"
Oct  6 11:19:50 vandyk login: pam_krb5: krb4_convert false
Oct  6 11:19:50 vandyk login: pam_krb5: pam_sm_authenticate() called
Oct  6 11:19:50 vandyk login: pam_krb5: default Kerberos realm is 
MRDUCK.NET
Oct  6 11:19:50 vandyk login: pam_krb5: user is "electro"
Oct  6 11:19:50 vandyk login: pam_krb5: electro has uid 500, gid 500
Oct  6 11:19:50 vandyk login: pam_krb5: attempting to authenticate electro
Oct  6 11:19:50 vandyk login: pam_krb5: authenticate error: Cannot read 
password
Oct  6 11:19:50 vandyk login: pam_krb5: authentication fails for electro
Oct  6 11:19:50 vandyk login: pam_krb5: TGT for electro not verified (no 
required_tgs defined)
Oct  6 11:19:50 vandyk login: pam_krb5: saved return code (7) for later use
Oct  6 11:19:50 vandyk login: pam_krb5: pam_sm_authenticate returning 7 
(Authentication failure)

And the messages from /var/log/messages:
Oct  6 11:19:50 vandyk PAM_unix[7788]: auth could not identify password 
for [electro]
Oct  6 11:19:50 vandyk login[7788]: FAILED LOGIN 1 FROM 
localhost.localdomain FOR electro, Authentication failure

My /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_krb5.so debug
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 
shadow use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    requisite     /lib/security/pam_cracklib.so retry=3 
type=MRDUCK.NET
password    sufficient    /lib/security/pam_krb5.so nullok use_authtok
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 
shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     optional      /lib/security/pam_krb5.so
session     required      /lib/security/pam_unix.so
Comment 1 Nalin Dahyabhai 2000-10-10 17:57:19 UTC 
Aaargh.  This should be fixed in 1-21, currently in
http://people.redhat.com/nalin/test/, slated for inclusion in the next Raw Hide
snapshot.
Comment 2 Chris Rode 2000-10-11 03:57:27 UTC 
Thanks Nalin, the pam_krb5-1-21 release works like a charm. :)