Bug 197428

Summary: Cannot unlock kdesktop_lock when using Kerberos authentication
Product: [Fedora] Fedora Reporter: blomman
Component: pam_krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED WONTFIX QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5CC: than, triage
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: bzcl34nup
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-05-06 12:04:16 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:

Description blomman 2006-07-01 04:45:03 EDT
Description of problem:
When using Kerberos authentication it is not possible to unlock the screen saver
 (kdesktop_lock) when it is locked. After entering the password an error message
is displayed:

"Cannot unlock the session because the authentication system failed to work; you
must kill kdesktop_lock (pid 2753) manually."

The associated messages in /var/log/messages are:

kcheckpass: pam_krb5[2764]: authentication succeeds for 'user' (user@EXAMPLE.COM)
kcheckpass: pam_krb5[2764]: won't refresh credentials while running setuid/setgid

The associated messages in /var/log/secure are:

kcheckpass: pam_unix(kscreensaver:auth): authentication failure; logname=user
uid=500 euid=0 tty=:0 ruser= rhost= user=user

Note: username and Kerberos domain replaced with fake.


Version-Release number of selected component (if applicable):
2.2.6-2.2

How reproducible:
Every time

Steps to Reproduce:
1. Setup Kerberos authentication with system-config-authentication
2. Lock the screen
3. Unlock the screen (will fail)
  
Actual results:
An error message is displayed and the screen is not unlocked.

Expected results:
The screen should unlock.

Workaround:
Setup a local password for the account on the computer. The local password
should not be the same as the Kerberos password since this will inhibit
authentication via the Kerberos server. When unlocking the screen, use the local
password instead of the Kerberos password.
Comment 1 Nalin Dahyabhai 2006-07-05 10:33:43 EDT
Just to help with reproducing this, you've got all of the FC5 updates applied? 
(CCing the kdebase package owner in case this is a known problem.)
Comment 2 Ngo Than 2006-07-05 11:19:21 EDT
it seems pam_krb5 does not refresh credentials while kcheckpass running 
setuid!

Does it work for you if you remove the setuid of kcheckpass (chmod 
755 /usr/bin/kcheckpass) ?

Nalin, do you know why using pam_ldap requires root priviliges?
for more infos please take a look at 
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189790


Thanks
Comment 3 Nalin Dahyabhai 2006-07-05 11:31:51 EDT
The module doesn't try to refresh credentials when it's running setuid root. 
The module has to get the location of the current credential cache from an
environment variable, and I don't trust that in a setuid case.

I guess the module could return PAM_IGNORE instead of PAM_SERVICE_ERR in that
case, or the unlock program could simply ignore the error code, as this isn't
the only error which might be generated (the documentation for PAM isn't really
clear on what the application is supposed to do if pam_setcred() returns a
failure code).

I'd need more information about the configuration to be sure, but bug #189790
could be caused by a configuration in which access to the directory server is
only possible for the root user (e.g., setting a "rootbinddn", storing a
password in /etc/ldap.secret, and configuring the directory server to deny
unauthenticated search requests).
Comment 4 blomman 2006-07-05 15:53:56 EDT
All updaes were applied. As a matter of fact, it all worked before applying the
updates. Sorry, forgot to mension this. I bet that kcheckpass being changed to
suid root in some kdebase update caused this to happen. Then we have a problem.
Kerberos authentication requires kcheckpass not to be suid root but LDAP
authentication require it to be.

I do not have the computer with the problem infront of me right now. I'll verify
tomorrow that a chmod 755 will indeed solve the problem.
Comment 5 blomman 2006-07-06 13:34:24 EDT
Verified!

A "chmod 755 /usr/bin/kcheckpass" solved the problem. But of course, the bug is
still there. At the next update I'll have to chmod again.
Comment 6 Bug Zapper 2008-04-03 23:12:41 EDT
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.

If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to a current Fedora release. In order to
refocus our efforts as a project we are flagging all of the open bugs
for releases which are no longer maintained and closing them.
http://fedoraproject.org/wiki/LifeCycle/EOL

If this bug is still open against Fedora Core 1 through 6, thirty days
from now, it will be closed 'WONTFIX'. If you can reporduce this bug in
the latest Fedora version, please change to the respective version. If
you are unable to do this, please add a comment to this bug requesting
the change.

Thanks for your help, and we apologize again that we haven't handled
these issues to this point.

The process we are following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.

And if you'd like to join the bug triage team to help make things
better, check out http://fedoraproject.org/wiki/BugZappers
Comment 7 Bug Zapper 2008-05-06 12:04:14 EDT
This bug is open for a Fedora version that is no longer maintained and
will not be fixed by Fedora. Therefore we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen thus bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.