Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Cannot unlock kdesktop_lock when using Kerberos authentication|
|Component:||pam_krb5||Assignee:||Nalin Dahyabhai <nalin>|
|Status:||CLOSED WONTFIX||QA Contact:||Brian Brock <bbrock>|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-05-06 12:04:16 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description blomman 2006-07-01 04:45:03 EDT
Description of problem: When using Kerberos authentication it is not possible to unlock the screen saver (kdesktop_lock) when it is locked. After entering the password an error message is displayed: "Cannot unlock the session because the authentication system failed to work; you must kill kdesktop_lock (pid 2753) manually." The associated messages in /var/log/messages are: kcheckpass: pam_krb5: authentication succeeds for 'user' (user@EXAMPLE.COM) kcheckpass: pam_krb5: won't refresh credentials while running setuid/setgid The associated messages in /var/log/secure are: kcheckpass: pam_unix(kscreensaver:auth): authentication failure; logname=user uid=500 euid=0 tty=:0 ruser= rhost= user=user Note: username and Kerberos domain replaced with fake. Version-Release number of selected component (if applicable): 2.2.6-2.2 How reproducible: Every time Steps to Reproduce: 1. Setup Kerberos authentication with system-config-authentication 2. Lock the screen 3. Unlock the screen (will fail) Actual results: An error message is displayed and the screen is not unlocked. Expected results: The screen should unlock. Workaround: Setup a local password for the account on the computer. The local password should not be the same as the Kerberos password since this will inhibit authentication via the Kerberos server. When unlocking the screen, use the local password instead of the Kerberos password.
Comment 1 Nalin Dahyabhai 2006-07-05 10:33:43 EDT
Just to help with reproducing this, you've got all of the FC5 updates applied? (CCing the kdebase package owner in case this is a known problem.)
Comment 2 Ngo Than 2006-07-05 11:19:21 EDT
it seems pam_krb5 does not refresh credentials while kcheckpass running setuid! Does it work for you if you remove the setuid of kcheckpass (chmod 755 /usr/bin/kcheckpass) ? Nalin, do you know why using pam_ldap requires root priviliges? for more infos please take a look at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=189790 Thanks
Comment 3 Nalin Dahyabhai 2006-07-05 11:31:51 EDT
The module doesn't try to refresh credentials when it's running setuid root. The module has to get the location of the current credential cache from an environment variable, and I don't trust that in a setuid case. I guess the module could return PAM_IGNORE instead of PAM_SERVICE_ERR in that case, or the unlock program could simply ignore the error code, as this isn't the only error which might be generated (the documentation for PAM isn't really clear on what the application is supposed to do if pam_setcred() returns a failure code). I'd need more information about the configuration to be sure, but bug #189790 could be caused by a configuration in which access to the directory server is only possible for the root user (e.g., setting a "rootbinddn", storing a password in /etc/ldap.secret, and configuring the directory server to deny unauthenticated search requests).
Comment 4 blomman 2006-07-05 15:53:56 EDT
All updaes were applied. As a matter of fact, it all worked before applying the updates. Sorry, forgot to mension this. I bet that kcheckpass being changed to suid root in some kdebase update caused this to happen. Then we have a problem. Kerberos authentication requires kcheckpass not to be suid root but LDAP authentication require it to be. I do not have the computer with the problem infront of me right now. I'll verify tomorrow that a chmod 755 will indeed solve the problem.
Comment 5 blomman 2006-07-06 13:34:24 EDT
Verified! A "chmod 755 /usr/bin/kcheckpass" solved the problem. But of course, the bug is still there. At the next update I'll have to chmod again.
Comment 6 Bug Zapper 2008-04-03 23:12:41 EDT
Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reporduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers
Comment 7 Bug Zapper 2008-05-06 12:04:14 EDT
This bug is open for a Fedora version that is no longer maintained and will not be fixed by Fedora. Therefore we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen thus bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.