Bug 219916

Summary: [PATCH] RHN Satellite and pam hangs when accounts have password expired.
Product: Red Hat Satellite 5
Reporter: Jose Plans <jplans>
Component: Server
Assignee: Jesus M. Rodriguez <jesusr>
Status: CLOSED CURRENTRELEASE
QA Contact: wes hayutin <whayutin>
Severity: high
Priority: high
Version: 410
CC: cperry, rhn-bugs, tao
Hardware: All
OS: Linux
Fixed In Version: sat500
Doc Type: Bug Fix
Last Closed: 2007-06-26 03:08:30 UTC
Bug Blocks: 173427, 221611
Attachments:
Description                          Flags
patch.                               none
jpam-0.4-pam_conv.patch              none
jpam-0.4-pam_conv.patch [small fix]  none
pam_conv fixing typo.                none
Test case                            none

Description Jose Plans 2006-12-16 11:17:16 UTC
Description of problem:
If Satellite is using pam authentication, if in the DS or user database the
password is marked as expired, the threads will just hang or segfault with
messages like:

--
From catalina.out:
2006-12-15 06:18:23,301 [TP-Processor8] WARN com.redhat.rhn.frontend.servlets.ContextFilter - timezone still null
free(): invalid pointer 0xb75b7400!
2006-12-15 06:18:23,316 [TP-Processor8] WARN com.redhat.rhn.domain.user.legacy.LegacyRhnUserImpl - PAM login for user User jpam_test (id 3, org_id 1) failed with error User account has expired.
--

After digging, we found out that the PAM_conv function used in jpam (even
upstream) was extremely weak, not handling any style messages from PAM.

Following two builds of jpam, we managed to fix the problem, which was: if we get
PAM_ERROR_MSG or PAM_TEXT_INFO, then notify and adapt strings.

Version-Release number of selected component (if applicable):
all of the jpam available.

How reproducible:
Always.

Steps to Reproduce:
1. Set up a pam auth.
2. Expire the password.
3. See it hanging when accessing with the account.
  
Actual results:
Hangs.

Expected results:
No Hangs.

Additional info:
Patch tested and in production fixing the problem.
We will request a hotfix soon next week, please roll a new package.

    Jose
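
A conversation callback that handles every message style, including the PAM_ERROR_MSG and PAM_TEXT_INFO notices named in the description above, written here as an added example (it is not the attached patch and not jpam's code). The `creds` struct, the `safe_conv` name and the sample messages are assumptions constructed for illustration, and the PAM constants and structs are stand-ins carrying Linux-PAM's values so the block builds without PAM headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Stand-ins for <security/pam_appl.h>, using Linux-PAM's values, so this builds anywhere. */
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19 };
enum { PAM_PROMPT_ECHO_OFF = 1, PAM_PROMPT_ECHO_ON, PAM_ERROR_MSG, PAM_TEXT_INFO };
struct pam_message { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
/* Hypothetical appdata_ptr payload: credentials in, last PAM notice out. */
struct creds { const char *user, *password; char notice[256]; };
int safe_conv(int n, const struct pam_message **msg,
              struct pam_response **resp, void *appdata) {
    struct creds *c = appdata;
    if (n <= 0 || !msg || !resp || !c) return PAM_CONV_ERR;
    struct pam_response *r = calloc((size_t)n, sizeof *r); /* zeroed: unanswered slots stay NULL */
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_ON:  answer = c->user;     break;
        case PAM_PROMPT_ECHO_OFF: answer = c->password; break;
        case PAM_ERROR_MSG: case PAM_TEXT_INFO: /* notice (e.g. expiry): keep it, no reply */
            snprintf(c->notice, sizeof c->notice, "%s", msg[i]->msg ? msg[i]->msg : "");
            continue;
        default: goto fail;                     /* unknown style: refuse cleanly */
        }
        if (!answer || !(r[i].resp = malloc(strlen(answer) + 1))) goto fail;
        strcpy(r[i].resp, answer);              /* heap copy; PAM frees it */
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
    *resp = NULL;
    return PAM_CONV_ERR;
}

int main(void) {  /* constructed exchange: expiry notice, then password prompt */
    const struct pam_message m[2] = { { PAM_TEXT_INFO, "Password expired" },
                                      { PAM_PROMPT_ECHO_OFF, "Password: " } };
    const struct pam_message *msgs[2] = { &m[0], &m[1] };
    struct creds c = { "jpam_test", "constructed-secret", "" };
    struct pam_response *r = NULL;
    int rc = safe_conv(2, msgs, &r, &c);
    printf("rc=%d notice=\"%s\"\n", rc, c.notice);
    if (rc == PAM_SUCCESS) { free(r[1].resp); free(r); }
    return rc;
}
```

With Linux-PAM installed, replace the stand-in definitions with `#include <security/pam_appl.h>` and pass `safe_conv` as the `conv` member of `struct pam_conv`.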

Comment 1 Jose Plans 2006-12-16 11:17:16 UTC
Created attachment 143848 [details]
patch.

Comment 4 Jose Plans 2006-12-17 00:31:30 UTC
Created attachment 143862 [details]
jpam-0.4-pam_conv.patch

Ok this one is cleaner and easier to evolve / adapt.
For the case default, there is a need to clean the messages.

First patch fixes the problem, this one fixes it too, but customer has not
tested it yet.

Comment 6 Jose Plans 2006-12-17 13:10:54 UTC
Created attachment 143866 [details]
jpam-0.4-pam_conv.patch [small fix]

Comment 8 Jose Plans 2006-12-19 01:07:07 UTC
Created attachment 143972 [details]
pam_conv fixing typo.

Ok tested with kerberos.

Comment 18 Jesus M. Rodriguez 2007-03-23 21:05:49 UTC
Moving to ON_QA

Comment 19 wes hayutin 2007-03-26 19:11:07 UTC
I probably need some assistance with PAM... 
I keep getting 

Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]: authentication failure; logname= uid=91 euid=91 tty= ruser= rhost=  user=testLogin
Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]:  ERROR 0:Permission denied

Comment 21 Jose Plans 2007-03-29 14:50:13 UTC
[root@fjs-0-13 jpam-test]# export CLASSPATH=/usr/share/ant/lib/ant-nodeps.jar:/usr/share/java/jpam.jar:/usr/src/redhat/SPECS:/usr/share/java/commons-logging.jar:`pwd`
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:19 EDT 2007
[root@fjs-0-13 jpam-test]# java SimplePam
Loging start
LOGIN SUCCESSFULL
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:28 EDT 2007
[root@fjs-0-13 jpam-test]# rpm -q jpam
jpam-0.4-9.rhel4


Comment 22 Jose Plans 2007-03-29 14:52:27 UTC
Created attachment 151202 [details]
Test case

Comment 23 Jose Plans 2007-03-29 16:04:30 UTC
Wes,
  Ok network authentication works perfectly - however you need to gain root or
cap_sys_admin privileges to open/read /etc/shadow, hence you get EPERM.
  Checking the documentation it is said that the PAM authentication is meant to
be for networking db's such as LDAP, NIS, Kerberos.
Jose

Comment 25 wes hayutin 2007-04-10 13:22:47 UTC
waiting for webqa to come back up.. I'd rather not bustificate our only working
sat on build 20

Comment 26 wes hayutin 2007-04-11 17:17:02 UTC
pam and rhn are working together...
verified...

Comment 28 Jose Plans 2007-04-18 13:02:55 UTC
Ok patch sent and committed upstream for JPam 1.0.
* http://jpam.sourceforge.net/changes-report.html#1.0
Jose

Comment 30 Brandon Perkins 2007-06-26 03:08:30 UTC
Closed for Satellite 500 Release.

Comment 32 Clifford Perry 2009-02-19 16:37:37 UTC
*** Bug 213358 has been marked as a duplicate of this bug. ***