Bug 371761
Summary: | credcache created for root, not user, when establishing credentials | ||||||||
---|---|---|---|---|---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Thomas R. <redhat-bugs> | ||||||
Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> | ||||||
Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||
Severity: | medium | Docs Contact: | |||||||
Priority: | low | ||||||||
Version: | rawhide | ||||||||
Target Milestone: | --- | ||||||||
Target Release: | --- | ||||||||
Hardware: | All | ||||||||
OS: | Linux | ||||||||
Whiteboard: | |||||||||
Fixed In Version: | 2.2.21 | Doc Type: | Bug Fix | ||||||
Doc Text: | Story Points: | --- | |||||||
Clone Of: | Environment: | ||||||||
Last Closed: | 2007-11-09 22:27:15 UTC | Type: | --- | ||||||
Regression: | --- | Mount Type: | --- | ||||||
Documentation: | --- | CRM: | |||||||
Verified Versions: | Category: | --- | |||||||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
Cloudforms Team: | --- | Target Upstream Version: | |||||||
Embargoed: | |||||||||
Attachments: |
|
Description
Thomas R.
2007-11-08 19:53:07 UTC
Created attachment 252021 [details]
relevant part of /var/log/messages, IPs/hostnames edited out
The "no_user_check" option is probably causing this -- with it, pam_krb5 just makes note of the current UID when it's called for the first time and uses that instead of looking up the user's UID. It probably makes sense for it to instead use the current UID at the time the file's being created instead, but if sshd isn't dropping its privileges before opening the PAM session or initializing the PAM credentials, it won't change the visible behavior. Can you run without "no_user_check"? Tricky. This is for a large number of hosts, and the KDC is a windows host, where I don't know how to mass add hosts and export keytabs. But if you just want to know if that indeed is causing our problem, I can test it for one host. The "no_user_check" option shouldn't make a difference there -- I think you're thinking of the "validate" option, which validates the user's credentials using a local keytab file ("no_user_check" inhibits calls to getpwnam(), which nss_ldap is servicing for you). But yes, if it works correctly with "no_user_check" turned off, I think that'll be the best thing to do. Ah, you're right, got it mixed up. Then it's even worse: the homes of the users are on AFS, and with user_check enabled, I get this in /var/log/messages: [...] Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: KRB5CCNAME is not set, none found Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: trying previously-entered passwor d for 'zxmoo46', allowing libkrb5 to prompt for more Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: authenticating 'zxmoo46 NI-TUEBINGEN.DE' to 'krbtgt/STUDENT.UNI-TUEBINGEN.DE.DE' Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: pkinit identity has no contents, ignoring Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: krb5_get_init_creds_password(krbt gt/STUDENT.UNI-TUEBINGEN.DE.DE) returned 0 (Success) Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: got result 0 (Success) Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: account checks fail for 'zxmoo46.DE': user disallowed by .k5login file for 'zxmoo46' Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: authentication fails for 'zxmoo46' (zxmoo46.DE): Permission denied (Success) Nov 8 22:30:23 sshd[11275]: pam_krb5[11275]: pam_authenticate returning 6 (Permission denied) Nov 8 22:30:26 sshd[11275]: debug1: PAM: password authentication failed for zxmoo46: Authentication failure [...] And with knowing that, if I read the man page, it actually says why I have this problem - it says it'll use the uid of the user run under with no_user_check, and it also states it expects .k5login to be readable :/. Sorry for not noticing. The thing is, no user has a .k5login, but local root may not enter /home/$ANYUSER. Do I really have to add acls for user:root to all home directories? I'd rather not. I'd be nice if I could just disable the .k5login check, or the establish credential pam phase (as session setup works fine if left alone). I'm very confused by this -- I keep my home directory in AFS specifically so that I can catch this stuff, and it's not supposed to fail like that. Is there any chance your user has a ~/.k5login.d directory? Heimdal supports that as well. Nope, I'm seeing this here now that I build with Heimdal, too. The Kerberos library is getting an EACCES error trying to read the user's .k5login file and returning a failure, because it doesn't know that the file doesn't exist. Created attachment 253501 [details]
patch for 2.2.20 which fetches tokens before calling krb5_kuserok()
Can you try adding the attached patch to 2.2.20? It should ensure that the
module has tokens for the user before attempting to call krb5_kuserok(), so
that the module will be able to correctly handle whether or not the user has a
.k5login file. If it's a success, I'll add it for 2.2.21.
Yes, this works indeed (without "no_user_check")! Log looks good, too. I assume this still has the side effect that users without homedir (or with the wrong ACLs on it) can't log in? Thanks for the fast response! I'd mark this as fixed, but your bugzie doesn't seem to work like that... :-) I haven't verified this, but that sounds like what would happen -- getting tokens prevents EACCES when the user's tokens are sufficient for access to the user's home directory, but if the ACLs are set to deny the user access anyway, I think that error would still occur. I'm going to roll that new release, and then close as resolved in Raw Hide. Thanks! |