Bug 538703

Summary: ksu doesn't work
Product: [Fedora] Fedora Reporter: Scott Schmit <i.grok>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 12CC: nalin, oliver
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: 1.7-10.fc12 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-12-04 19:00:03 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description Scott Schmit 2009-11-19 01:03:45 EST
Description of problem:
ksu doesn't work, even when (apparently) configured correctly (as compared to a Fedora 11 machine).

Version-Release number of selected component (if applicable):

How reproducible:
always, until workaround applied (see below)

Steps to Reproduce: (this is a minimalized case to allow for strace, the actual combination of source and destination user/principal doesn't really matter)
1. Fresh install
2. add realm / krb server config to /etc/krb5.conf
3. add host/<hostname> key to /etc/krb5.keytab
4. make sure that /etc/hosts is set in such a way that krb will pick up the right host principal
5. populate destination user .k5login with desired principal
6. as destination user: kinit as that principal
7. run ksu from the destination user to the destination user (feel free to adjust 5-7 to be more normal, I just ended with this to remove every variable I could think of)

Actual results:
ksu says everything is ok (authentication/authorization successful), then reports that access is denied and refuses to switch user.
/var/log/messages, /var/log/secure, /var/log/krb5kdc.log (on krb server) all report that ksu/kerberos authenticated/authorized the user successfully, no errors to report.

Expected results:
ksu changes your uid to the new user without error

Additional info:
It turns out that this is a problem in the PAM config: if I symlink su to ksu, ksu works. However, looking at my setup on an F11 box, this file doesn't exist, so it apparently wasn't required. Quite surprising and non-intuitive. I don't see anything in the RPM changelog to indicate that breaking ksu was deliberate (and I certainly hope it wasn't), so I'm pretty sure this is a bug. I imagine that either the symlink (or equivalent) needs to be added, or whatever other change that caused this should be reverted.
Comment 1 Nalin Dahyabhai 2009-11-20 10:54:22 EST
You're correct.  When I pulled up the patch to add PAM account and session management to ksu, I must have forgotten to add the PAM configuration.
Comment 2 Nalin Dahyabhai 2009-11-20 10:56:28 EST
Or rather, the PAM config was put into the krb5-workstation-servers package along with the rest of the ones that were already provided, rather than in krb5-workstation with ksu itself.  Mistake either way.
Comment 3 Fedora Update System 2009-11-20 11:37:27 EST
krb5-1.7-10.fc12 has been submitted as an update for Fedora 12.
Comment 4 Fedora Update System 2009-11-24 02:59:28 EST
krb5-1.7-10.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update krb5'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12018
Comment 5 Fedora Update System 2009-12-04 18:59:59 EST
krb5-1.7-10.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.