Bug 742938

Summary: cannot add the first user from kerberos due to "missing pam_krb5.so"
Product: [Fedora] Fedora
Component: pam_krb5
Version: 15
Hardware: x86_64
OS: Linux
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Reporter: Itamar Heim <iheim>
Assignee: Nalin Dahyabhai <nalin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: nalin, sgallagh, tmraz
Doc Type: Bug Fix
Last Closed: 2012-08-07 13:27:46 EDT

Description Itamar Heim 2011-10-03 08:41:29 EDT
Description of problem:
1. Booted F15 from live CD
2. Installed to disk
3. During install, was asked for first user - tried to configure a Kerberos user
4. Got an error of missing pam_krb5.so

Either support Kerberos, or disable the option if pam_krb5.so is missing.

Version-Release number of selected component (if applicable):
Fedora 15

How reproducible:
I only installed F15 once, but I assume fully.

Steps to Reproduce:
1. Try to set up the first user during F15 install as a Kerberos user

Actual results:


Expected results:


Additional info:

Comment 1 Tomas Mraz 2011-10-03 09:45:28 EDT
I'd say that pam_krb5 should be added to comps.xml (or wherever liveCD contents are defined) at the appropriate place so it gets included on live CD installs. That is if the setting in Authconfig was: User Identity - Local, Authentication - Kerberos.

The other option would be - if SSSD now allows creating domains with local user identity and kerberos authentication - to modify authconfig to use SSSD also in this case.

Comment 2 Stephen Gallagher 2011-10-03 09:56:33 EDT
Itamar, please describe in greater detail what you mean by "was asked for first user - tried to configure a kerberos user".

We need to know how you tried setting this up. Did you go to "Configure network authentication"?

Tomas, right now you can't select local users and kerberos auth at the same time in authconfig-gtk (which makes perfect sense, since it's not a very useful case). So I assume Itamar must have selected LDAP, FreeIPA or NIS. In the case of NIS, we *would* be deferring to pam_krb5.so (since SSSD doesn't currently support NIS for identity).

Itamar, what "User Account Database" did you select? If it was FreeIPA, I wonder if authconfig isn't handling that properly. Also, please be aware that this isn't a FreeIPA v2 enrollment. This is compatibility with FreeIPA v1 (which v2 is backwards-compatible with). We're going to be adding a FreeIPA v2 enrollment feature in the future.

Comment 3 Itamar Heim 2011-10-03 11:24:31 EDT
OK - I tried to reproduce (took the time to install a new guest with F15).
I could only reproduce this behaviour when checking the "use dns to resolve hosts to realms" option.
(Didn't get the Kerberos login to work anyway, configured it later manually.)

Comment 4 Stephen Gallagher 2011-10-03 11:30:58 EDT
Ah ok. The "use dns to resolve hosts to realms" option is not supported by SSSD at this time (in part because it's a big security vulnerability). So by setting that, authconfig would be falling back to configuring pam_krb5.so.

So this is probably a bug in comps.xml. pam_krb5.so should probably be included in the default install.
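
The failure discussed in this report, a PAM stack that names pam_krb5.so while the module file is not installed, can be checked for directly. The following is an added example, not code from authconfig or from anyone in this thread; the function names and sample files are constructed, and it assumes that the "use dns to resolve hosts to realms" checkbox corresponds to `dns_lookup_realm` in krb5.conf.

```python
import re
import tempfile
from pathlib import Path

def pam_modules(text):
    """Yield the module field of each mandatory rule in a pam.d-style file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        # Rule: type control module [args]; control may be "[a=b c=d]".
        # "-type" rules (module may be absent by design) do not match \w+.
        m = re.match(r"\w+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        # include/substack name another service file, not a module.
        if m and m.group(1) not in ("include", "substack"):
            yield m.group(2)

def missing_modules(pam_dir, module_dirs):
    """Return sorted (service, module) pairs whose module file is absent."""
    missing = set()
    for f in sorted(Path(pam_dir).iterdir()):
        if f.is_file():
            for mod in pam_modules(f.read_text()):
                # An absolute module path replaces the directory in the join.
                if not any((Path(d) / mod).exists() for d in module_dirs):
                    missing.add((f.name, mod))
    return sorted(missing)

def dns_realm_lookup_enabled(krb5_conf):
    """True if krb5.conf text sets dns_lookup_realm to a true value."""
    m = re.search(r"^\s*dns_lookup_realm\s*=\s*(\S+)", krb5_conf, re.M)
    return bool(m) and m.group(1).lower() in {"true", "yes", "on", "1"}

def demo():
    """Constructed sample: a stack that names pam_krb5.so, which is absent."""
    with tempfile.TemporaryDirectory() as root:
        pam_d, sec = Path(root, "pam.d"), Path(root, "security")
        pam_d.mkdir()
        sec.mkdir()
        (sec / "pam_unix.so").touch()
        (pam_d / "system-auth").write_text(
            "auth sufficient pam_unix.so nullok\n"
            "auth [success=1 default=ignore] pam_krb5.so\n"
            "-session optional pam_systemd.so  # may be absent\n"
            "account include password-auth\n")
        krb5 = "[libdefaults]\n dns_lookup_realm = true\n"
        return missing_modules(pam_d, [sec]), dns_realm_lookup_enabled(krb5)

if __name__ == "__main__":
    print(demo())  # on a real host: missing_modules("/etc/pam.d", [...])
```

On an installed system, pass `/etc/pam.d` and the host's PAM module directory; `/lib64/security` or `/usr/lib64/security` on x86_64 Fedora is an assumption to verify locally.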

Comment 5 Tomas Mraz 2011-10-03 12:37:10 EDT
I wonder whether we shouldn't drop this option from the authconfig GUI altogether and leave it only in the command line ui.

Comment 6 Fedora End Of Life 2012-08-07 13:27:48 EDT
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.

Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.

The process we are following is described here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping