Red Hat Bugzilla – Full Text Bug Listing
| Summary: | cannot add the first user from kerberos due to "missing pam_krb5.so" |
| Product: | [Fedora] Fedora | Reporter: | Itamar Heim <iheim> |
| Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Version: | 15 | CC: | nalin, sgallagh, tmraz |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Last Closed: | 2012-08-07 13:27:46 EDT | Type: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Description Itamar Heim 2011-10-03 08:41:29 EDT
Description of problem:
1. booted F15 from live CD
2. installed to disk
3. during install, was asked for first user - tried to configure a Kerberos user
4. got an error of missing pam_krb5.so

Either support Kerberos, or disable the option if pam_krb5.so is missing.

Version-Release number of selected component (if applicable):
fedora 15

How reproducible:
I only installed F15 once, but I assume fully.

Steps to Reproduce:
1. try to set up the first user during F15 install as a Kerberos user

Actual results:

Expected results:

Additional info:
Comment 1 Tomas Mraz 2011-10-03 09:45:28 EDT
I'd say that pam_krb5 should be added to comps.xml (or wherever the liveCD contents are defined) at the appropriate place so it gets included on live CD installs. That is if the setting in Authconfig was: User Identity - Local, Authentication - Kerberos.

The other option would be - if SSSD now allows creating domains with local user identity and kerberos authentication - to modify authconfig to use SSSD also in this case.
Comment 2 Stephen Gallagher 2011-10-03 09:56:33 EDT
Itamar, please describe in greater detail what you mean by "was asked for first user - tried to configure a kerberos user". We need to know how you tried setting this up. Did you go to "Configure network authentication"?

Tomas, right now you can't select local users and kerberos auth at the same time in authconfig-gtk (which makes perfect sense, since it's not a very useful case). So I assume Itamar must have selected LDAP, FreeIPA or NIS. In the case of NIS, we *would* be deferring to pam_krb5.so (since SSSD doesn't currently support NIS for identity).

Itamar, what "User Account Database" did you select? If it was FreeIPA, I wonder if authconfig isn't handling that properly. Also, please be aware that this isn't a FreeIPA v2 enrollment. This is compatibility with FreeIPA v1 (which v2 is backwards-compatible with). We're going to be adding a FreeIPA v2 enrollment feature in the future.
Comment 3 Itamar Heim 2011-10-03 11:24:31 EDT
OK - I tried to reproduce (took the time to install a new guest with F15). I could only reproduce this behaviour when checking the "use dns to resolve hosts to realms" (didn't get the kerberos login to work anyway, configured it later manually)
Comment 4 Stephen Gallagher 2011-10-03 11:30:58 EDT
Ah ok. The "use dns to resolve hosts to realms" option is not supported by SSSD at this time (in part because it's a big security vulnerability). So by setting that, authconfig would be falling back to configuring pam_krb5.so. So this is probably a bug in comps.xml. pam_krb5.so should probably be included in the default install.
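
A defensive check for the two conditions Comment 4 describes (realm lookup via DNS enabled, and a PAM stack that points at a pam_krb5.so that is not installed), added here as an example and not posted by anyone in this bug. It assumes the GUI option corresponds to `dns_lookup_realm` in the `[libdefaults]` section of krb5.conf; the function names and the sample configuration are constructed for illustration.

```python
import re

TRUE_VALUES = {"true", "yes", "on", "1", "t", "y"}  # spellings treated as true here
PAM_LINE = re.compile(r"^\s*-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def dns_lookup_realm_enabled(krb5_conf):
    """True if [libdefaults] sets dns_lookup_realm to a true value (first hit is used)."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            if key == "dns_lookup_realm":
                return value in TRUE_VALUES
    return False  # unset is treated as disabled

def pam_modules(pam_conf):
    """Module file names referenced by a PAM stack (include/substack lines skipped)."""
    modules = set()
    for raw in pam_conf.splitlines():
        m = PAM_LINE.match(raw.split("#", 1)[0])
        if m and m.group(2) not in ("include", "substack"):
            modules.add(m.group(3).rsplit("/", 1)[-1])
    return modules

def audit(krb5_conf, pam_conf, installed):
    """Findings for the two conditions discussed in this bug."""
    findings = []
    if dns_lookup_realm_enabled(krb5_conf):
        findings.append("krb5.conf: dns_lookup_realm is enabled")
    for mod in sorted(pam_modules(pam_conf) - set(installed)):
        findings.append(f"PAM stack references {mod}, which is not installed")
    return findings

# Constructed sample input, not taken from the reporter's system.
SAMPLE_KRB5 = """[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = true
"""
SAMPLE_PAM = """auth     sufficient  pam_unix.so nullok try_first_pass
auth     sufficient  pam_krb5.so use_first_pass
account  [default=bad success=ok user_unknown=ignore] pam_krb5.so
auth     required    pam_deny.so
"""
INSTALLED = {"pam_unix.so", "pam_deny.so"}
FINDINGS = audit(SAMPLE_KRB5, SAMPLE_PAM, INSTALLED)
```

In real use, `installed` would be the file names found in the system's PAM module directory, and the two text arguments the contents of krb5.conf and the PAM service file being checked.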
Comment 5 Tomas Mraz 2011-10-03 12:37:10 EDT
I wonder whether we shouldn't drop this option from the authconfig GUI altogether and leave it only in the command line ui.
Comment 6 Fedora End Of Life 2012-08-07 13:27:48 EDT
This message is a notice that Fedora 15 is now at end of life. Fedora has stopped maintaining and issuing updates for Fedora 15. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At this time, all open bugs with a Fedora 'version' of '15' have been closed as WONTFIX.

(Please note: Our normal process is to give advance warning of this occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, feel free to reopen this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that we were unable to fix it before Fedora 15 reached end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to click on "Clone This Bug" (top right of this page) and open it against that version of Fedora.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping