Bug 747015

Summary: Implementing PAM Authentication with kerberos needs to specify 'realm' within the /etc/pam.d/rhn-satellite
Product: Red Hat Satellite 5
Reporter: Ricky Nelson <rnelson>
Component: Docs Installation Guide
Assignee: Lana Brindley <lbrindle>
Status: CLOSED DUPLICATE
QA Contact: ecs-bugs
Severity: low
Priority: low
Version: 541
CC: cperry, mhideo
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-10-26 00:50:05 UTC
Bug Blocks: 715343

Description Ricky Nelson 2011-10-18 15:12:15 UTC
Description of problem:
When following '8.10 Implementing PAM Authentication' from the Satellite 5.4 installation guide, the following example is given to show authentication against Kerberos:

==========
As an example, for a Red Hat Enterprise Linux 5 i386 system, to authenticate against Kerberos one could put the following in /etc/pam.d/rhn-satellite:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check
==========

However, the above entries do not allow authentication against Kerberos to function. Authentication fails with a check against the 'EXAMPLE.COM' realm instead of what is specified within /etc/krb5.conf.

If you specify the 'realm' on the 'auth' and 'account' lines though, authentication is successful through the correct realm.

Version-Release number of selected component (if applicable):
5.4.1

How reproducible:
Follow the installation guide

Actual results:
When looking at /var/log/secure after an attempt to log in to the Satellite Web UI:

Oct 17 09:33:35 hostname IBM Java[4935]: pam_krb5[4935]: authentication fails for 'username' (username): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)


Expected results:
After specifying 'realm', within /var/log/secure:

Oct 18 16:33:47 hostname IBM Java[19225]: pam_krb5[19225]: TGT verified
Oct 18 16:33:47 hostname IBM Java[19225]: pam_krb5[19225]: authentication succeeds for 'username' (username@:YOUR.DOMAIN.COM)
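
An added example, not part of the original report or the Satellite guide: a shell check that lists the pam_krb5.so lines in a PAM service file that carry no realm= option, and reads default_realm from krb5.conf for comparison. The sample files are constructed; the option form `realm=REALM` is an assumption (the report only says to specify 'realm'), and YOUR.DOMAIN.COM is the placeholder realm taken from the log line above.

```shell
#!/bin/sh
# Added example. Flags pam_krb5.so lines that carry no realm= option.

# Print "<line number>:<PAM type>" for each pam_krb5.so line without realm=.
krb5_lines_missing_realm() {   # $1 = PAM service file
    awk '
        $1 ~ /^#/ { next }                      # comment or #%PAM-1.0 header
        {
            mod = 0; realm = 0
            for (i = 2; i <= NF; i++) {
                if ($i ~ "(^|/)pam_krb5[.]so$") mod = 1
                if ($i ~ "^realm=.")            realm = 1
            }
            if (mod && !realm) print NR ":" $1
        }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
default_realm() {              # $1 = krb5.conf path
    awk '
        $1 ~ /^\[/ { lib = ($1 == "[libdefaults]"); next }
        lib {
            line = $0; gsub(/[ \t]/, "", line)
            # 14 characters in "default_realm=", so the value starts at 15
            if (line ~ /^default_realm=/) { print substr(line, 15); exit }
        }' "$1"
}

# Constructed sample files (assumed contents, written to a temp dir).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT
cat > "$sample_dir/guide" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check
EOF
# "fixed" = the guide file with realm= (assumed option form) on each pam_krb5 line
sed '/pam_krb5/s/$/ realm=YOUR.DOMAIN.COM/' "$sample_dir/guide" > "$sample_dir/fixed"
printf '[libdefaults]\n default_realm = YOUR.DOMAIN.COM\n' > "$sample_dir/krb5.conf"

echo "guide file, pam_krb5 lines without realm=:"
krb5_lines_missing_realm "$sample_dir/guide"
echo "fixed file, pam_krb5 lines without realm=:"
krb5_lines_missing_realm "$sample_dir/fixed"
echo "default_realm in krb5.conf: $(default_realm "$sample_dir/krb5.conf")"
```

To check a real host, call the two functions on /etc/pam.d/rhn-satellite and /etc/krb5.conf instead of the sample files.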