Bug 751862

Summary: SSO: Kerberos user logged in with a smartcard su to another user requests for current user smart card pin.
Product: Red Hat Enterprise Linux 6
Reporter: Asha Akkiangady <aakkiang>
Component: pam_krb5
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: unspecified
Priority: unspecified
Version: 6.2
CC: aakkiang, dpal, jhrozek, jmagne, prc, rpattath
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2015-10-28 19:30:14 UTC

Description Asha Akkiangady 2011-11-07 20:21:34 UTC
Description of problem:
SSO: Kerberos user logged in with a smartcard su to another user requests for current user smart card pin.

Version-Release number of selected component (if applicable):
pam_krb5-2.3.11-9.el6.x86_64
pam_pkcs11-0.6.2-11.1.el6.x86_64

How reproducible:


Steps to Reproduce:
Desktop is configured to login with a smartcard and kerberos authentication.

1. A Kerberos user logged into the desktop with a smart card tries to su to another Kerberos user (authentication is configured with enforce smart card OFF or ON); the system requests a password, and upon entering the correct Kerberos password a smart card PIN is requested.

Configuration:

# cat /etc/pam.d/su-l
#%PAM-1.0
auth		include		su
account		include		su
password	include		su
session		optional	pam_keyinit.so force revoke
session		include		su

# cat /etc/pam.d/su
#%PAM-1.0
auth		sufficient	pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth		sufficient	pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth		required	pam_wheel.so use_uid
auth		include		system-auth
account		sufficient	pam_succeed_if.so uid = 0 use_uid quiet
account		include		system-auth
password	include		system-auth
session		include		system-auth
session		optional	pam_xauth.so

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

/var/log/messages when doing su to another Kerberos user with a correct Kerberos password and an incorrect smart card PIN:

Nov  7 11:39:06 dhcp231-57 pcscd: winscard.c:362:SCardConnect() Card Not Inserted
Nov  7 11:39:06 dhcp231-57 pcscd: utils.c:146:StatSynchronize() Can't remove /var/run/pcscd.events/event.8492.16994374: No such file or directory
Nov  7 11:39:06 dhcp231-57 pcscd: utils.c:146:StatSynchronize() Can't remove /var/run/pcscd.events/event.8514.17038716: No such file or directory
Nov  7 11:39:06 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:06 dhcp231-57 pcscd: utils.c:146:StatSynchronize() Can't remove /var/run/pcscd.events/event.8492.16994374: No such file or directory
Nov  7 11:39:06 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:06 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:06 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:07 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:07 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:08 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:08 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:08 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:09 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:09 dhcp231-57 pcscd: winscard.c:362:SCardConnect() Card Not Inserted
Nov  7 11:39:16 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:16 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:18 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:19 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:20 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:22 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:23 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:24 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:25 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:27 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:28 dhcp231-57 pcscd: openct/proto-t1.c:487:t1_transceive() CT sent S-block with wtx=1
Nov  7 11:39:29 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:29 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:29 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
Nov  7 11:39:29 dhcp231-57 pcscd: ifdhandler.c:1091:IFDHTransmitToICC() usb:04e6/e001:libhal:/org/freedesktop/Hal/devices/usb_device_4e6_e001_21120612212405_if0 (lun: 10000)
  
Actual results:

Providing a correct or incorrect PIN lets the user switch to the new user's profile.

This could be a configuration problem; DEV, please guide us on how to set up the correct configuration.

Expected results:

It should not request a smart card PIN when the correct Kerberos password is entered.

Comment 2 Nalin Dahyabhai 2011-11-07 21:10:06 UTC
Some line numbers to make things easier to reference:

 1 auth required      pam_env.so
 2 auth [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
 3 auth [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
 4 auth optional      pam_krb5.so use_first_pass no_subsequent_prompt
 5 auth sufficient    pam_permit.so
 6 auth sufficient    pam_fprintd.so
 7 auth sufficient    pam_unix.so nullok try_first_pass
 8 auth requisite     pam_succeed_if.so uid >= 500 quiet
 9 auth sufficient    pam_krb5.so use_first_pass
10 auth required      pam_deny.so

Because the service name is "su" or "su-l", pam_succeed_if on line 2 succeeds and we jump to line 6.
On line 6, I assume pam_fprintd fails.
On line 7, pam_unix prompts for the password, authentication fails.  Is this logged to /var/log/secure?
On line 8, pam_succeed_if succeeds, so execution continues.
On line 9, the KDC offers PKINIT preauthentication, so pam_krb5 prompts for the PIN.

If pam_krb5 is not supposed to be prompting for a PIN, the no_subsequent_prompt option will cause it to suppress the PIN prompts and fall back to using password-based authentication if the KDC offers it, and if I'm reading things right, that's the behavior that's wanted here.
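
The stack walk described in this comment, as an added example that is not part of the bug report or of Linux-PAM: a small Python model of the control-flag semantics from pam.conf(5), run over the system-auth 'auth' lines quoted above. The module outcomes it feeds in (fingerprint and password failing, pam_krb5 on line 9 succeeding, pam_pkcs11 returning PAM_IGNORE when no card is present) are assumptions, as is the target uid of 512 from the log.

```python
"""Teaching model of how Linux-PAM walks the 'auth' stack quoted in this bug, following
the control-flag semantics in pam.conf(5). Assumption: an added illustration, not
Linux-PAM's dispatch code; module return codes come from the caller, no real module runs."""
import re
# The report's /etc/pam.d/system-auth 'auth' lines, in their original order.
SYSTEM_AUTH = """
auth required      pam_env.so
auth [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
auth optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient    pam_permit.so
auth sufficient    pam_fprintd.so
auth sufficient    pam_unix.so nullok try_first_pass
auth requisite     pam_succeed_if.so uid >= 500 quiet
auth sufficient    pam_krb5.so use_first_pass
auth required      pam_deny.so
"""
KEYWORDS = {  # keyword controls as the bracketed form pam.conf(5) equates them to
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\w+)\s+(\S+)[ \t]*(.*)$", re.M)

def parse_auth_stack(text):
    """Return [(actions, module, args)] for every 'auth' line in text."""
    stack = []
    for ctl, module, args in LINE_RE.findall(text):
        actions = (dict(t.split("=", 1) for t in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((actions, module, args.split()))
    return stack

def run_stack(stack, outcome):
    """Walk the stack; outcome(module, args) returns the module's code ('success',
    'auth_err', 'authinfo_unavail', 'ignore', ...). Returns (final status, lines run)."""
    status, failed, trace, i = None, False, [], 0  # status None == undecided
    while i < len(stack):
        actions, module, args = stack[i]
        code = outcome(module, args)
        trace.append(i + 1)
        action = actions.get(code, actions.get("default", "bad"))  # unmatched => bad
        skip = int(action) if action.isdigit() else 0  # 'N' means 'ok' plus jump N
        if skip or action in ("ok", "done"):
            # Overrides the running status only while undecided/successful; PAM_IGNORE never does.
            if code != "ignore" and not failed and status in (None, "success"):
                status = code
            if action == "done" and not failed and status == "success":
                return status, trace  # 'sufficient' short-circuits the stack
        elif action in ("bad", "die"):
            if not failed:  # the first failure's code is the one reported
                failed, status = True, code
            if action == "die":
                return status, trace  # 'requisite' stops right here
        i += 1 + skip  # 'ignore' falls through; a jump skips the next N lines
    return (status if status is not None else "perm_denied"), trace

def make_outcome(service, target_uid, module_codes):
    """Evaluate pam_succeed_if's own tests; other modules come from a table."""
    def outcome(module, args):
        if module == "pam_succeed_if.so" and args[:2] == ["service", "notin"]:
            return "success" if service not in args[2].split(":") else "auth_err"
        if module == "pam_succeed_if.so" and args[:2] == ["uid", ">="]:
            return "success" if target_uid >= int(args[2]) else "auth_err"
        return module_codes.get(module, "auth_err" if module == "pam_deny.so" else "success")
    return outcome

def trace_service(service, card_inserted=False, target_uid=512):
    """Run the report's stack for one service. Fingerprint and pam_unix fail as in comment 2
    and pam_krb5 on line 9 succeeds; without a card pam_pkcs11 is assumed to return PAM_IGNORE."""
    codes = {"pam_pkcs11.so": "success" if card_inserted else "ignore",
             "pam_fprintd.so": "authinfo_unavail", "pam_unix.so": "auth_err"}
    return run_stack(parse_auth_stack(SYSTEM_AUTH), make_outcome(service, target_uid, codes))
```

For "su-l" the model runs lines 1, 2, 6, 7, 8, 9 and returns success, which is the path this comment describes; for "gdm" with a card it stops at line 5, and without one the ignore=2 jump lands on line 6.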

Comment 3 Asha Akkiangady 2011-11-08 15:46:56 UTC
Here are the /var/log/secure messages:

Nov  8 10:45:55 dhcp231-57 su: pam_unix(su-l:auth): authentication failure; logname=usernonhome uid=511 euid=0 tty=pts/0 ruser=usernonhome rhost=  user=kdcuser
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: debug
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flags: forwardable
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: no ignore_afs
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: no null_afs
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: cred_session
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: user_check
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: no krb4_convert
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: krb4_convert_524
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: krb4_use_as_req
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: will try previously set password first
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: will let libkrb5 ask questions
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: no use_shmem
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: no external
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: multiple_ccaches
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: validate
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: flag: warn
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: ticket lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: renewable lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: banner: Kerberos 5
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: ccache dir: /tmp
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: keytab: FILE:/etc/krb5.keytab
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: token strategy: v4,524,2b,rxk5
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: called to authenticate 'kdcuser', realm 'DSDEV.SJC.REDHAT.COM'
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: authenticating 'kdcuser.REDHAT.COM'
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: trying previously-entered password for 'kdcuser', allowing libkrb5 to prompt for more
Nov  8 10:45:55 dhcp231-57 su: pam_krb5[5724]: authenticating 'kdcuser.REDHAT.COM' to 'krbtgt/DSDEV.SJC.REDHAT.COM.REDHAT.COM'
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: krb5_get_init_creds_password(krbtgt/DSDEV.SJC.REDHAT.COM.REDHAT.COM) returned 0 (Success)
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: validating credentials
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: TGT verified
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: got result 0 (Success)
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5728]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0' for internal use
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5728]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0" to "FILE:/tmp/krb5cc_512_3diKWP" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0"
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5728]: created v5 ccache 'FILE:/tmp/krb5cc_512_B4NebZ' for 'kdcuser'
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5728]: krb5_kuserok() says 1
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5728]: removing ccache 'FILE:/tmp/krb5cc_512_B4NebZ'
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5728]: destroyed ccache 'FILE:/tmp/krb5cc_512_B4NebZ'
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: 'kdcuser.REDHAT.COM' passes .k5login check for 'kdcuser'
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: authentication succeeds for 'kdcuser' (kdcuser.REDHAT.COM)
Nov  8 10:46:13 dhcp231-57 su: pam_krb5[5724]: pam_authenticate returning 0 (Success)
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: debug
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flags: forwardable
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: no ignore_afs
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: no null_afs
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: cred_session
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: user_check
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: no krb4_convert
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: krb4_convert_524
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: krb4_use_as_req
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: will try previously set password first
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: will ask for a password if that fails
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: will let libkrb5 ask questions
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: no use_shmem
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: no external
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: multiple_ccaches
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: validate
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: flag: warn
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: ticket lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: renewable lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: banner: Kerberos 5
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: ccache dir: /tmp
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: keytab: FILE:/etc/krb5.keytab
Nov  8 10:46:14 dhcp231-57 su: pam_krb5[5724]: token strategy: v4,524,2b,rxk5
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5724]: account management succeeds for 'kdcuser'
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5731]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0' for internal use
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5731]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0" to "FILE:/tmp/krb5cc_512_HMj9et" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0"
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5731]: created v5 ccache 'FILE:/tmp/krb5cc_512_GeYJgx' for 'kdcuser'
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5731]: krb5_kuserok() says 1
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5731]: removing ccache 'FILE:/tmp/krb5cc_512_GeYJgx'
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5731]: destroyed ccache 'FILE:/tmp/krb5cc_512_GeYJgx'
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5724]: 'kdcuser.REDHAT.COM' passes .k5login check for 'kdcuser'
Nov  8 10:46:15 dhcp231-57 su: pam_krb5[5724]: pam_acct_mgmt returning 0 (Success)
Nov  8 10:46:16 dhcp231-57 su: pam_unix(su-l:session): session opened for user kdcuser by usernonhome(uid=511)
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: debug
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flags: forwardable
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no ignore_afs
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no null_afs
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: cred_session
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: user_check
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no krb4_convert
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: krb4_convert_524
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: krb4_use_as_req
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: will try previously set password first
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: will ask for a password if that fails
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: will let libkrb5 ask questions
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no use_shmem
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no external
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: multiple_ccaches
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: validate
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: warn
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: ticket lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: renewable lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: banner: Kerberos 5
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: ccache dir: /tmp
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: keytab: FILE:/etc/krb5.keytab
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: token strategy: v4,524,2b,rxk5
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: creating v5 ccache for 'kdcuser', uid=512, gid=500
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0' for internal use
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0" to "FILE:/tmp/krb5cc_512_oe4s5y" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-0"
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: created v5 ccache 'FILE:/tmp/krb5cc_512_y43yuF' for 'kdcuser'
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: pam_sm_open_session returning 0 (Success)
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: debug
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flags: forwardable
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no ignore_afs
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no null_afs
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: cred_session
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: user_check
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no krb4_convert
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: krb4_convert_524
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: krb4_use_as_req
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: will try previously set password first
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: will let libkrb5 ask questions
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no use_shmem
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: no external
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: multiple_ccaches
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: validate
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: flag: warn
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: ticket lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: renewable lifetime: 86400s (1d,0h,0m,0s)
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: banner: Kerberos 5
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: ccache dir: /tmp
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: ccname template: FILE:%d/krb5cc_%U_XXXXXX
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: keytab: FILE:/etc/krb5.keytab
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: token strategy: v4,524,2b,rxk5
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: creating v5 ccache for 'kdcuser', uid=512, gid=500
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: saving v5 credentials to 'MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-1' for internal use
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: copied credentials from "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-1" to "FILE:/tmp/krb5cc_512_p17vG7" for the user, destroying "MEMORY:_pam_krb5_tmp_s_kdcuser.REDHAT.COM-1"
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: created v5 ccache 'FILE:/tmp/krb5cc_512_ZlsIav' for 'kdcuser'
Nov  8 10:46:16 dhcp231-57 su: pam_krb5[5724]: pam_setcred(PAM_ESTABLISH_CRED) returning 0 (Success)

Comment 4 Nalin Dahyabhai 2011-11-08 17:18:26 UTC
Okay, so things appear to be working as the configuration sets them up to work...?

Comment 5 Asha Akkiangady 2011-11-08 19:09:44 UTC
/etc/pam.d/system-auth with the following configuration does not prompt for a smart card PIN; a correct Kerberos password lets the user switch to a new user profile.

 1 auth required      pam_env.so
 2 auth [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
 3 auth [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so card_only
 4 auth optional      pam_krb5.so use_first_pass no_subsequent_prompt
 5 auth sufficient    pam_permit.so
 6 auth sufficient    pam_fprintd.so
 7 auth sufficient    pam_unix.so nullok try_first_pass
 8 auth requisite     pam_succeed_if.so uid >= 500 quiet
 9 auth sufficient    pam_krb5.so use_first_pass no_subsequent_prompt
10 auth required      pam_deny.so

Why not have "no_subsequent_prompt" in line 9 by default? It really does not care whether the smart card PIN is right or wrong.

Comment 6 Nalin Dahyabhai 2011-11-08 19:20:36 UTC
If system-auth is intended to allow the calling application to use a smart card there, then that will prevent it from working in that way.  I'd suggest refraining from setting a 'pkinit_identities=...' value in /etc/krb5.conf, and passing it in as a 'preauth_options=X509_user_identity=...' option in cases where the PAM configuration is expected to use a smart card.

Comment 7 RHEL Program Management 2012-07-10 08:16:40 UTC
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.

Comment 8 RHEL Program Management 2012-07-11 01:53:04 UTC
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.

Comment 9 RHEL Program Management 2012-09-07 05:31:36 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.

Comment 10 Karel Srot 2015-10-14 14:56:14 UTC
Is this still an issue?

Comment 11 Roshni 2015-10-28 19:30:14 UTC
Failed to reproduce the issue on RHEL 6.7; not using pkinit_identities anymore, instead using X509_user_identity as explained in comment 6. Closing the bug.