Bug 79853
| Summary: | updated pam_krb5 does not allow logins on console. | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 3 | Reporter: | Stephen John Smoogen <smooge> |
| Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | 3.0 | ||
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2004-02-24 19:07:39 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
While I know no one seems to be reading these bug reports :)... I figured out what the problem is: authconfig puts in a line for /etc/pam.d/system-auth that does not seem to work in our Kerberos environment. account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so This central part is causing our root logins to fail and our current fix is to install a patched version that doesnt have this line in it. Hmm. Setting the module to "sufficient" has the same effect as removing the check completely (because a "required" module has already succeeded at that point, libpam will ignore the failure code returned by pam_krb5 if it is marked "sufficient"). Do your users have principals in Kerberos? What error messages are you getting from pam_krb5 when login fails? |
From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Mozilla 4.79; X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513 Description of problem: After applying all updates to a 7.3 and 8.0 machine we are not able to log into the virtual consoles other than X. All logins except root are compared against kerberos database using onetime keys from a cryptocard. Neither these nor root accounts seem to be able to login. After much head banging on my part, a co-worker made some changes to /etc/pam.d/system-auth and logins were allowed again. The line seems to be the following: account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so changing this to "required" allowed non-root accounts to log in, but not the root account. Making the final change to "sufficient" allowed for all accounts to log in via console. Version-Release number of selected component (if applicable): How reproducible: Always Steps to Reproduce: 1. update machine to latest RPMS 2. run authconfig 3. watch people not login Additional info: While we have a workaround, we are not sure it is the best thing since it is breaking the 'way things were setup by Red Hat tools'.