Bug 1006191 - RFE: authconfig should be able to configure winbind authentication over krb5
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
Version: 7.0
Hardware: Unspecified
OS: Unspecified
high
medium
Target Milestone: beta
Assignee: Tomas Mraz
QA Contact: David Spurek
Depends On: 1005422
Blocks: 991169
Reported: 2013-09-10 07:52 UTC by Andreas Schneider
Modified: 2015-03-02 05:28 UTC (History)

Fixed In Version: authconfig-6.2.8-1.el7
Doc Type: Rebase: Bug Fixes and Enhancements
Last Closed: 2014-06-13 11:22:26 UTC



Description Andreas Schneider 2013-09-10 07:52:35 UTC
Description of problem:

With the change of the default location of the KRB5 credential cache we have added KEYRING as a value for the option 'krb5_ccache_type' in the pam_winbind.conf file.

    krb5_ccache_type = KEYRING

As authconfig is setting or changing this variable we need to update it to reflect the change in the system default.

Comment 2 Tomas Mraz 2013-09-11 10:54:45 UTC
Nope, authconfig does not change or set the krb5_ccache_type value in any way.
Also it does not touch pam_winbind.conf at all.

It writes winbind configuration to smb.conf.

Comment 3 Andreas Schneider 2013-09-11 11:40:13 UTC
Really? Oh, cause for

authconfig --enablewinbindoffline

you need to set

  cached_login = yes

in /etc/security/pam_winbind.conf.

This needs probably to be fixed and we should add an option:

authconfig --enablewinbindkrb5

which sets in smb.conf:

  kerberos method = secrets and keytab

and in pam_winbind.conf:

  krb5_auth = yes
  krb5_ccache_type = KEYRING

Comment 4 Andreas Schneider 2013-09-13 07:31:07 UTC
Should I create another bug for the cached login stuff or is one fine? Let me know if I could help or should review code.

Comment 5 Tomas Mraz 2013-09-13 09:57:01 UTC
I think another bug for cached login would be good because the current way does not work.

And the --enablewinbindkrb5 is rather a feature.

Comment 6 Tomas Mraz 2013-10-30 14:53:05 UTC
To avoid messing with another file could these options (krb5_auth and krb5_ccache_type) be set in the /etc/pam.d/system_auth as pam_winbind.so parameters?

Comment 7 Andreas Schneider 2013-10-31 10:52:43 UTC
Yes, you can also pass them to the pam module.

pam_winbind.so krb5_auth=yes krb5_ccache_type=KEYRING
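
Added example, not part of the original thread and not authconfig code: a Python audit that checks whether a host carries the settings named in comments 3 and 7, either in the config files or as pam_winbind.so arguments. The function names, the case-insensitive value comparison, the rule that a PAM argument only counts when every pam_winbind auth line carries it, and the sample inputs are assumptions made for this example.

```python
# Added example (not authconfig code): audit for the settings named in comments 3 and 7.
# Assumption: values are compared case-insensitively, so expected values are lowercase.
EXPECTED_SMB = {"kerberos method": "secrets and keytab"}            # smb.conf, comment 3
EXPECTED_PAM = {"krb5_auth": "yes", "krb5_ccache_type": "keyring"}  # pam_winbind, comments 3/7

def parse_ini(text):
    """Parse smb.conf / pam_winbind.conf style text into {section: {key: value}}."""
    out, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            out.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            out[section][" ".join(key.lower().split())] = value.strip().lower()
    return out

def pam_auth_args(pam_text):
    """Return one {arg: value} dict per 'auth' line that loads pam_winbind.so."""
    found = []
    for raw in pam_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens and tokens[0].lstrip("-") == "auth" and "pam_winbind.so" in tokens:
            args = tokens[tokens.index("pam_winbind.so") + 1:]
            found.append({a.partition("=")[0]: a.partition("=")[2].lower() for a in args})
    return found

def audit(smb_text, winbind_text, pam_text):
    """Return findings; an empty list means every expected setting was found."""
    findings = []
    smb = parse_ini(smb_text).get("global", {})
    for key, want in EXPECTED_SMB.items():
        if smb.get(key) != want:
            findings.append(f"smb.conf: '{key}' is {smb.get(key)!r}, expected {want!r}")
    in_file = parse_ini(winbind_text).get("global", {})
    pam_lines = pam_auth_args(pam_text)
    for key, want in EXPECTED_PAM.items():
        # Assumption: a PAM argument counts only if every pam_winbind auth line carries it.
        on_pam = bool(pam_lines) and all(a.get(key) == want for a in pam_lines)
        if in_file.get(key) != want and not on_pam:
            findings.append(f"pam_winbind: '{key}' not set to {want!r} in file or PAM stack")
    return findings

# Constructed sample inputs (not taken from a real host).
SMB_OK = "[global]\n   security = ads\n   kerberos method = secrets and keytab\n"
WINBIND_FILE = "[global]\nkrb5_auth = yes\nkrb5_ccache_type = FILE\n"
PAM_STACK = "auth sufficient pam_winbind.so use_first_pass krb5_auth=yes krb5_ccache_type=KEYRING\n"

if __name__ == "__main__":
    for finding in audit(SMB_OK, WINBIND_FILE, PAM_STACK) or ["all expected settings found"]:
        print(finding)
```
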

Comment 8 Tomas Mraz 2013-10-31 16:52:26 UTC
I'd like to solve this by rebasing authconfig as I am doing the development upstream and there will be no changes unrelated to RHEL-7 development.

Comment 11 Ludek Smid 2014-06-13 11:22:26 UTC
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.

