Bug 1029374

| Summary: | kerberos tickets are not refreshed when the screen is unlocked via vlock or gnome screensaver | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Patrik Kis <pkis> |
| Component: | pam_krb5 | Assignee: | Nalin Dahyabhai <nalin> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Patrik Kis <pkis> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 7.0 | CC: | dpal, pkis |
| Target Milestone: | rc | Keywords: | Tracking |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2014-06-26 11:36:09 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1032140, 1032154 | | |
| Bug Blocks: | | | |
I'm not able to reproduce this - when I lock my screen in GNOME and then unlock it, klist shows that my cache has new credentials in it. Can you add "debug" to the set of options passed to pam_krb5 when it's used for "auth" in /etc/pam.d/password-auth, run it again, and paste what it logs to /var/log/secure?

(In reply to Nalin Dahyabhai from comment #2)
> I'm not able to reproduce this - when I lock my screen in GNOME and then
> unlock it, klist shows that my cache has new credentials in it. Can you add
> "debug" to the set of options passed to pam_krb5 when it's used for "auth"
> in /etc/pam.d/password-auth, run it again, and paste what it logs to
> /var/log/secure?

Here is the debugging info (just for completeness, I tested with vlock and it seems that for vlock the /etc/pam.d/system-auth is the right place to add the debug option).

This is the debug for the initial login:

Nov 13 03:21:07 localhost unix_chkpwd[54044]: password check failed for user (alice)
Nov 13 03:21:07 localhost sshd[54042]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=intel-canoepass-12.lab.bos.redhat.com user=alice
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: default/local realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: configured realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: debug
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: don't always_allow_localname
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no ignore_afs
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no null_afs
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no cred_session
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no ignore_k5login
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: user_check
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: will try previously set password first
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: will let libkrb5 ask questions
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: use_shmem
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: external
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no multiple_ccaches
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: validate
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: warn
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: banner: Kerberos 5
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: ccache dir: /tmp
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: ccname template: KEYRING:persistent:%{uid}
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: keytab: FILE:/etc/krb5.keytab
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: token strategy: 2b
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: called to authenticate 'alice', configured realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: authenticating 'alice'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: no value for "_pam_krb5_stash_alice_ZMRAZ.COM__1_shm" set, no credentials recovered from shared memory
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: checking for externally-obtained credentials
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: KRB5CCNAME is not set, none found
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: trying previously-entered password for 'alice', allowing libkrb5 to prompt for more
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: authenticating 'alice' to 'krbtgt/ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: krb5_get_init_creds_password(krbtgt/ZMRAZ.COM) returned 0 (Success)
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: validating credentials
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: TGT verified using key for 'host/intel-canoepass-12.lab.bos.redhat.com'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: got result 0 (Success)
Nov 13 03:21:07 localhost sshd[54045]: pam_krb5[54045]: no need to create "/tmp"
Nov 13 03:21:07 localhost sshd[54045]: pam_krb5[54045]: created ccache "FILE:/tmp/krb5cc_1001_bD5Qdy"
Nov 13 03:21:07 localhost sshd[54045]: pam_krb5[54045]: created ccache 'FILE:/tmp/krb5cc_1001_bD5Qdy' for 'alice'
Nov 13 03:21:07 localhost sshd[54045]: pam_krb5[54045]: krb5_kuserok() says "true" for ("alice","alice")
Nov 13 03:21:07 localhost sshd[54045]: pam_krb5[54045]: destroyed ccache "FILE:/tmp/krb5cc_1001_bD5Qdy"
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: 'alice' passes .k5login check for 'alice'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: saved credentials to shared memory segment 458752 (creator pid 54042)
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: set '_pam_krb5_stash_alice_ZMRAZ.COM__1_shm=458752/54042' in environment
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: authentication succeeds for 'alice' (alice)
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: pam_authenticate returning 0 (Success)
Nov 13 03:21:07 localhost sshd[54042]: Accepted password for alice from 10.16.42.153 port 50637 ssh2
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: default/local realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: configured realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: debug
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: don't always_allow_localname
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no ignore_afs
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no null_afs
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no cred_session
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no ignore_k5login
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: user_check
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: will try previously set password first
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: will let libkrb5 ask questions
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: use_shmem
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: external
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: no multiple_ccaches
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: validate
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: flag: warn
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: banner: Kerberos 5
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: ccache dir: /tmp
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: ccname template: KEYRING:persistent:%{uid}
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: keytab: FILE:/etc/krb5.keytab
Nov 13 03:21:07 localhost sshd[54042]: pam_krb5[54042]: token strategy: 2b
Nov 13 03:21:07 localhost sshd[54042]: pam_unix(sshd:session): session opened for user alice by (uid=0)
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: default/local realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: configured realm 'ZMRAZ.COM'
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: debug
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: don't always_allow_localname
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: no ignore_afs
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: no null_afs
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: no cred_session
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: no ignore_k5login
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: user_check
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: will try previously set password first
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: will let libkrb5 ask questions
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: use_shmem
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: external
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: no multiple_ccaches
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: validate
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: flag: warn
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: banner: Kerberos 5
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: ccache dir: /tmp
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: ccname template: KEYRING:persistent:%{uid}
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: keytab: FILE:/etc/krb5.keytab
Nov 13 03:21:07 localhost sshd[54050]: pam_krb5[54050]: token strategy: 2b

And this for terminal unlock via vlock:

Nov 13 03:21:26 localhost unix_chkpwd[54084]: password check failed for user (alice)
Nov 13 03:21:26 localhost vlock[54082]: pam_unix(vlock:auth): authentication failure; logname=alice uid=1001 euid=1001 tty=pts/2 ruser= rhost= user=alice
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: default/local realm 'ZMRAZ.COM'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: configured realm 'ZMRAZ.COM'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: debug
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: don't always_allow_localname
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: no ignore_afs
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: no null_afs
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: cred_session
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: no ignore_k5login
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: user_check
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: will try previously set password first
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: will let libkrb5 ask questions
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: no use_shmem
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: no external
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: no multiple_ccaches
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: validate
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: flag: warn
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: banner: Kerberos 5
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: ccache dir: /tmp
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: ccname template: KEYRING:persistent:%{uid}
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: keytab: FILE:/etc/krb5.keytab
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: token strategy: 2b
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: called to authenticate 'alice', configured realm 'ZMRAZ.COM'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: authenticating 'alice'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: trying previously-entered password for 'alice', allowing libkrb5 to prompt for more
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: authenticating 'alice' to 'krbtgt/ZMRAZ.COM'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: krb5_get_init_creds_password(krbtgt/ZMRAZ.COM) returned 0 (Success)
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: validating credentials
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: TGT verified
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: got result 0 (Success)
Nov 13 03:21:26 localhost vlock[54085]: pam_krb5[54085]: no need to create "/tmp"
Nov 13 03:21:26 localhost vlock[54085]: pam_krb5[54085]: created ccache "FILE:/tmp/krb5cc_1001_VKRS2j"
Nov 13 03:21:26 localhost vlock[54085]: pam_krb5[54085]: created ccache 'FILE:/tmp/krb5cc_1001_VKRS2j' for 'alice'
Nov 13 03:21:26 localhost vlock[54085]: pam_krb5[54085]: krb5_kuserok() says "true" for ("alice","alice")
Nov 13 03:21:26 localhost vlock[54085]: pam_krb5[54085]: destroyed ccache "FILE:/tmp/krb5cc_1001_VKRS2j"
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: 'alice' passes .k5login check for 'alice'
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: authentication succeeds for 'alice' (alice)
Nov 13 03:21:26 localhost vlock[54082]: pam_krb5[54082]: pam_authenticate returning 0 (Success)

The credential validity was not refreshed again, despite the fact that I can see the new AS-REQ and AS-REP between KDC and client.

Via GNOME the ticket is refreshed; I probably missed something yesterday. So the issue is in vlock then.

Do you have the debug log for a screen unlock? It's important that the application calls pam_setcred() with the PAM_REINITIALIZE_CRED flag in the unlock case, to update creds the user already has, rather than the PAM_ESTABLISH_CRED, which would normally create new creds (pam_krb5's debug notices include that information). If it's the latter case, then things appear to work because the module is creating new creds in the same location where they were previously stored, but that doesn't mean other modules won't experience problems.

(In reply to Nalin Dahyabhai from comment #5)
> Do you have the debug log for a screen unlock?

https://bugzilla.redhat.com/show_bug.cgi?id=1029374#c3

Are these the logs, or should I create a new one?

I see logs from sshd and vlock, but not a GUI screen lock like gnome-screensaver (or gdm, as I think gnome-shell hands the authentication work off to it).

Sorry, here are the logs from GUI unlock that refresh the tickets (or seem to).
Nov 14 15:33:10 rhel72 unix_chkpwd[2742]: password check failed for user (alice)
Nov 14 15:33:10 rhel72 gdm-password]: pam_unix(gdm-password:auth): authentication failure; logname=alice uid=0 euid=0 tty=:0 ruser= rhost= user=alice
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: default/local realm 'EXAMPLE.COM'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: configured realm 'EXAMPLE.COM'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: debug
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: don't always_allow_localname
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no ignore_afs
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no null_afs
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: cred_session
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no ignore_k5login
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: user_check
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: will try previously set password first
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: will let libkrb5 ask questions
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no use_shmem
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no external
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no multiple_ccaches
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: validate
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: warn
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: banner: Kerberos 5
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: ccache dir: /tmp
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: ccname template: KEYRING:persistent:%{uid}
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: keytab: FILE:/etc/krb5.keytab
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: token strategy: 2b
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: called to authenticate 'alice', configured realm 'EXAMPLE.COM'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: authenticating 'alice'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: trying previously-entered password for 'alice', allowing libkrb5 to prompt for more
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: authenticating 'alice' to 'krbtgt/EXAMPLE.COM'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM) returned 0 (Success)
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: validating credentials
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: error reading keytab 'FILE:/etc/krb5.keytab'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: TGT verified
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: got result 0 (Success)
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2743]: no need to create "/tmp"
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2743]: created ccache "FILE:/tmp/krb5cc_1001_PP6eog"
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2743]: created ccache 'FILE:/tmp/krb5cc_1001_PP6eog' for 'alice'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2743]: krb5_kuserok() says "true" for ("alice","alice")
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2743]: destroyed ccache "FILE:/tmp/krb5cc_1001_PP6eog"
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: 'alice' passes .k5login check for 'alice'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: authentication succeeds for 'alice' (alice)
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: pam_authenticate returning 0 (Success)
Nov 14 15:33:10 rhel72 gdm-password]: gkr-pam: unlocked login keyring
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: default/local realm 'EXAMPLE.COM'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: configured realm 'EXAMPLE.COM'
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: debug
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: don't always_allow_localname
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no ignore_afs
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no null_afs
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: cred_session
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no ignore_k5login
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: user_check
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: will try previously set password first
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: will let libkrb5 ask questions
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no use_shmem
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no external
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: no multiple_ccaches
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: validate
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: flag: warn
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: banner: Kerberos 5
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: ccache dir: /tmp
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: ccname template: KEYRING:persistent:%{uid}
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: keytab: FILE:/etc/krb5.keytab
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: token strategy: 2b
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: creating ccache for 'alice', uid=1001, gid=1001
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: created ccache "KEYRING:persistent:1001"
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: pam_setcred(PAM_ESTABLISH_CRED) returning 0 (Success)
(In reply to Patrik Kis from comment #8)
> Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]:
> pam_setcred(PAM_ESTABLISH_CRED) returning 0 (Success)

Yeah, that's a problem. That's the "create new creds" flag, rather than the flag for "refresh existing creds" (PAM_REINITIALIZE_CRED).

Related, but likely a different bug if it's not working: if ssh is using GSSAPI for key exchange, and you're using credential delegation (so GSSAPIAuthentication, GSSAPIKeyExchange, and GSSAPIStoreCredentialsOnRekey are enabled at the server, and the client is using GSSAPIAuthentication, GSSAPIKeyExchange, GSSAPIDelegateCredentials, and GSSAPIRenewalForcesRekey), when you run 'kinit' at the client, your new creds should be re-delegated to the server, so 'klist' there should list new creds. When using PAM, at that point the server should also be calling pam_setcred() to signal modules in the "sshd-rekey" configuration to reinitialize creds, for the sake of any which will make use of those newly-delegated creds.

I expect this is going to serve merely as a tracking bug for the vlock and gdm bugs on which it depends, since we've verified that the module behaves as expected when the application makes the expected API calls.

(In reply to Nalin Dahyabhai from comment #10)
> I expect this is going to serve merely as a tracking bug for the vlock and
> gdm bugs on which it depends, since we've verified that the module behaves
> as expected when the application makes the expected API calls.

I fully agree; I think we should either close this bug or change it to a tracker, as it is not a regression in pam_krb5 as it initially looked like.

This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.
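The two checks the thread relies on, as an added example that is not part of the bug report or of pam_krb5: which pam_setcred() flag each PAM service reported in pam_krb5 "debug" output (comments #5 and #9 explain that a screen unlock should report PAM_REINITIALIZE_CRED, not PAM_ESTABLISH_CRED), and whether an unlock actually moved the TGT's "Valid starting" time in klist output (the reporter's before/after comparison). The syslog lines and klist output below are constructed for the example, modelled on the ones pasted in this bug; the set of services treated as "unlock" services is an assumption to adapt to your /etc/pam.d.

```python
"""Diagnostics for credential refresh on screen unlock (added example).

Part 1 parses pam_krb5 "debug" lines from /var/log/secure and reports the
pam_setcred() flag each service used.  Part 2 compares two klist(1) outputs
and reports whether the krbtgt entry was re-issued in between.
"""
import re
from datetime import datetime

# Constructed sample lines in the format pam_krb5 logs with the "debug" option.
# gdm's syslog ident really does appear as "gdm-password]" with no pid, as in
# the thread; sshd and vlock use the usual "name[pid]" form.
SAMPLE_SECURE_LOG = """\
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: pam_authenticate returning 0 (Success)
Nov 14 15:33:10 rhel72 gdm-password]: pam_krb5[2735]: pam_setcred(PAM_ESTABLISH_CRED) returning 0 (Success)
Nov 14 15:40:02 rhel72 sshd[3011]: pam_krb5[3011]: pam_setcred(PAM_ESTABLISH_CRED) returning 0 (Success)
Nov 14 15:41:17 rhel72 vlock[3099]: pam_krb5[3099]: pam_setcred(PAM_REINITIALIZE_CRED) returning 0 (Success)
"""

SETCRED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+(?P<ident>\S+?):"
    r"\s+pam_krb5\[(?P<pid>\d+)\]:\s+pam_setcred\((?P<flag>PAM_[A-Z_]+)\)"
    r"\s+returning\s+(?P<rc>\d+)"
)

# Assumption: PAM service names of the lock/unlock programs on the host.
# These two appear in the bug; add your own (e.g. a screensaver's service).
UNLOCK_SERVICES = {"vlock", "gdm-password"}


def setcred_calls(log_text):
    """Return [(service, pid, flag, rc)] for every pam_setcred() result logged."""
    calls = []
    for line in log_text.splitlines():
        m = SETCRED_RE.match(line)
        if not m:
            continue
        # Strip the trailing "[pid]" or stray "]" from the syslog ident.
        service = re.sub(r"[\[\]\d]*$", "", m["ident"])
        calls.append((service, int(m["pid"]), m["flag"], int(m["rc"])))
    return calls


def misflagged_unlocks(log_text, unlock_services=UNLOCK_SERVICES):
    """Unlock services that asked pam_krb5 to create new creds instead of
    refreshing the existing ones, i.e. the bug this report is about."""
    return [(svc, pid) for svc, pid, flag, _rc in setcred_calls(log_text)
            if svc in unlock_services and flag != "PAM_REINITIALIZE_CRED"]


# Constructed klist output (RHEL 7 date format) before and after an unlock.
KLIST_BEFORE = """\
Ticket cache: KEYRING:persistent:1001:krb_ccache_HWd1Sdb
Default principal: alice@EXAMPLE.COM

Valid starting       Expires              Service principal
11/12/2013 10:48:36  11/13/2013 10:48:36  krbtgt/EXAMPLE.COM@EXAMPLE.COM
\trenew until 11/12/2013 10:48:36
"""
KLIST_AFTER_UNCHANGED = KLIST_BEFORE          # what the reporter saw with vlock
KLIST_AFTER_REFRESHED = KLIST_BEFORE.replace("10:48:36", "10:49:21")

KLIST_RE = re.compile(
    r"^(?P<start>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+"
    r"(?P<expires>\d\d/\d\d/\d{4} \d\d:\d\d:\d\d)\s+(?P<service>\S+)$"
)
TS_FMT = "%m/%d/%Y %H:%M:%S"


def tgt_issue_time(klist_text):
    """'Valid starting' of the krbtgt entry as a datetime, or None if absent."""
    for line in klist_text.splitlines():
        m = KLIST_RE.match(line.strip())
        if m and m["service"].startswith("krbtgt/"):
            return datetime.strptime(m["start"], TS_FMT)
    return None


def tgt_refreshed(before, after):
    """True only if the TGT in `after` was issued later than the one in `before`."""
    b, a = tgt_issue_time(before), tgt_issue_time(after)
    return b is not None and a is not None and a > b


if __name__ == "__main__":
    for svc, pid in misflagged_unlocks(SAMPLE_SECURE_LOG):
        print(f"{svc}[{pid}] called pam_setcred(PAM_ESTABLISH_CRED) on unlock; "
              "expected PAM_REINITIALIZE_CRED")
    print("vlock refreshed TGT:", tgt_refreshed(KLIST_BEFORE, KLIST_AFTER_UNCHANGED))
    print("GUI unlock refreshed TGT:", tgt_refreshed(KLIST_BEFORE, KLIST_AFTER_REFRESHED))
```

Note that, as comment #5 points out, a refreshed "Valid starting" time alone does not prove the application used the right flag: pam_krb5 writes new creds to the same cache either way, so the pam_setcred() line in the debug log is the check that matters.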
Description of problem:
The credentials validity time is not refreshed via pam_krb5 when the screen is locked via vlock or gnome screensaver.

Version-Release number of selected component (if applicable):
krb5-libs-1.11.3-31.el7
pam_krb5-2.4.8-1.el7
kbd-1.15.5-7.el7

How reproducible:
always

Steps to Reproduce:
# cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = ZMRAZ.COM
 dns_lookup_realm = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true
 rdns = false
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 ZMRAZ.COM = {
  kdc = rhel7.pkis.net
  admin_server = rhel7.pkis.net
 }

[domain_realm]
 .pkis.net = ZMRAZ.COM
 pkis.net = ZMRAZ.COM
#
# authconfig --test |grep pam_krb5
pam_krb5 is enabled
0 [root@rhel7 tmp.NlNgHyvhTG ]# authconfig --test |grep krb5
pam_krb5 is enabled
 krb5 realm = "ZMRAZ.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "rhel7.pkis.net"
 krb5 kdc via dns is disabled
 krb5 admin server = "rhel7.pkis.net"
#
# ssh alice.net
alice.net's password:
Last login: Tue Nov 12 10:41:12 2013 from rhel7.pkis.net
[alice@rhel7 ~]$
[alice@rhel7 ~]$ klist
Ticket cache: KEYRING:persistent:1001:krb_ccache_HWd1Sdb
Default principal: alice

Valid starting       Expires              Service principal
11/12/2013 10:48:36  11/13/2013 10:48:36  krbtgt/ZMRAZ.COM
	renew until 11/12/2013 10:48:36
[alice@rhel7 ~]$
[alice@rhel7 ~]$ date
Tue Nov 12 10:49:10 CET 2013
[alice@rhel7 ~]$ vlock
This tty (pts/2) is not a virtual console.
The pts/2 is now locked by alice.
Password:
[alice@rhel7 ~]$ date
Tue Nov 12 10:49:21 CET 2013
[alice@rhel7 ~]$ klist
Ticket cache: KEYRING:persistent:1001:krb_ccache_HWd1Sdb
Default principal: alice

Valid starting       Expires              Service principal
11/12/2013 10:48:36  11/13/2013 10:48:36  krbtgt/ZMRAZ.COM
	renew until 11/12/2013 10:48:36
[alice@rhel7 ~]$

NOTE: If alice's password was required, the Kerberos principal password was entered.
NOTE: The results are the same also with other credential cache types, like DIR or FILE.
NOTE: The gnome screen saver also does not refresh the tickets' validity time.

Actual results:
The tickets' validity is not refreshed.

Expected results:
Like on RHEL-6.

[root@rhel6 ~]# ssh pkis.net
pkis.net's password:
Last login: Tue Nov 12 10:22:04 2013 from rhel6.pkis.net
[pkis@rhel6 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500_9CXEhJ
Default principal: pkis

Valid starting     Expires            Service principal
11/12/13 10:54:20  11/13/13 10:54:20  krbtgt/EXAMPLE.COM
	renew until 11/12/13 10:54:20
[pkis@rhel6 ~]$ date
Tue Nov 12 10:54:24 CET 2013
[pkis@rhel6 ~]$ vlock
*** This tty is not a VC (virtual console). ***
*** It may not be securely locked. ***
This TTY is now locked.
Please enter the password to unlock.
pkis's Password:
[pkis@rhel6 ~]$ date
Tue Nov 12 10:54:44 CET 2013
[pkis@rhel6 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500_9CXEhJ
Default principal: pkis

Valid starting     Expires            Service principal
11/12/13 10:54:41  11/13/13 10:54:41  krbtgt/EXAMPLE.COM
	renew until 11/12/13 10:54:41
[pkis@rhel6 ~]$