Bug 110948 - expired passwords cause user login to be rejected after password update when using pam_krb5.so
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
Version: 3.0
Hardware: All Linux
Priority: medium Severity: medium
Assigned To: Nalin Dahyabhai
Brian Brock
Blocks: 116726
Reported: 2003-11-25 15:03 EST by Neil Horman
Modified: 2007-11-30 17:06 EST
Last Closed: 2004-05-11 22:23:11 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2004:207 normal SHIPPED_LIVE Updated pam_krb5 package available 2004-05-11 00:00:00 EDT

Description Neil Horman 2003-11-25 15:03:21 EST
Description of problem:
When using a pam stack that includes pam_krb5.so as a required auth
mechanism and a sufficient password mechanism, a user logging in with
an expired password will be able to successfully update their
authentication, but then their login session will be terminated with
an error indicating that pam_krb5 was unable to retrieve their
credential cache.

Version-Release number of selected component (if applicable):


How reproducible:
always

Steps to Reproduce:
1. Create a system in which pam_krb5 is used as a pam
   authentication/password mechanism
2. Add a user to the Kerberos server, and expire their password
3. Log in to the console of the client machine, and update the password
   when prompted

Actual results:
user session is terminated

Expected results:
user session should be established with valid credential cache

Additional info:
Comment 1 Nalin Dahyabhai 2004-01-20 09:35:01 EST
Support for password-changing at login-time needs fixing.
Comment 2 Nalin Dahyabhai 2004-05-07 18:37:51 EDT
This should be fixed in version 1.73, slated for U2, along with
various other corner cases turned up in testing.
Comment 3 John Flanagan 2004-05-11 22:23:11 EDT
An errata has been issued which should help the problem described in this
bug report. This report is therefore being closed with a resolution of
ERRATA. For more information on the solution and/or where to find the
updated files, please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-207.html
Comment 4 Jason T Hardy 2004-12-22 14:25:10 EST
The errata does not address this issue. When an expired password is
changed successfully, the new password fails to authenticate the user.
When an expired password fails the password change, the expired
password allows the user to authenticate.
Comment 5 G. Mayordomo 2005-09-02 04:24:22 EDT
I am having a very similar problem. I am not sure if it could be related
to the configuration of my pam modules.

In pam_krb5-1.73 I get the following information in syslog:

Aug 25 10:13:36 dbclusterD02 login: pam_krb5: warn_period 604800
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() called
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: attempting to change password for PRUEBA
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: PRUEBA prepared for password change
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: PRUEBA's Kerberos 5 password has been changed
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: stash retrieved
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() returning 7 (Authentication failure)
Aug 25 10:13:36 dbclusterD02 login: Authentication failure

With pam_krb5-1.73 the error is similar: 

Aug 25 10:13:36 dbclusterD02 login: pam_krb5: warn_period 604800
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() called
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: attempting to change password for PRUEBA
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: PRUEBA prepared for password change
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: PRUEBA's Kerberos 5 password has been changed
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: stash retrieved
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() returning 4 (System Error)
Aug 25 10:13:36 dbclusterD02 login: System error


  and the configuration of the login pam module is the following:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_securetty.so
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_krb5.so realm=KRB390.ATCA.ES debug
auth        sufficient    /lib/security/$ISA/pam_unix.so use_first_pass likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
auth        required      /lib/security/$ISA/pam_nologin.so

account     sufficient    /lib/security/$ISA/pam_krb5.so realm=KRB390.ATCA.ES debug
account     sufficient    /lib/security/$ISA/pam_localuser.so debug
account     sufficient    /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type= difok=1 minlen=6
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok realm=KRB390.ATCA.ES debug

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so debug
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_console.so
Comment 6 G. Mayordomo 2005-09-02 04:30:07 EDT
I have read my previous post and I have seen an error. The second log is from
the version pam_krb5.1.75. I have used both versions and I get slightly different
errors but with very similar results: the password is correctly changed but the
session login is aborted.

  Sorry
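
A triage check for the symptom reported in comments 5 and 6, as an added example that is not part of the bug report or of pam_krb5: it rejoins the wrapped syslog lines and reports every pam_sm_chauthtok() call that logged a successful Kerberos password change but still returned a non-zero PAM code. The function names, the EJEMPLO user and the "returning 0 (Success)" line format are assumptions made for illustration.

```python
import re

# First five lines: syslog output from comment 5, wrapped as posted.
# Last three lines: constructed here (format assumed) to show a clean change.
SAMPLE = """\
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() called
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: PRUEBA's Kerberos 5 password has
been changed
Aug 25 10:13:36 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() returning 7
(Authentication failure)
Aug 25 10:14:02 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() called
Aug 25 10:14:02 dbclusterD02 login: pam_krb5: EJEMPLO's Kerberos 5 password has been changed
Aug 25 10:14:02 dbclusterD02 login: pam_krb5: pam_sm_chauthtok() returning 0 (Success)
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
ENTRY = re.compile(r"^(\S+ +\d+ [\d:]+) (\S+) (\S+?)(?:\[\d+\])?: pam_krb5: (.*)$")
CHANGED = re.compile(r"^(\S+)'s Kerberos 5 password has been changed")
RETURN = re.compile(r"^pam_sm_chauthtok\(\) returning (\d+)\s*\((.*?)\)")

def unwrap(text):
    """Rejoin continuation lines (no leading syslog timestamp) to their entry."""
    entries = []
    for line in text.splitlines():
        if STAMP.match(line) or not entries:
            entries.append(line.strip())
        elif line.strip():
            entries[-1] += " " + line.strip()
    return entries

def rejected_after_change(text):
    """List (time, host, user, code, reason) where the password changed but PAM failed."""
    changed, findings = {}, []
    for entry in unwrap(text):
        m = ENTRY.match(entry)
        if not m:
            continue
        when, host, service, msg = m.groups()
        key = (host, service)  # pending state is tracked per host and service
        if msg.startswith("pam_sm_chauthtok() called"):
            changed.pop(key, None)  # new call: forget any earlier state
        elif (c := CHANGED.match(msg)):
            changed[key] = c.group(1)
        elif (r := RETURN.match(msg)):
            user = changed.pop(key, None)
            if user and r.group(1) != "0":
                findings.append((when, host, user, int(r.group(1)), r.group(2)))
    return findings
```

Each finding is an account whose KDC password no longer matches what the user typed at the start of the login, so the session was dropped even though the change itself succeeded.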
