Bug 1262083 - openssh single-sign-on from Windows clients to RHEL 6.4 doesn't carry Kerberos TGT
Status: CLOSED NOTABUG
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: fprintd
Version: 6.8
Hardware: All Linux
Priority: unspecified
Severity: medium
Assigned To: Bastien Nocera
QA Contact: Desktop QE
Reported: 2015-09-10 14:58 EDT by Jeff
Modified: 2015-10-13 05:30 EDT
Last Closed: 2015-10-13 05:30:04 EDT
Type: Bug

Description Jeff 2015-09-10 14:58:19 EDT
Description of problem:
pam_fprintd brings in an old pthread library, which causes a Kerberos library failure when trying to obtain a mutex. When that fails, the user's Kerberos cache cannot be created.

pam_fprintd, being in the PAM configuration, will be loaded. It brings in an older libpthread to resolve its symbol requirements.

The Kerberos library gss_krb5_copy_ccache() call by openssh now fails when it tries to call pthread_mutex_lock().

If pam_fprintd is loaded before an additional authentication module, it loads its old pthread library, which emits the same symbol, so our call winds up calling its mutex function, which returns an error.

Version-Release number of selected component (if applicable):
RHEL 6.4 pam_fprintd module

Removing the fprintd module from the PAM stack allows this to function as expected.

How reproducible:

pam_fprintd, being in the PAM configuration, will be loaded. It brings in an older libpthread to resolve its symbol requirements.

The Kerberos library gss_krb5_copy_ccache() call by openssh now fails when it tries to call pthread_mutex_lock().

Steps to Reproduce:
1. Standard RHEL 6 install
2. Add a Kerberos authentication module into the PAM stack AFTER fprintd
3. SSH into the system using SSO and then check for existing TGT. It will not be present.

Actual results:
TGT is not present for use in additional authentication

Expected results:

TGT should be present for use in additional authentication
Additional info:
Comment 2 Bastien Nocera 2015-09-11 05:47:29 EDT
(In reply to Jeff from comment #0)
> Description of problem:
> pam_fprintd brings in an old pthread library, which causes a Kerberos library
> failure when trying to obtain a mutex. When that fails, the user's Kerberos cache
> cannot be created.

pam_fprintd uses the system's libpthread; it doesn't have its own libpthread. So I don't really understand how you came to that conclusion.
Comment 3 Jeff 2015-10-12 14:52:15 EDT
The information given, that pam_fprintd uses the system's libpthread on RHEL 6.4, answers our question, and we will inspect the problem systems' libpthread.

Please consider this request closed at this time.
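
One way to check the question this thread turns on, whether a second libpthread is loaded beside the system one, as an added example that is not part of the original bug report: the script lists every libpthread object mapped into a process from /proc/<pid>/maps-format text. The function names, the sample data and the paths in it (including /opt/example) are constructed for illustration.

```shell
#!/bin/sh
# Added example: report which libpthread objects are mapped into a process.

# Print each distinct libpthread path found in /proc/<pid>/maps-format text.
# $1: file to read (on a live host, /proc/<sshd pid>/maps).
pthread_objects() {
    # Field 6 of a maps line is the file backing the mapping.
    awk '$6 ~ "/libpthread[-.][^/]*$" { print $6 }' "$1" | sort -u
}

# Exit 0 only when exactly one libpthread object is mapped.
single_pthread() {
    [ "$(pthread_objects "$1" | grep -c .)" -eq 1 ]
}

# Constructed sample data (not captured from a real system).
sample_ok=$(mktemp)
sample_dup=$(mktemp)
cat > "$sample_ok" <<'EOF'
7f3a10000000-7f3a10017000 r-xp 00000000 fd:00 131   /lib64/libpthread-2.12.so
7f3a10017000-7f3a10217000 ---p 00017000 fd:00 131   /lib64/libpthread-2.12.so
7f3a11000000-7f3a11004000 r-xp 00000000 fd:00 977   /lib64/security/pam_fprintd.so
EOF
cat > "$sample_dup" <<'EOF'
7f3a10000000-7f3a10017000 r-xp 00000000 fd:00 131   /lib64/libpthread-2.12.so
7f3a20000000-7f3a20016000 r-xp 00000000 fd:00 552   /opt/example/lib/libpthread.so.0
7f3a11000000-7f3a11004000 r-xp 00000000 fd:00 977   /lib64/security/pam_fprintd.so
EOF

for f in "$sample_ok" "$sample_dup"; do
    if single_pthread "$f"; then
        echo "one libpthread mapped:"
    else
        echo "unexpected libpthread set:"
    fi
    pthread_objects "$f"
done
```

On a live host, pass the /proc/<pid>/maps file of the sshd process handling the session instead of the sample files.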