This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 126345 - [has patch] pam_krb5 ignores "krb4_convert = false" when AFS is loaded
[has patch] pam_krb5 ignores "krb4_convert = false" when AFS is loaded
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: pam_krb5 (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
: Patch
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-06-19 12:30 EDT by Matthew Miller
Modified: 2007-11-30 17:10 EST (History)
0 users

See Also:
Fixed In Version: 2.1.2-1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-31 10:49:30 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
adds "ignore_afs" flag (2.23 KB, patch)
2004-06-30 11:48 EDT, Matthew Miller
no flags Details | Diff

  None (edit)
Description Matthew Miller 2004-06-19 12:30:57 EDT
We have some sort of problem with converting v5 creds to v4 ones here.
I haven't worried about it too much, because we don't really need
them, or at least care about getting them at login. So, I have
"krb4_convert = false".

The AFS code in pam_krb5 seems to ignore this setting entirely -- if
AFS is detected, it tries for 50 seconds before timing out.

With Red Hat Linux 9, I worked around this by simply using pam_krb5
instead of pam_krb5afs. But now, these aren't separate binaries, and
there appears to be no way to disable AFS. I don't actually *need* the
pam module to be messing with AFS, and would like to tell it to stop.

Obviously, it'd be nice to get the actual problem we have with v4
conversion fixed. But additionally, the pam_krb5 module ought to do
what it is told.
Comment 1 Matthew Miller 2004-06-30 11:48:19 EDT
Created attachment 101538 [details]
adds "ignore_afs" flag

This patch adds an "ignore_afs" flag. If that is set to true in /etc/krb5.conf,
the PAM module skips its AFS detection routines and doesn't reenable
krb4_convert or attempt to get AFS credentials.
Comment 2 Matthew Miller 2004-06-30 11:50:44 EDT
I checked with the people who run the AFS and kerberos servers here,
and basically, our 5 and 4 servers are entirely separate, and so
5-to-4 just doesn't work. AFS tokens should be obtained separately.
That may change in the future, but certainly not the near future.

Please add the 'ignore_afs' functionality -- otherwise, we're really
crippled. Thanks!
Comment 3 Nalin Dahyabhai 2004-08-31 10:49:30 EDT
Merging into 2.1.2.  Thanks!

Note You need to log in before you can comment on or make changes to this bug.