1263745 – Kerberos user access to sudo is failing

Bug 1263745 - Kerberos user access to sudo is failing

Summary: Kerberos user access to sudo is failing

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	pam_krb5
Sub Component:
Version:	7.2
Hardware:	All
OS:	Linux
Priority:	urgent
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Robbie Harwood
QA Contact:	Stefan Kremen
Docs Contact:	Marc Muehlfeld
URL:	https://git.fedorahosted.org/cgit/pam...
Whiteboard:
Duplicates (2):	1202949 1374041 (view as bug list)
Depends On:
Blocks:	1203710 1313485 1292074 1296125
TreeView+	depends on / blocked

Reported:	2015-09-16 15:04 UTC by Roshni
Modified:	2019-12-16 04:56 UTC (History)
CC List:	18 users (show)
Fixed In Version:	pam_krb5-2.4.8-5.el7
Doc Type:	Bug Fix
Doc Text:	The "sudo" command now works correctly when using Kerberos with a smart card Previously, the pam_krb5 module closed to many file descriptors during fork operations. As a consequence, "sudo" commands for users authenticating using Kerberos and smart cards failed if the password entry was not found within the first 4096 characters of the `/etc/passwd` file. This bug has been fixed, libraries such as nsswitch can now use the file descriptors and "sudo" works correctly.
Clone Of:
Environment:
Last Closed:	2016-11-04 03:04:29 UTC
Target Upstream Version:

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Knowledge Base (Solution)	2160141	None	None	None	2016-02-18 17:08:25 UTC
Red Hat Product Errata	RHBA-2016:2305	normal	SHIPPED_LIVE	pam_krb5 bug fix update	2016-11-03 13:40:06 UTC

Description Roshni 2015-09-16 15:04:22 UTC

Description of problem:
Kerberos user access to sudo is failing

Version-Release number of selected component (if applicable):
pam_krb5-2.4.8-4.el7

How reproducible:
always

Steps to Reproduce:
1. Login using smartcard that has a kerberos user
2. add the kerberos user to /etc/sudoers
3. sudo yum install thunderbird

Actual results:
sudo operation prompts for the password but then hangs

Expected results:
kerberos user password should be accepted and the installation should go through

Additional info:

/var/log/secure messages:

Sep 15 11:15:40 dhcp129-45 sudo: pam_unix(sudo:auth): authentication failure; logname=kdcuser3 uid=1002 euid=0 tty=/dev/pts/0 ruser=kdcuser3 rhost=  user=kdcuser3
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: debug
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: don't always_allow_localname
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no ignore_afs
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no null_afs
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: cred_session
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no ignore_k5login
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: user_check
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: will try previously set password first
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: will let libkrb5 ask questions
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no use_shmem
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no external
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no multiple_ccaches
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: validate
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: warn
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: banner: Kerberos 5
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: ccache dir: /tmp
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: ccname template: KEYRING:persistent:%{uid}
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: keytab: FILE:/etc/krb5.keytab
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: token strategy: 2b
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: called to authenticate 'kdcuser3', configured realm 'EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: authenticating 'kdcuser3@EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: trying previously-entered password for 'kdcuser3', allowing libkrb5 to prompt for more
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: authenticating 'kdcuser3@EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: validating credentials
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: error reading keytab 'FILE:/etc/krb5.keytab'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: TGT verified
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: got result 0 (Success)
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: no need to create "/tmp"
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: created ccache "FILE:/tmp/krb5cc_1002_j58hKf"
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: created ccache 'FILE:/tmp/krb5cc_1002_j58hKf' for 'kdcuser3'



[root@dhcp129-45 ~]# pstack 11769
#0  0x00007ff8c01bd980 in __read_nocancel () from /lib64/libc.so.6
#1  0x00007ff8c014c967 in __GI__IO_file_read () from /lib64/libc.so.6
#2  0x00007ff8c014d9b0 in __GI__IO_file_underflow () from /lib64/libc.so.6
#3  0x00007ff8c014e93e in __GI__IO_default_uflow () from /lib64/libc.so.6
#4  0x00007ff8c01428f4 in __GI__IO_getline_info () from /lib64/libc.so.6
#5  0x00007ff8c014ba6d in fgets_unlocked () from /lib64/libc.so.6
#6  0x00007ff8b9300912 in internal_getent () from /lib64/libnss_files.so.2
#7  0x00007ff8b9300cb1 in _nss_files_getpwnam_r () from /lib64/libnss_files.so.2
#8  0x00007ff8c019259d in getpwnam_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#9  0x00007ff8b5368e0f in userok_k5login () from /lib64/libkrb5.so.3
#10 0x00007ff8b5368aaa in krb5_kuserok () from /lib64/libkrb5.so.3
#11 0x00007ff8b4239ea5 in _pam_krb5_kuserok () from /usr/lib64/security/pam_krb5.so
#12 0x00007ff8b4236098 in pam_sm_authenticate () from /usr/lib64/security/pam_krb5.so
#13 0x00007ff8b8804f6a in _pam_dispatch () from /lib64/libpam.so.0
#14 0x00007ff8b8804830 in pam_authenticate () from /lib64/libpam.so.0
#15 0x00007ff8b8c9a622 in sudo_pam_verify () from /usr/libexec/sudoers.so
#16 0x00007ff8b8c99d1d in verify_user () from /usr/libexec/sudoers.so
#17 0x00007ff8b8c9bec6 in check_user () from /usr/libexec/sudoers.so
#18 0x00007ff8b8ca59a5 in sudoers_policy_main () from /usr/libexec/sudoers.so
#19 0x00007ff8b8ca6f38 in sudoers_policy_check () from /usr/libexec/sudoers.so
#20 0x00007ff8c0f12572 in main ()



[root@dhcp129-45 ~]# strace -p 11769
Process 11769 attached
read(3,


pstack after installing debuginfo of glibc, pam_krb5, pam and sudo

[root@dhcp129-45 ~]# pstack 11769
#0  0x00007ff8c01bd980 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ff8c014c967 in __GI__IO_file_read (fp=0x3, buf=0x7ff8c0f09000, size=4096) at fileops.c:1243
#2  0x00007ff8c014d9b0 in _IO_new_file_underflow (fp=0x7ff8c15ee090) at fileops.c:612
#3  0x00007ff8c014e93e in __GI__IO_default_uflow (fp=0x7ff8c15ee090) at genops.c:436
#4  0x00007ff8c01428f4 in __GI__IO_getline_info (fp=0x7ff8c15ee090, buf=0x7fffb1078030 "\360\237\a\261\377\177", n=8191, delim=10, extract_delim=1, eof=0x0) at iogetline.c:69
#5  0x00007ff8c014ba6d in __GI_fgets_unlocked (buf=0x7fffb1078030 "\360\237\a\261\377\177", n=-1057976320, n@entry=8192, fp=0x7ff8c15ee090) at iofgets_u.c:55
#6  0x00007ff8b9300912 in get_contents (stream=<optimized out>, len=8192, linebuf=0x7fffb1078030 "\360\237\a\261\377\177") at nss_files/files-XXX.c:202
#7  internal_getent (result=result@entry=0x7fffb1075f70, buffer=buffer@entry=0x7fffb1078030 "\360\237\a\261\377\177", buflen=buflen@entry=8192, errnop=errnop@entry=0x7ff8c0ef26a0) at nss_files/files-XXX.c:247
#8  0x00007ff8b9300cb1 in _nss_files_getpwnam_r (name=0x7ff8c15ee8e0 "kdcuser3", result=0x7fffb1075f70, buffer=0x7fffb1078030 "\360\237\a\261\377\177", buflen=8192, errnop=0x7ff8c0ef26a0) at nss_files/files-pwd.c:32
#9  0x00007ff8c019259d in __getpwnam_r (name=0x7ff8c15ee8e0 "kdcuser3", resbuf=0x7fffb1075f70, buffer=0x7fffb1078030 "\360\237\a\261\377\177", buflen=8192, result=0x7fffb1075f58) at ../nss/getXXbyYY_r.c:266
#10 0x00007ff8b5368e0f in userok_k5login () from /lib64/libkrb5.so.3
#11 0x00007ff8b5368aaa in krb5_kuserok () from /lib64/libkrb5.so.3
#12 0x00007ff8b4239ea5 in _pam_krb5_kuserok (ctx=0x7ff8c161eae0, stash=stash@entry=0x7ff8c161d0c0, options=options@entry=0x7ff8c16210f0, userinfo=userinfo@entry=0x7ff8c161e450, user=0x7ff8c15ee8e0 "kdcuser3", uid=<optimized out>, gid=1000) at kuserok.c:160
#13 0x00007ff8b4236098 in pam_sm_authenticate (pamh=0x7ff8c15ee740, flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at auth.c:383
#14 0x00007ff8b8804f6a in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=<optimized out>, flags=32768, pamh=0x7ff8c15ee740) at pam_dispatch.c:110
#15 _pam_dispatch (pamh=pamh@entry=0x7ff8c15ee740, flags=32768, choice=choice@entry=1) at pam_dispatch.c:426
#16 0x00007ff8b8804830 in pam_authenticate (pamh=0x7ff8c15ee740, flags=flags@entry=32768) at pam_auth.c:34
#17 0x00007ff8b8c9a622 in sudo_pam_verify (pw=<optimized out>, prompt=0x7ff8c15f7af0 "[sudo] password for kdcuser3: ", auth=<optimized out>) at auth/pam.c:136
#18 0x00007ff8b8c99d1d in verify_user (pw=pw@entry=0x7ff8c15f1198, prompt=prompt@entry=0x7ff8c15f7af0 "[sudo] password for kdcuser3: ", validated=validated@entry=96) at auth/sudo_auth.c:249
#19 0x00007ff8b8c9bec6 in check_user (validated=validated@entry=96, mode=<optimized out>) at ./check.c:176
#20 0x00007ff8b8ca59a5 in sudoers_policy_main (argc=argc@entry=3, argv=argv@entry=0x7fffb107cc90, pwflag=pwflag@entry=0, env_add=env_add@entry=0x7ff8c15e5680, command_infop=command_infop@entry=0x7fffb107ca30, argv_out=argv_out@entry=0x7fffb107ca38, user_env_out=user_env_out@entry=0x7fffb107ca40) at ./sudoers.c:466
#21 0x00007ff8b8ca6f38 in sudoers_policy_check (argc=3, argv=0x7fffb107cc90, env_add=0x7ff8c15e5680, command_infop=0x7fffb107ca30, argv_out=0x7fffb107ca38, user_env_out=0x7fffb107ca40) at ./sudoers.c:765
#22 0x00007ff8c0f12572 in policy_check (plugin=0x7ff8c112eac0 <policy_plugin>, user_env_out=0x7fffb107ca40, argv_out=0x7fffb107ca38, command_info=0x7fffb107ca30, env_add=0x7ff8c15e5680, argv=0x7fffb107cc90, argc=3) at ./sudo.c:1203
#23 main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffb107ccb0) at ./sudo.c:258

Comment 6 Roshni 2015-09-24 15:57:01 UTC

I tried to reproduce this issue on RHEL 7.1 and see the same issue. I am not sure if any changes to some other packages pam_krb5 is talking to introduced this issue because this test was passing during regression tests on RHEL 7.1 which was in December 2014.

Comment 8 Roshni 2015-09-24 17:33:31 UTC

Yes it does not work now on RHEL 7.1 but it did in the past

Comment 13 Roshni 2016-02-09 15:05:32 UTC

Yes, I will be able to verify the bug.

Comment 24 rick.beldin@hpe.com 2016-02-18 13:33:11 UTC

this looks like a duplicate https://bugzilla.redhat.com/show_bug.cgi?id=1202949

Comment 25 Robbie Harwood 2016-02-18 17:05:34 UTC

*** Bug 1202949 has been marked as a duplicate of this bug. ***

Comment 29 Need Real Name 2016-03-02 08:16:41 UTC

I am also seeing this issue when using krb5 authentication and using /etc/passwd for user information. However, as noted in related tickets (#1202949), it works for some users and not other users.
I have traced it back to the following:
if the password entry for the user is within the first 4096 characters of /etc/passwd, sudo succeeds, otherwise it fails.

The workaround is to set either "ignore_k5login = true" in the krb5.conf or add ignore_k5login to the "auth        sufficient    pam_krb5.so use_first_pass" line in /etc/pam.d/system-auth

Comment 34 Roshni 2016-08-19 19:05:37 UTC

[root@dhcp129-54 ~]# rpm -qi pam_krb5
Name        : pam_krb5
Version     : 2.4.8
Release     : 6.el7
Architecture: x86_64
Install Date: Mon 01 Aug 2016 01:00:43 PM EDT
Group       : System Environment/Base
Size        : 409674
License     : BSD or LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:33:50 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pam_krb5-2.4.8-6.el7.src.rpm
Build Date  : Fri 19 Feb 2016 01:50:12 PM EST
Build Host  : x86-024.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://fedorahosted.org/pam_krb5/
Summary     : A Pluggable Authentication Module for Kerberos 5

Verification steps:

Logged in using smartcard with kerberos user

sh-4.2$ sudo yum install thunderbird

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for kdcuser6: 
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package thunderbird.x86_64 0:45.2-1.el7_2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch           Version                Repository      Size
================================================================================
Installing:
 thunderbird         x86_64         45.2-1.el7_2           RHEL73          64 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 64 M
Installed size: 129 M
Is this ok [y/d/N]: y
Downloading packages:
thunderbird-45.2-1.el7_2.x86_64.rpm                        |  64 MB   00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : thunderbird-45.2-1.el7_2.x86_64                              1/1 
  Verifying  : thunderbird-45.2-1.el7_2.x86_64                    1/1 

Installed:
  thunderbird.x86_64 0:45.2-1.el7_2                                   

Complete!

Comment 41 Robbie Harwood 2016-10-06 14:08:23 UTC

*** Bug 1374041 has been marked as a duplicate of this bug. ***

Comment 43 errata-xmlrpc 2016-11-04 03:04:29 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2305.html

Note You need to log in before you can comment on or make changes to this bug.