Description of problem:
Kerberos user access to sudo is failing

Version-Release number of selected component (if applicable):
pam_krb5-2.4.8-4.el7

How reproducible:
always

Steps to Reproduce:
1. Login using smartcard that has a kerberos user
2. add the kerberos user to /etc/sudoers
3. sudo yum install thunderbird

Actual results:
sudo operation prompts for the password but then hangs

Expected results:
kerberos user password should be accepted and the installation should go through

Additional info:
/var/log/secure messages:

Sep 15 11:15:40 dhcp129-45 sudo: pam_unix(sudo:auth): authentication failure; logname=kdcuser3 uid=1002 euid=0 tty=/dev/pts/0 ruser=kdcuser3 rhost=  user=kdcuser3
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: debug
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: don't always_allow_localname
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no ignore_afs
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no null_afs
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: cred_session
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no ignore_k5login
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: user_check
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: will try previously set password first
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: will let libkrb5 ask questions
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no use_shmem
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no external
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no multiple_ccaches
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: validate
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: warn
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: banner: Kerberos 5
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: ccache dir: /tmp
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: ccname template: KEYRING:persistent:%{uid}
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: keytab: FILE:/etc/krb5.keytab
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: token strategy: 2b
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: called to authenticate 'kdcuser3', configured realm 'EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: authenticating 'kdcuser3@EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: trying previously-entered password for 'kdcuser3', allowing libkrb5 to prompt for more
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: authenticating 'kdcuser3@EXAMPLE.COM' to 'krbtgt/EXAMPLE.COM@EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM@EXAMPLE.COM) returned 0 (Success)
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: validating credentials
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: error reading keytab 'FILE:/etc/krb5.keytab'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: TGT verified
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: got result 0 (Success)
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: no need to create "/tmp"
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: created ccache "FILE:/tmp/krb5cc_1002_j58hKf"
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: created ccache 'FILE:/tmp/krb5cc_1002_j58hKf' for 'kdcuser3'

[root@dhcp129-45 ~]# pstack 11769
#0  0x00007ff8c01bd980 in __read_nocancel () from /lib64/libc.so.6
#1  0x00007ff8c014c967 in __GI__IO_file_read () from /lib64/libc.so.6
#2  0x00007ff8c014d9b0 in __GI__IO_file_underflow () from /lib64/libc.so.6
#3  0x00007ff8c014e93e in __GI__IO_default_uflow () from /lib64/libc.so.6
#4  0x00007ff8c01428f4 in __GI__IO_getline_info () from /lib64/libc.so.6
#5  0x00007ff8c014ba6d in fgets_unlocked () from /lib64/libc.so.6
#6  0x00007ff8b9300912 in internal_getent () from /lib64/libnss_files.so.2
#7  0x00007ff8b9300cb1 in _nss_files_getpwnam_r () from /lib64/libnss_files.so.2
#8  0x00007ff8c019259d in getpwnam_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#9  0x00007ff8b5368e0f in userok_k5login () from /lib64/libkrb5.so.3
#10 0x00007ff8b5368aaa in krb5_kuserok () from /lib64/libkrb5.so.3
#11 0x00007ff8b4239ea5 in _pam_krb5_kuserok () from /usr/lib64/security/pam_krb5.so
#12 0x00007ff8b4236098 in pam_sm_authenticate () from /usr/lib64/security/pam_krb5.so
#13 0x00007ff8b8804f6a in _pam_dispatch () from /lib64/libpam.so.0
#14 0x00007ff8b8804830 in pam_authenticate () from /lib64/libpam.so.0
#15 0x00007ff8b8c9a622 in sudo_pam_verify () from /usr/libexec/sudoers.so
#16 0x00007ff8b8c99d1d in verify_user () from /usr/libexec/sudoers.so
#17 0x00007ff8b8c9bec6 in check_user () from /usr/libexec/sudoers.so
#18 0x00007ff8b8ca59a5 in sudoers_policy_main () from /usr/libexec/sudoers.so
#19 0x00007ff8b8ca6f38 in sudoers_policy_check () from /usr/libexec/sudoers.so
#20 0x00007ff8c0f12572 in main ()

[root@dhcp129-45 ~]# strace -p 11769
Process 11769 attached
read(3,

pstack after installing debuginfo of glibc, pam_krb5, pam and sudo:

[root@dhcp129-45 ~]# pstack 11769
#0  0x00007ff8c01bd980 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ff8c014c967 in __GI__IO_file_read (fp=0x3, buf=0x7ff8c0f09000, size=4096) at fileops.c:1243
#2  0x00007ff8c014d9b0 in _IO_new_file_underflow (fp=0x7ff8c15ee090) at fileops.c:612
#3  0x00007ff8c014e93e in __GI__IO_default_uflow (fp=0x7ff8c15ee090) at genops.c:436
#4  0x00007ff8c01428f4 in __GI__IO_getline_info (fp=0x7ff8c15ee090, buf=0x7fffb1078030 "\360\237\a\261\377\177", n=8191, delim=10, extract_delim=1, eof=0x0) at iogetline.c:69
#5  0x00007ff8c014ba6d in __GI_fgets_unlocked (buf=0x7fffb1078030 "\360\237\a\261\377\177", n=-1057976320, n@entry=8192, fp=0x7ff8c15ee090) at iofgets_u.c:55
#6  0x00007ff8b9300912 in get_contents (stream=<optimized out>, len=8192, linebuf=0x7fffb1078030 "\360\237\a\261\377\177") at nss_files/files-XXX.c:202
#7  internal_getent (result=result@entry=0x7fffb1075f70, buffer=buffer@entry=0x7fffb1078030 "\360\237\a\261\377\177", buflen=buflen@entry=8192, errnop=errnop@entry=0x7ff8c0ef26a0) at nss_files/files-XXX.c:247
#8  0x00007ff8b9300cb1 in _nss_files_getpwnam_r (name=0x7ff8c15ee8e0 "kdcuser3", result=0x7fffb1075f70, buffer=0x7fffb1078030 "\360\237\a\261\377\177", buflen=8192, errnop=0x7ff8c0ef26a0) at nss_files/files-pwd.c:32
#9  0x00007ff8c019259d in __getpwnam_r (name=0x7ff8c15ee8e0 "kdcuser3", resbuf=0x7fffb1075f70, buffer=0x7fffb1078030 "\360\237\a\261\377\177", buflen=8192, result=0x7fffb1075f58) at ../nss/getXXbyYY_r.c:266
#10 0x00007ff8b5368e0f in userok_k5login () from /lib64/libkrb5.so.3
#11 0x00007ff8b5368aaa in krb5_kuserok () from /lib64/libkrb5.so.3
#12 0x00007ff8b4239ea5 in _pam_krb5_kuserok (ctx=0x7ff8c161eae0, stash=stash@entry=0x7ff8c161d0c0, options=options@entry=0x7ff8c16210f0, userinfo=userinfo@entry=0x7ff8c161e450, user=0x7ff8c15ee8e0 "kdcuser3", uid=<optimized out>, gid=1000) at kuserok.c:160
#13 0x00007ff8b4236098 in pam_sm_authenticate (pamh=0x7ff8c15ee740, flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at auth.c:383
#14 0x00007ff8b8804f6a in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=<optimized out>, flags=32768, pamh=0x7ff8c15ee740) at pam_dispatch.c:110
#15 _pam_dispatch (pamh=pamh@entry=0x7ff8c15ee740, flags=32768, choice=choice@entry=1) at pam_dispatch.c:426
#16 0x00007ff8b8804830 in pam_authenticate (pamh=0x7ff8c15ee740, flags=flags@entry=32768) at pam_auth.c:34
#17 0x00007ff8b8c9a622 in sudo_pam_verify (pw=<optimized out>, prompt=0x7ff8c15f7af0 "[sudo] password for kdcuser3: ", auth=<optimized out>) at auth/pam.c:136
#18 0x00007ff8b8c99d1d in verify_user (pw=pw@entry=0x7ff8c15f1198, prompt=prompt@entry=0x7ff8c15f7af0 "[sudo] password for kdcuser3: ", validated=validated@entry=96) at auth/sudo_auth.c:249
#19 0x00007ff8b8c9bec6 in check_user (validated=validated@entry=96, mode=<optimized out>) at ./check.c:176
#20 0x00007ff8b8ca59a5 in sudoers_policy_main (argc=argc@entry=3, argv=argv@entry=0x7fffb107cc90, pwflag=pwflag@entry=0, env_add=env_add@entry=0x7ff8c15e5680, command_infop=command_infop@entry=0x7fffb107ca30, argv_out=argv_out@entry=0x7fffb107ca38, user_env_out=user_env_out@entry=0x7fffb107ca40) at ./sudoers.c:466
#21 0x00007ff8b8ca6f38 in sudoers_policy_check (argc=3, argv=0x7fffb107cc90, env_add=0x7ff8c15e5680, command_infop=0x7fffb107ca30, argv_out=0x7fffb107ca38, user_env_out=0x7fffb107ca40) at ./sudoers.c:765
#22 0x00007ff8c0f12572 in policy_check (plugin=0x7ff8c112eac0 <policy_plugin>, user_env_out=0x7fffb107ca40, argv_out=0x7fffb107ca38, command_info=0x7fffb107ca30, env_add=0x7ff8c15e5680, argv=0x7fffb107cc90, argc=3) at ./sudo.c:1203
#23 main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffb107ccb0) at ./sudo.c:258
I tried to reproduce this issue on RHEL 7.1 and see the same issue. I am not sure if any changes to some other packages pam_krb5 is talking to introduced this issue because this test was passing during regression tests on RHEL 7.1 which was in December 2014.
Yes, it does not work now on RHEL 7.1, but it did in the past.
Yes, I will be able to verify the bug.
This looks like a duplicate of https://bugzilla.redhat.com/show_bug.cgi?id=1202949
*** Bug 1202949 has been marked as a duplicate of this bug. ***
I am also seeing this issue when using krb5 authentication and using /etc/passwd for user information. However, as noted in related tickets (#1202949), it works for some users and not other users. I have traced it back to the following: if the password entry for the user is within the first 4096 characters of /etc/passwd, sudo succeeds, otherwise it fails. The workaround is to set either "ignore_k5login = true" in the krb5.conf or add ignore_k5login to the "auth sufficient pam_krb5.so use_first_pass" line in /etc/pam.d/system-auth
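The comment above ties the hang to where a user's line sits in /etc/passwd: entries inside the first 4096 bytes work, later ones do not, and the debuginfo pstack shows glibc's nss_files backend reading the file with `size=4096` in frame #1. The following script is an added diagnostic, not part of the bug report, pam_krb5, or glibc: it computes the byte offset of every passwd(5) entry and lists the accounts whose entry extends past that first read. The function names, the `NSS_READ_SIZE` constant (taken from the trace) and the constructed sample file are this example's own assumptions.

```python
"""Byte offsets of passwd(5) entries, to check the 4096-byte symptom above.

Added diagnostic, not part of the bug report or of pam_krb5/glibc.
The comment above observes that sudo succeeded only for accounts whose
/etc/passwd line lay within the first 4096 bytes of the file, and the
pstack output shows the nss_files backend reading the file in 4096-byte
read() calls. This script reports where each entry sits relative to that
boundary. Names and the sample file below are this example's assumptions.
"""
import sys

NSS_READ_SIZE = 4096  # size of the read() seen in the trace (assumption)


def passwd_entries(data: bytes):
    """Yield (username, start, end) byte offsets for every non-comment line.

    Offsets are computed on the raw bytes so that multibyte GECOS text is
    counted the way read() sees it, not as decoded characters.
    """
    pos = 0
    for raw in data.split(b"\n"):
        end = pos + len(raw)
        if raw and not raw.startswith(b"#"):
            name = raw.split(b":", 1)[0].decode("utf-8", "replace")
            yield name, pos, end
        pos = end + 1  # the newline consumed by split()


def entry_offset(data: bytes, user: str):
    """Return (start, end) of `user`'s line, or None if the user is absent."""
    for name, start, end in passwd_entries(data):
        if name == user:
            return start, end
    return None


def fits_in_first_read(data: bytes, user: str, block: int = NSS_READ_SIZE) -> bool:
    """True when the whole entry lies inside the first `block` bytes, i.e. the
    condition under which the comment above reports sudo working.
    Raises KeyError for an unknown user so a typo is not reported as 'fits'."""
    span = entry_offset(data, user)
    if span is None:
        raise KeyError(user)
    return span[1] <= block


def users_past_first_read(data: bytes, block: int = NSS_READ_SIZE):
    """Names of accounts whose entry is not fully inside the first block."""
    return [name for name, _start, end in passwd_entries(data) if end > block]


def build_sample_passwd(n_filler: int = 50) -> bytes:
    """Constructed sample file (not a real /etc/passwd): a few ordinary
    entries, then filler service accounts with long GECOS fields so that
    the last entry lands well beyond byte 4096."""
    lines = [
        "root:x:0:0:root:/root:/bin/bash",
        "bin:x:1:1:bin:/bin:/sbin/nologin",
        "kdcuser3:x:1002:1000:Kerberos test user 3:/home/kdcuser3:/bin/bash",
    ]
    for i in range(n_filler):
        gecos = "filler service account " * 5 + str(i)
        lines.append(
            f"svc{i:03d}:x:{2000 + i}:{2000 + i}:{gecos}:/var/lib/svc{i:03d}:/sbin/nologin"
        )
    lines.append("kdcuser6:x:1006:1000:Kerberos test user 6:/home/kdcuser6:/bin/bash")
    return ("\n".join(lines) + "\n").encode("utf-8")


def main(argv):
    """Report entries past the first read in the given file (default /etc/passwd)."""
    path = argv[1] if len(argv) > 1 else "/etc/passwd"
    with open(path, "rb") as fh:
        data = fh.read()
    late = users_past_first_read(data)
    print(f"{path}: {len(data)} bytes; {len(late)} entries extend past byte {NSS_READ_SIZE}")
    for user in late:
        start, end = entry_offset(data, user)
        print(f"  {user}: bytes {start}-{end}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 passwd_offsets.py` on an affected host: any account it lists is one the comment above predicts will hang in `sudo` under the unfixed pam_krb5 unless `ignore_k5login` is set. The offsets are taken on raw bytes rather than decoded text because the 4096-byte boundary in the trace is a `read()` size, and a GECOS field with multibyte characters would otherwise be miscounted.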
[root@dhcp129-54 ~]# rpm -qi pam_krb5
Name        : pam_krb5
Version     : 2.4.8
Release     : 6.el7
Architecture: x86_64
Install Date: Mon 01 Aug 2016 01:00:43 PM EDT
Group       : System Environment/Base
Size        : 409674
License     : BSD or LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:33:50 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pam_krb5-2.4.8-6.el7.src.rpm
Build Date  : Fri 19 Feb 2016 01:50:12 PM EST
Build Host  : x86-024.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://fedorahosted.org/pam_krb5/
Summary     : A Pluggable Authentication Module for Kerberos 5

Verification steps:
Logged in using smartcard with kerberos user

sh-4.2$ sudo yum install thunderbird

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for kdcuser6:
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package thunderbird.x86_64 0:45.2-1.el7_2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package            Arch          Version               Repository        Size
================================================================================
Installing:
 thunderbird        x86_64        45.2-1.el7_2          RHEL73            64 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 64 M
Installed size: 129 M
Is this ok [y/d/N]: y
Downloading packages:
thunderbird-45.2-1.el7_2.x86_64.rpm                        |  64 MB  00:01
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : thunderbird-45.2-1.el7_2.x86_64                              1/1
  Verifying  : thunderbird-45.2-1.el7_2.x86_64                              1/1

Installed:
  thunderbird.x86_64 0:45.2-1.el7_2

Complete!
*** Bug 1374041 has been marked as a duplicate of this bug. ***
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://rhn.redhat.com/errata/RHBA-2016-2305.html