Bug 1263745 - Kerberos user access to sudo is failing
Summary: Kerberos user access to sudo is failing
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pam_krb5
Version: 7.2
Hardware: All
OS: Linux
Priority: urgent
Severity: urgent
Target Milestone: rc
Target Release: ---
Assignee: Robbie Harwood
QA Contact: Stefan Kremen
Docs Contact: Marc Muehlfeld
URL: https://git.fedorahosted.org/cgit/pam...
Whiteboard:
Duplicates: 1202949 1374041
Depends On:
Blocks: 1203710 1292074 1296125 1313485
Reported: 2015-09-16 15:04 UTC by Roshni
Modified: 2019-12-16 04:56 UTC (History)
CC: 18 users

Fixed In Version: pam_krb5-2.4.8-5.el7
Doc Type: Bug Fix
Doc Text:
The "sudo" command now works correctly when using Kerberos with a smart card. Previously, the *pam_krb5* module closed too many file descriptors during fork operations. As a consequence, "sudo" commands for users authenticating using Kerberos and smart cards failed if the password entry was not found within the first 4096 characters of the `/etc/passwd` file. This bug has been fixed; libraries such as nsswitch can now use the file descriptors, and "sudo" works correctly.
Clone Of:
Environment:
Last Closed: 2016-11-04 03:04:29 UTC
Target Upstream Version:
Embargoed:


Links:
- Red Hat Knowledge Base (Solution) 2160141 (last updated 2016-02-18 17:08:25 UTC)
- Red Hat Product Errata RHBA-2016:2305, priority normal, status SHIPPED_LIVE: pam_krb5 bug fix update (last updated 2016-11-03 13:40:06 UTC)

Description Roshni 2015-09-16 15:04:22 UTC
Description of problem:
Kerberos user access to sudo is failing

Version-Release number of selected component (if applicable):
pam_krb5-2.4.8-4.el7

How reproducible:
always

Steps to Reproduce:
1. Log in using a smartcard that has a Kerberos user
2. Add the Kerberos user to /etc/sudoers
3. sudo yum install thunderbird

Actual results:
sudo operation prompts for the password but then hangs

Expected results:
The Kerberos user's password should be accepted and the installation should go through.

Additional info:

/var/log/secure messages:

Sep 15 11:15:40 dhcp129-45 sudo: pam_unix(sudo:auth): authentication failure; logname=kdcuser3 uid=1002 euid=0 tty=/dev/pts/0 ruser=kdcuser3 rhost=  user=kdcuser3
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: debug
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: don't always_allow_localname
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no ignore_afs
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no null_afs
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: cred_session
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no ignore_k5login
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: user_check
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: will try previously set password first
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: will let libkrb5 ask questions
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no use_shmem
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no external
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: no multiple_ccaches
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: validate
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: flag: warn
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: banner: Kerberos 5
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: ccache dir: /tmp
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: ccname template: KEYRING:persistent:%{uid}
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: keytab: FILE:/etc/krb5.keytab
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: token strategy: 2b
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: called to authenticate 'kdcuser3', configured realm 'EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: authenticating 'kdcuser3'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: trying previously-entered password for 'kdcuser3', allowing libkrb5 to prompt for more
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: authenticating 'kdcuser3' to 'krbtgt/EXAMPLE.COM'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM) returned 0 (Success)
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: validating credentials
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: error reading keytab 'FILE:/etc/krb5.keytab'
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: TGT verified
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7859]: got result 0 (Success)
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: no need to create "/tmp"
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: created ccache "FILE:/tmp/krb5cc_1002_j58hKf"
Sep 15 11:15:41 dhcp129-45 sudo: pam_krb5[7863]: created ccache 'FILE:/tmp/krb5cc_1002_j58hKf' for 'kdcuser3'



[root@dhcp129-45 ~]# pstack 11769
#0  0x00007ff8c01bd980 in __read_nocancel () from /lib64/libc.so.6
#1  0x00007ff8c014c967 in __GI__IO_file_read () from /lib64/libc.so.6
#2  0x00007ff8c014d9b0 in __GI__IO_file_underflow () from /lib64/libc.so.6
#3  0x00007ff8c014e93e in __GI__IO_default_uflow () from /lib64/libc.so.6
#4  0x00007ff8c01428f4 in __GI__IO_getline_info () from /lib64/libc.so.6
#5  0x00007ff8c014ba6d in fgets_unlocked () from /lib64/libc.so.6
#6  0x00007ff8b9300912 in internal_getent () from /lib64/libnss_files.so.2
#7  0x00007ff8b9300cb1 in _nss_files_getpwnam_r () from /lib64/libnss_files.so.2
#8  0x00007ff8c019259d in getpwnam_r@@GLIBC_2.2.5 () from /lib64/libc.so.6
#9  0x00007ff8b5368e0f in userok_k5login () from /lib64/libkrb5.so.3
#10 0x00007ff8b5368aaa in krb5_kuserok () from /lib64/libkrb5.so.3
#11 0x00007ff8b4239ea5 in _pam_krb5_kuserok () from /usr/lib64/security/pam_krb5.so
#12 0x00007ff8b4236098 in pam_sm_authenticate () from /usr/lib64/security/pam_krb5.so
#13 0x00007ff8b8804f6a in _pam_dispatch () from /lib64/libpam.so.0
#14 0x00007ff8b8804830 in pam_authenticate () from /lib64/libpam.so.0
#15 0x00007ff8b8c9a622 in sudo_pam_verify () from /usr/libexec/sudoers.so
#16 0x00007ff8b8c99d1d in verify_user () from /usr/libexec/sudoers.so
#17 0x00007ff8b8c9bec6 in check_user () from /usr/libexec/sudoers.so
#18 0x00007ff8b8ca59a5 in sudoers_policy_main () from /usr/libexec/sudoers.so
#19 0x00007ff8b8ca6f38 in sudoers_policy_check () from /usr/libexec/sudoers.so
#20 0x00007ff8c0f12572 in main ()



[root@dhcp129-45 ~]# strace -p 11769
Process 11769 attached
read(3,


pstack after installing debuginfo of glibc, pam_krb5, pam and sudo

[root@dhcp129-45 ~]# pstack 11769
#0  0x00007ff8c01bd980 in __read_nocancel () at ../sysdeps/unix/syscall-template.S:81
#1  0x00007ff8c014c967 in __GI__IO_file_read (fp=0x3, buf=0x7ff8c0f09000, size=4096) at fileops.c:1243
#2  0x00007ff8c014d9b0 in _IO_new_file_underflow (fp=0x7ff8c15ee090) at fileops.c:612
#3  0x00007ff8c014e93e in __GI__IO_default_uflow (fp=0x7ff8c15ee090) at genops.c:436
#4  0x00007ff8c01428f4 in __GI__IO_getline_info (fp=0x7ff8c15ee090, buf=0x7fffb1078030 "\360\237\a\261\377\177", n=8191, delim=10, extract_delim=1, eof=0x0) at iogetline.c:69
#5  0x00007ff8c014ba6d in __GI_fgets_unlocked (buf=0x7fffb1078030 "\360\237\a\261\377\177", n=-1057976320, n@entry=8192, fp=0x7ff8c15ee090) at iofgets_u.c:55
#6  0x00007ff8b9300912 in get_contents (stream=<optimized out>, len=8192, linebuf=0x7fffb1078030 "\360\237\a\261\377\177") at nss_files/files-XXX.c:202
#7  internal_getent (result=result@entry=0x7fffb1075f70, buffer=buffer@entry=0x7fffb1078030 "\360\237\a\261\377\177", buflen=buflen@entry=8192, errnop=errnop@entry=0x7ff8c0ef26a0) at nss_files/files-XXX.c:247
#8  0x00007ff8b9300cb1 in _nss_files_getpwnam_r (name=0x7ff8c15ee8e0 "kdcuser3", result=0x7fffb1075f70, buffer=0x7fffb1078030 "\360\237\a\261\377\177", buflen=8192, errnop=0x7ff8c0ef26a0) at nss_files/files-pwd.c:32
#9  0x00007ff8c019259d in __getpwnam_r (name=0x7ff8c15ee8e0 "kdcuser3", resbuf=0x7fffb1075f70, buffer=0x7fffb1078030 "\360\237\a\261\377\177", buflen=8192, result=0x7fffb1075f58) at ../nss/getXXbyYY_r.c:266
#10 0x00007ff8b5368e0f in userok_k5login () from /lib64/libkrb5.so.3
#11 0x00007ff8b5368aaa in krb5_kuserok () from /lib64/libkrb5.so.3
#12 0x00007ff8b4239ea5 in _pam_krb5_kuserok (ctx=0x7ff8c161eae0, stash=stash@entry=0x7ff8c161d0c0, options=options@entry=0x7ff8c16210f0, userinfo=userinfo@entry=0x7ff8c161e450, user=0x7ff8c15ee8e0 "kdcuser3", uid=<optimized out>, gid=1000) at kuserok.c:160
#13 0x00007ff8b4236098 in pam_sm_authenticate (pamh=0x7ff8c15ee740, flags=<optimized out>, argc=<optimized out>, argv=<optimized out>) at auth.c:383
#14 0x00007ff8b8804f6a in _pam_dispatch_aux (use_cached_chain=<optimized out>, resumed=<optimized out>, h=<optimized out>, flags=32768, pamh=0x7ff8c15ee740) at pam_dispatch.c:110
#15 _pam_dispatch (pamh=pamh@entry=0x7ff8c15ee740, flags=32768, choice=choice@entry=1) at pam_dispatch.c:426
#16 0x00007ff8b8804830 in pam_authenticate (pamh=0x7ff8c15ee740, flags=flags@entry=32768) at pam_auth.c:34
#17 0x00007ff8b8c9a622 in sudo_pam_verify (pw=<optimized out>, prompt=0x7ff8c15f7af0 "[sudo] password for kdcuser3: ", auth=<optimized out>) at auth/pam.c:136
#18 0x00007ff8b8c99d1d in verify_user (pw=pw@entry=0x7ff8c15f1198, prompt=prompt@entry=0x7ff8c15f7af0 "[sudo] password for kdcuser3: ", validated=validated@entry=96) at auth/sudo_auth.c:249
#19 0x00007ff8b8c9bec6 in check_user (validated=validated@entry=96, mode=<optimized out>) at ./check.c:176
#20 0x00007ff8b8ca59a5 in sudoers_policy_main (argc=argc@entry=3, argv=argv@entry=0x7fffb107cc90, pwflag=pwflag@entry=0, env_add=env_add@entry=0x7ff8c15e5680, command_infop=command_infop@entry=0x7fffb107ca30, argv_out=argv_out@entry=0x7fffb107ca38, user_env_out=user_env_out@entry=0x7fffb107ca40) at ./sudoers.c:466
#21 0x00007ff8b8ca6f38 in sudoers_policy_check (argc=3, argv=0x7fffb107cc90, env_add=0x7ff8c15e5680, command_infop=0x7fffb107ca30, argv_out=0x7fffb107ca38, user_env_out=0x7fffb107ca40) at ./sudoers.c:765
#22 0x00007ff8c0f12572 in policy_check (plugin=0x7ff8c112eac0 <policy_plugin>, user_env_out=0x7fffb107ca40, argv_out=0x7fffb107ca38, command_info=0x7fffb107ca30, env_add=0x7ff8c15e5680, argv=0x7fffb107cc90, argc=3) at ./sudo.c:1203
#23 main (argc=<optimized out>, argv=<optimized out>, envp=0x7fffb107ccb0) at ./sudo.c:258

Comment 6 Roshni 2015-09-24 15:57:01 UTC
I tried to reproduce this issue on RHEL 7.1 and see the same issue. I am not sure if any changes to some other packages pam_krb5 is talking to introduced this issue, because this test was passing during regression tests on RHEL 7.1, which were in December 2014.

Comment 8 Roshni 2015-09-24 17:33:31 UTC
Yes, it does not work now on RHEL 7.1, but it did in the past.

Comment 13 Roshni 2016-02-09 15:05:32 UTC
Yes, I will be able to verify the bug.

Comment 24 rick.beldin@hpe.com 2016-02-18 13:33:11 UTC
This looks like a duplicate: https://bugzilla.redhat.com/show_bug.cgi?id=1202949

Comment 25 Robbie Harwood 2016-02-18 17:05:34 UTC
*** Bug 1202949 has been marked as a duplicate of this bug. ***

Comment 29 Need Real Name 2016-03-02 08:16:41 UTC
I am also seeing this issue when using krb5 authentication and using /etc/passwd for user information. However, as noted in related tickets (#1202949), it works for some users and not for other users.
I have traced it back to the following: if the password entry for the user is within the first 4096 characters of /etc/passwd, sudo succeeds; otherwise it fails.

The workaround is to set either "ignore_k5login = true" in the krb5.conf or add ignore_k5login to the "auth        sufficient    pam_krb5.so use_first_pass" line in /etc/pam.d/system-auth

Comment 34 Roshni 2016-08-19 19:05:37 UTC
[root@dhcp129-54 ~]# rpm -qi pam_krb5
Name        : pam_krb5
Version     : 2.4.8
Release     : 6.el7
Architecture: x86_64
Install Date: Mon 01 Aug 2016 01:00:43 PM EDT
Group       : System Environment/Base
Size        : 409674
License     : BSD or LGPLv2+
Signature   : RSA/SHA256, Wed 27 Jul 2016 11:33:50 AM EDT, Key ID 938a80caf21541eb
Source RPM  : pam_krb5-2.4.8-6.el7.src.rpm
Build Date  : Fri 19 Feb 2016 01:50:12 PM EST
Build Host  : x86-024.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://fedorahosted.org/pam_krb5/
Summary     : A Pluggable Authentication Module for Kerberos 5

Verification steps:

Logged in using smartcard with kerberos user

sh-4.2$ sudo yum install thunderbird

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for kdcuser6: 
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-
              : manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package thunderbird.x86_64 0:45.2-1.el7_2 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch           Version                Repository      Size
================================================================================
Installing:
 thunderbird         x86_64         45.2-1.el7_2           RHEL73          64 M

Transaction Summary
================================================================================
Install  1 Package

Total download size: 64 M
Installed size: 129 M
Is this ok [y/d/N]: y
Downloading packages:
thunderbird-45.2-1.el7_2.x86_64.rpm                        |  64 MB   00:01     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : thunderbird-45.2-1.el7_2.x86_64                              1/1 
  Verifying  : thunderbird-45.2-1.el7_2.x86_64                    1/1 

Installed:
  thunderbird.x86_64 0:45.2-1.el7_2                                   

Complete!

Comment 41 Robbie Harwood 2016-10-06 14:08:23 UTC
*** Bug 1374041 has been marked as a duplicate of this bug. ***

Comment 43 errata-xmlrpc 2016-11-04 03:04:29 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2305.html

