Bug 136760 - latest rawhide pam kills krb+ldap logins
Summary: latest rawhide pam kills krb+ldap logins
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
(Show other bugs)
Version: rawhide
Hardware: All Linux
high
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Keywords:
: 142820 (view as bug list)
Depends On:
Blocks: FC3Blocker
TreeView+ depends on / blocked
 
Reported: 2004-10-22 08:10 UTC by Nicolas Mailhot
Modified: 2007-11-30 22:10 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-08 08:44:29 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
login (529 bytes, text/plain)
2004-10-25 12:43 UTC, Nicolas Mailhot
no flags Details
system-auth (1.09 KB, text/plain)
2004-10-25 12:43 UTC, Nicolas Mailhot
no flags Details
debug traces (4.55 KB, text/plain)
2004-10-25 12:48 UTC, Nicolas Mailhot
no flags Details

Description Nicolas Mailhot 2004-10-22 08:10:03 UTC
On a rawhide system that uses krb for passwords and ldap for group
info  login does not work wirh pam 0.77-65

(logs show krb5 passwd works, id on the user works for root, but login
fails with "can not retrieve auth info")

Reverting to FC2 pam+authconfig fixes the problem

Comment 1 Tomas Mraz 2004-10-22 08:28:32 UTC
Could you please try pam+authconfig from FC3test1 and FC3test2?


Comment 2 Nicolas Mailhot 2004-10-22 08:43:15 UTC
Won't have the time to do it before monday;(

Though the rawhide box is regularly synched, and worked two days ago,
to I suppose the breakage is fairly recent and the FC3Tests should all
work

Comment 3 Tomas Mraz 2004-10-22 09:48:31 UTC
Now I know the cause - it happened in pam-0.77-58


Comment 7 Nicolas Mailhot 2004-10-25 10:23:58 UTC
As I suspected the FC3T3 login stack works. So pam-0.77-58 is not the
culprit

-rw-r--r--  1 root root  259456 oct  4 19:17 authconfig-4.6.5-1.i386.rpm
-rw-r--r--  1 root root   35644 oct  4 19:17
authconfig-gtk-4.6.5-1.i386.rpm
-rw-r--r--  1 root root 1904160 sep 29 20:24 pam-0.77-60.i386.rpm
-rw-r--r--  1 root root   80804 sep 29 20:24 pam-devel-0.77-60.i386.rpm


Comment 8 Tomas Mraz 2004-10-25 10:53:04 UTC
I'm sorry but I cannot reproduce it here. (I've setup krb5
authentication with ldap account info and I can successfully log in
using that configuration with users which aren't or are in /etc/passwd).

And if I look at the changes between pam-0.77-60 and pam-0.77-65 there
were virtually no changes which could affect this.


Comment 9 Nicolas Mailhot 2004-10-25 11:36:02 UTC
Well there is an authconfig version change too since FC3T3 so the bug
might be there not in pam.

Anyway the problem is 100% reproductible. Just tell me what tests you
want me to run and I'll do them (when I have access to the system ie
during french business hours)

Comment 10 Nicolas Mailhot 2004-10-25 11:45:22 UTC
Login failure messages with rawhide pam :

Oct 25 13:43:03 ulysse login(pam_unix)[25677]: authentication failure;
logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost=
Oct 25 13:43:03 ulysse login[25677]: pam_krb5[25677]: authentication
succeeds for 'nim' (nim@OLYMPE.O2T)
Oct 25 13:43:03 ulysse login[25677]: Authentication service cannot
retrieve authentication info.

[nim@ulysse ~]$ id nim
uid=500(nim) gid=500(nim) groupes=500(nim),400(one2team),401(cvs),407(sys)


Comment 11 Tomas Mraz 2004-10-25 12:29:03 UTC
Please attach your /etc/pam.d/system-auth and login files.

Also can you add debug option to the pam_stack module calls in the
/etc/pam.d/login and add line:
*.=debug               /var/log/debug
to the /etc/syslog.conf and rerun the test with the failing packages
and attach the debug log file?

Thank you.


Comment 12 Nicolas Mailhot 2004-10-25 12:43:06 UTC
Created attachment 105718 [details]
login

Comment 13 Nicolas Mailhot 2004-10-25 12:43:46 UTC
Created attachment 105719 [details]
system-auth

Comment 14 Nicolas Mailhot 2004-10-25 12:48:33 UTC
Created attachment 105720 [details]
debug traces

Comment 15 Nicolas Mailhot 2004-10-27 08:48:01 UTC
After testing your rpms pam-0.77-62 works, pam-0.77-63 and later - not

Comment 16 Tomas Mraz 2004-10-27 09:17:32 UTC
Bingo!
So I fixed a bug and it revealed another bug (this time in the pam
configuration) - could you reupgrade to pam-0.77-65 and add
broken_shadow option to the account line of pam_unix module?
If it helps I'll change authconfig to add this option when using
configuration like yours.
Thank you for the testing.


Comment 17 Tomas Mraz 2004-10-27 11:03:59 UTC
 Additional Comment #7 From Nicolas Mailhot
(Nicolas.Mailhot@laPoste.net)  on 2004-10-27 06:26 -------

With
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
in
/etc/pam.d/system-auth
the rawhide login stack works. Thanks !

(not closing since the packages are not fixed yet)


Comment 20 Tomas Mraz 2004-12-08 08:44:29 UTC
This is fixed in FC3 and RHEL4 packages.


Comment 21 Tomas Mraz 2004-12-14 15:17:08 UTC
*** Bug 142820 has been marked as a duplicate of this bug. ***


Note You need to log in before you can comment on or make changes to this bug.