Created attachment 1198823
strace fail output

Description of problem:

We received an email from a customer with the following:

Host is configured to authenticate using AD via pam_krb5. Some users were able to authenticate to sudo, others were not. If a user's entry in /etc/passwd is beyond the 4K byte point, attempts to authenticate into sudo fail after 3 prompts for password. The following entry is generated in /etc/var/log/secure:

sudo: pam_krb5[61945]: account checks fail for 'uname.EDU<uname.edu>': user disallowed by .k5login file for 'username'

Note: there is no .k5login file in the user account

strace'ing the command determined that when the authentication failed, initially 2 reads were made to the passwd file. The first was 4096 bytes, the second was the remainder of the file. On subsequent reads of passwd, did not read beyond the 4k byte mark. Every user that failed was beyond the 4k byte point. Moving the user's passwd entry above the 4k point in the passwd file allows the user to authenticate normally.

Version-Release number of selected component (if applicable):
pam_krb5-2.4.8-4.el7

How reproducible:
Every time

Steps to Reproduce:
1. Create passwd file with enough users to make the file larger than 4K bytes.
2. Give a user at the bottom of the file permissions in /etc/sudoers
3. Execute `sudo -l`
4. After 3 attempts, the command will fail with "bad password" and log message above.

Actual results:
users can't authenticate as sudo

Expected results:
user will authenticate successfully.

Additional info:
Adding "debug" flag to directives in /etc/pam.d/sudo results in a hang of the command. See attached strace output for successful and unsuccessful execution.
Created attachment 1198824
strace success output
*** This bug has been marked as a duplicate of bug 1263745 ***
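A triage helper for the condition described in this report, added here as an example and not taken from the bug, its attachments, or pam_krb5: it lists the accounts whose passwd entry is not fully contained in the first 4096 bytes of the file. The function names are hypothetical, the sample passwd data is constructed, and treating an entry that straddles the 4096-byte mark as affected is an assumption.

```python
import sys

READ_SIZE = 4096  # size of the first read() on passwd, as given in the report


def entries_past_first_read(passwd_bytes, read_size=READ_SIZE):
    """Return (username, start, end) byte offsets for every passwd entry that
    does not fit entirely inside the first read_size bytes of the file."""
    affected = []
    offset = 0
    for line in passwd_bytes.splitlines(keepends=True):
        start, end = offset, offset + len(line)
        offset = end
        stripped = line.strip()
        if not stripped or stripped.startswith(b"#"):
            continue  # blank lines and comments still consume bytes
        name = stripped.split(b":", 1)[0].decode("utf-8", "replace")
        # Assumption: an entry crossing the boundary counts as affected too.
        if end > read_size:
            affected.append((name, start, end))
    return affected


def build_sample(n_users):
    """Constructed passwd data: fixed-width 45-byte entries user000, user001, ..."""
    return "".join(
        f"user{i:03d}:x:{1000 + i}:{1000 + i}::/home/user{i:03d}:/bin/bash\n"
        for i in range(n_users)
    ).encode()


def main(argv):
    # Pass a path (for example /etc/passwd) or run with no argument for the sample.
    if len(argv) > 1:
        with open(argv[1], "rb") as fh:
            data = fh.read()
    else:
        data = build_sample(100)
    hits = entries_past_first_read(data)
    for name, start, end in hits:
        where = "straddles" if start < READ_SIZE else "beyond"
        print(f"{name}: bytes {start}-{end} ({where} the {READ_SIZE}-byte mark)")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A non-zero exit status means at least one account matches the placement the reporter associated with the sudo failures, which makes the script usable as a fleet check on hosts running the affected pam_krb5 build.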