Description of problem:
Pam with Kerberos or LDAP refuses off-net local login
When using Kerberos- or LDAP-authenticated logins, the PAM
library treats a failure to connect to the Kerberos or LDAP
server as a failure to authenticate.
It appears that the pam library reads the config file
(/etc/pam.d/system-auth), and attempts to contact all
the servers that might have useful information.
If it fails to contact the kerberos or ldap servers,
it treats this as a failure to authenticate. Thus when
the system-auth says:
auth sufficient pam_unix
auth sufficient pam_krb5
auth sufficient pam_ldap
then a user with a local username and password (in
/etc/passwd and /etc/shadow) cannot log in if the machine
is off the net. In particular it is impossible to log in
as root, such as to change the configuration.
The problem arises particularly with corporate laptops
where all people in the organisation should be able to log in
when it is on site, but only a few users when off the net.
Version-Release number of selected component (if applicable):
Red Hat Enterprise Workstation was tested with several pam
versions in updates 1-4; also a problem in 4WS (beta 2)
Steps to Reproduce:
1. Configure machine to use kerberos or ldap login
2. disconnect network cable
3. try to log in
Login is refused (actually before collecting the password
when using XDM login)
Machine should treat failure to contact kerberos or ldap
server as a soft error and remove the particular method
from the authentication stack, but still allow local logins
if it can verify the password.
SuSE Linux uses a different network model; it stacks
pam_unix2 to authenticate, which in turn uses
/etc/nsswitch.conf to establish the server sequence.
Thus they are not bitten by this particular bug.
What you really want to use is pam_ccreds, which is already in FC3
and should ship by default with RHEL 4. Unfortunately, it's both
undocumented and not used by authconfig. I already filed two bug
reports for those issues, but I haven't seen any progress or
The problem doesn't lie in the auth phase, it lies in the account phase.
Either use pam_ccreds or simply add
account sufficient pam_localuser.so
after the account required pam_unix.so .... line
This way the local users (users in the local passwd file) will be
authorized only by data in the local /etc/shadow and the remote
services won't block their access.
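As an added illustration (not code from the bug report or from Linux-PAM), the following Python models how libpam walks an account stack, with the classic keywords expanded to their documented [value=action] form, and shows why the shipped stack fails for root when the LDAP server is unreachable while the stack with `account sufficient pam_localuser.so` after `account required pam_unix.so` lets local users through. The users, the directory contents and the authconfig-style pam_ldap line are assumptions.

```python
# Model of how Linux-PAM walks one stack: the classic keywords expand to the
# [value=action] tables below (as documented in pam.conf(5)).  Illustrative
# code only; the users, directory and module behaviour are constructed.
CONTROLS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def run_stack(stack, modules, user):
    """stack: list of (control, module); control is a keyword or value->action
    dict.  An "ignore" action leaves the outcome untouched.  Returns a code."""
    impression, status = None, None          # None: undecided, True/False: pos/neg
    for control, name in stack:
        table = CONTROLS[control] if isinstance(control, str) else control
        rc = modules[name](user)
        action = table.get(rc, table["default"])
        if action in ("ok", "done"):
            if impression is None or (impression and status == "success"):
                impression, status = True, rc
            if impression and action == "done":  # sufficient: stop here
                break
        elif action in ("bad", "die"):
            if impression is not False:          # first failure wins
                impression, status = False, rc
            if action == "die":
                break
    return status if impression is not None else "perm_denied"

def build_modules(network_up, local_passwd, directory):
    """Account-phase behaviour of the three modules, simplified (constructed)."""
    def pam_unix(user):        # NSS lookup: files, then LDAP when reachable
        known = user in local_passwd or (network_up and user in directory)
        return "success" if known else "user_unknown"
    def pam_localuser(user):   # succeeds only for users in /etc/passwd
        return "success" if user in local_passwd else "user_unknown"
    def pam_ldap(user):        # reports a server error, not "unknown", when offline
        if not network_up:
            return "authinfo_unavail"
        return "success" if user in directory else "user_unknown"
    return {"pam_unix.so": pam_unix, "pam_localuser.so": pam_localuser,
            "pam_ldap.so": pam_ldap}
# Assumed authconfig-style pam_ldap line: only "user unknown" is tolerated.
LDAP_LINE = ({"success": "ok", "user_unknown": "ignore", "default": "bad"}, "pam_ldap.so")
BROKEN = [("required", "pam_unix.so"), LDAP_LINE]
FIXED = [("required", "pam_unix.so"), ("sufficient", "pam_localuser.so"), LDAP_LINE]

def account_check(stack, user, network_up):
    modules = build_modules(network_up, local_passwd={"root"}, directory={"alice"})
    return run_stack(stack, modules, user)
```

Off the net, `account_check(BROKEN, "root", False)` ends in the server error that blocks root, while the FIXED stack returns success for root and still refuses directory-only users.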
*** This bug has been marked as a duplicate of 109359 ***