Bug 144762 - Pam with Kerberos or LDAP refuses off-net local login
Status: CLOSED DUPLICATE of bug 109359
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam
Platform: All Linux
Severity: medium
Assigned To: Tomas Mraz
Jay Turner
Reported: 2005-01-11 07:37 EST by Thomas Sippel - Dau
Modified: 2015-01-07 19:09 EST (History)
Doc Type: Bug Fix
Last Closed: 2005-01-12 03:24:34 EST
Description Thomas Sippel - Dau 2005-01-11 07:37:25 EST
Description of problem: 
Pam with Kerberos or LDAP refuses off-net local login 
When using kerberos or ldap authenticated logins the pam 
library treats a failure to connect to the kerberos or ldap 
server as a failure to authenticate. 
It appears that the pam library reads the config file 
(/etc/pam.d/system-auth), and attempts to contact all  
the servers that might have useful information. 
If it fails to contact the kerberos or ldap servers, 
it treats this as a failure to authenticate. Thus when  
the system-auth says: 
   auth sufficient pam_unix 
   auth sufficient pam_krb5 
   auth sufficient pam_ldap 
then a user with a local username and password (in  
/etc/passwd and /etc/shadow) can not log in iff the machine 
is off the net. In particular it is impossible to log in  
as root, such as to change the configuration. 
The problem arises particularly with corporate laptops
where all people in the organisation should be able to log in
when it is on site, but only a few users when off the net.
Version-Release number of selected component (if applicable): 
Redhat Enterprise Workstation was tested with several pam 
versions in updates 1-4, also a problem in 4WS (beta,2) 
How reproducible: 
Steps to Reproduce: 
1. Configure machine to use kerberos or ldap login 
2. disconnect network cable 
3. try to log in 
Actual results: 
Login is refused (actually before collecting password
when using XDM login)
Expected results: 
Machine should treat failure to contact kerberos or ldap  
server as a soft error and remove the particular method  
from the authentication stack, but still allow local logins 
if it can verify the password. 
Additional info: 
SuSE Linux uses a different network model; it stacks
pam_unix2 to authenticate, which in turn uses
/etc/nsswitch.con to establish the server sequence. 
Thus they are not bitten by this particular bug.
Comment 1 Rudi Chiarito 2005-01-11 14:29:23 EST
What you really want to use is pam_ccreds, which is already in FC3
and should ship by default with RHEL 4. Unfortunately, it's both
undocumented and not used by authconfig. I already filed two bug
reports for those issues, but I haven't seen any progress or
acknowledgements there.
Comment 2 Tomas Mraz 2005-01-12 03:22:17 EST
The problem doesn't lie in the auth phase, it lies in the account phase.

Either use pam_ccreds or simply add 

account sufficient pam_localuser.so

after the account required pam_unix.so .... line

This way the local users (users in the local passwd file) will be
authorized only by data in the local /etc/shadow and the remote
services won't block their access.

*** This bug has been marked as a duplicate of 109359 ***
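As an added example (not from the bug report and not Red Hat's pam code), a short Python model of how the account stack evaluates the layout described above with and without the pam_localuser line; the two stacks and the modules' return codes are assumptions modelled on a typical authconfig layout.

```python
# Added example (not from the bug report): a small model of Linux-PAM's
# account-stack evaluation. "required" failures are recorded and the stack
# continues; a "sufficient" success returns at once unless a failure was
# already recorded; "ignore" contributes nothing. The two stacks and the
# modules' return codes are ASSUMPTIONS modelled on a typical authconfig layout.

SUCCESS, USER_UNKNOWN, AUTHINFO_UNAVAIL = "success", "user_unknown", "authinfo_unavail"

# Control keywords expanded to the [value=action] form Linux-PAM uses.
CONTROLS = {
    "required":   {"success": "ok", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

def run_stack(stack, modules):
    """Evaluate (control, module) entries in order; return the PAM result."""
    failure = None
    for control, name in stack:
        actions = CONTROLS[control] if isinstance(control, str) else control
        ret = modules[name]()
        action = actions.get(ret, actions["default"])
        if action == "bad" and failure is None:
            failure = ret                  # first failure is the one reported
        elif action == "done" and failure is None:
            return SUCCESS                 # sufficient: stop the stack early
    return failure or SUCCESS

def modules_for(local_user, network_up):
    """Constructed module behaviour: pam_unix resolves the user through NSS
    (local files, or the directory when on-net), pam_localuser consults only
    /etc/passwd, pam_ldap needs the directory server."""
    return {
        "pam_unix.so": lambda: SUCCESS if (local_user or network_up) else USER_UNKNOWN,
        "pam_localuser.so": lambda: SUCCESS if local_user else USER_UNKNOWN,
        "pam_ldap.so": lambda: (AUTHINFO_UNAVAIL if not network_up
                                else USER_UNKNOWN if local_user else SUCCESS),
    }

# Account stack as authconfig might write it (assumed), and the same stack
# with Comment 2's line inserted after "account required pam_unix.so".
LDAP_CONTROL = {"success": "ok", "user_unknown": "ignore", "default": "bad"}
BROKEN = [("required", "pam_unix.so"), (LDAP_CONTROL, "pam_ldap.so")]
FIXED = [("required", "pam_unix.so"), ("sufficient", "pam_localuser.so"),
         (LDAP_CONTROL, "pam_ldap.so")]

def account_result(stack, local_user, network_up):
    return run_stack(stack, modules_for(local_user, network_up))
```

Off-net, a local user fails the BROKEN stack because pam_ldap's connection error is mapped to "bad", while in the FIXED stack pam_localuser returns before pam_ldap is ever called; directory users still need the server either way.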