Bug 145740 - pam_krb5 TGT not consistent with kinit TGT
Summary: pam_krb5 TGT not consistent with kinit TGT
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 3
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On:
Reported: 2005-01-21 00:11 UTC by Dax Kelson
Modified: 2008-02-05 05:51 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-02-05 05:51:15 UTC


Description Dax Kelson 2005-01-21 00:11:05 UTC
Description of problem:

The krb5-libs package owns the file /etc/krb5.conf.

It contains the snippets:

#ticket_lifetime = 24000  <--- authconfig adds this line if run
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false

 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false

These are the default entries (other than the REALM name). It appears
the intent is to obtain forwardable tickets or maybe not.

When obtaining a TGT via pam_krb5, the ticket is forwardable and
renewable. When obtaining a ticket via kinit or the gnome-kerberos
tool it isn't (unless you manually specify cmd line options).

Is this the intended behavior?

To make kinit consistent with pam_krb5, the stock [libdefaults]
section should look like:

 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 renew_lifetime = 36000
 forwardable = true
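
An added example, not part of the original report and not code from pam_krb5 or krb5-libs: a small Python check that parses krb5.conf and lists the ticket options set in the pam block that differ from [libdefaults], the section the report proposes changing for kinit. The sample file is constructed from the report's snippets; the [libdefaults] and [appdefaults] headers, the closing brace and the function names are assumptions, and values are compared as plain text.

```python
import re

# Constructed sample modelled on the snippets in the report; the section
# headers and the closing brace are assumed, the report shows only fragments.
SAMPLE = """\
[libdefaults]
#ticket_lifetime = 24000
 default_realm = EXAMPLE.COM
[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }
"""

TICKET_OPTIONS = ("ticket_lifetime", "renew_lifetime", "forwardable")

def parse_krb5_conf(text):
    """Return {scope: {key: value}}; a 'name = {' block becomes 'section/name'."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment (e.g. the commented ticket_lifetime)
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, block = m.group(1), None
        elif line == "}":
            block = None
        elif section and (m := re.fullmatch(r"([^=\s]+)\s*=\s*(.*)", line)):
            key, value = m.groups()
            if value == "{":
                block = key  # start of a nested application block
            else:
                scope = f"{section}/{block}" if block else section
                conf.setdefault(scope, {})[key] = value
    return conf

def ticket_mismatches(conf, app="pam"):
    """List (option, libdefaults value, appdefaults value) where the two differ."""
    lib = conf.get("libdefaults", {})
    pam = conf.get(f"appdefaults/{app}", {})
    return [(k, lib.get(k), pam[k]) for k in TICKET_OPTIONS if k in pam and lib.get(k) != pam[k]]

if __name__ == "__main__":
    for opt, lib_val, pam_val in ticket_mismatches(parse_krb5_conf(SAMPLE)):
        print(f"{opt}: [libdefaults] has {lib_val or 'no value'}, pam block has {pam_val}")
```

Because the comparison is textual, equivalent values written in different forms (for example a lifetime in seconds versus one with a unit suffix) are reported as differing.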

Comment 1 Dax Kelson 2005-01-21 00:12:52 UTC
Never mind my comment: (other than the REALM name)

Comment 2 Matthew Miller 2006-07-10 22:32:19 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!

Comment 3 petrosyan 2008-02-05 05:51:15 UTC
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug.
