Bug 145740 - pam_krb5 TGT not consistent with kinit TGT
pam_krb5 TGT not consistent with kinit TGT
Status: CLOSED INSUFFICIENT_DATA
Product: Fedora
Classification: Fedora
Component: krb5 (Show other bugs)
3
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-01-20 19:11 EST by Dax Kelson
Modified: 2008-02-05 00:51 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2008-02-05 00:51:15 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Dax Kelson 2005-01-20 19:11:05 EST
Description of problem:

The krb5-libs package owns the file /etc/krb5.conf.

It contains the snippets:

[libdefaults]
#ticket_lifetime = 24000  <--- authconfig adds this line if run
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false


[appdefaults]
 pam = {
   debug = false
   ticket_lifetime = 36000
   renew_lifetime = 36000
   forwardable = true
   krb4_convert = false
 }

These are the default entries (other than the REALM name). It appears
the intent is to obtain forwardable tickets or maybe not.

When obtaining a TGT via pam_krb5, the ticket is forwardable and
renewable. When obtaining a ticket via kinit or the gnome-kerberos
tool it isn't (unless you manually specify cmd line options).

Is this the intended behavior?

To make kinit consistent with pam_krb5 then the stock [libdefaults]
section should look like:

[libdefaults]
 default_realm = EXAMPLE.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 renew_lifetime = 36000
 forwardable = true
Comment 1 Dax Kelson 2005-01-20 19:12:52 EST
never mind my comment: (other than the REALM name)
Comment 2 Matthew Miller 2006-07-10 18:32:19 EDT
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!
Comment 3 petrosyan 2008-02-05 00:51:15 EST
Fedora Core 3 is not maintained anymore.

Setting status to "INSUFFICIENT_DATA". If you can reproduce this bug in the
current Fedora release please reopen this bug.

Note You need to log in before you can comment on or make changes to this bug.