Bug 1469509 - "authconfig --enablekrb5 --updateall" does nothing [NEEDINFO]
Status: CLOSED INSUFFICIENT_DATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: authconfig
7.3
Unspecified Unspecified
unspecified Severity high
: rc
: ---
Assigned To: Pavel Březina
BaseOS QE Security Team
Reported: 2017-07-11 08:11 EDT by Thomas Schweikle
Modified: 2018-02-21 06:32 EST

Last Closed: 2018-02-21 06:32:26 EST
Type: Bug
pbrezina: needinfo? (tschweikle)


Description Thomas Schweikle 2017-07-11 08:11:07 EDT
Description of problem:
After installing "krb5-workstation", then configuring "/etc/krb5.conf", next executing "authconfig --enablekrb5 --updateall" does not configure kerberos pam modules.

Version-Release number of selected component (if applicable):
krb5-libs-1.14.1-27.el7_3.x86_64
krb5-workstation-1.14.1-27.el7_3.x86_64
pam_krb5-2.4.8-6.el7.x86_64
sssd-krb5-1.14.0-43.el7_3.18.x86_64
sssd-krb5-common-1.14.0-43.el7_3.18.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL 7.3
2. Configure sssd, kerberos, ldap
3. kerberos/pam fails, because kerberos is not configured

Actual results:
"authconfig --enablekrb5 --updateall" does not configure pam_krb5.so modules

Expected results:
"authconfig --enablekrb5 --updateall" configures pam_krb5.so modules.

Additional info:
Authentication using kerberos fails to create krb_tgt for login -> login fails if user is only remote. LDAP fails to get users and groups from AD-Server. getent passwd only lists local users.

kinit <user> -> works.
ldapsearch -> works, if krb_tgt available.

login does not create a krb-ticket-cache.

sssd does not acquire a krb_tgt for the machine -> query ldap fails on AD: "Dissallowed".
Comment 2 Pavel Březina 2017-07-12 04:58:22 EDT
Hi, can you please attach /etc/krb5.conf, /etc/sssd/sssd.conf and /etc/pam.d/system-auth?
Comment 4 Pavel Březina 2017-09-27 09:42:01 EDT
We do not plan to release 7.5 errata for capacity reasons. Proposing to 7.6.
Comment 5 Pavel Březina 2017-09-27 09:42:52 EDT
Thomas, can you provide the required information please?
Comment 6 Pavel Březina 2018-02-21 06:32:26 EST
I'm closing this bug due to lack of data. Feel free to reopen it.
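
A check for the expected result in the description and for the /etc/pam.d/system-auth file requested in comment 2, as an added example that is not part of this bug or of authconfig: it lists which PAM management groups in a file load a given module. The function names and the sample file content are constructed for illustration; include and substack lines are not followed.

```shell
#!/bin/sh
# pam_stacks_with FILE MODULE
# Prints the management groups (auth account password session) whose stack
# loads MODULE, in that fixed order. FILE may be "-" to read standard input.
pam_stacks_with() {
    awk -v mod="$2" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            type = $1
            sub(/^-/, "", type)              # "-session" form: same group
            i = 2
            if ($i ~ /^\[/)                  # [a=b c=d] control spans fields
                while (i <= NF && $i !~ /\]$/) i++
            n = split($(i + 1), parts, "/")  # module may be an absolute path
            if (n > 0 && parts[n] == mod) seen[type] = 1
        }
        END {
            out = ""
            split("auth account password session", order, " ")
            for (k = 1; k <= 4; k++)
                if (seen[order[k]]) out = out (out == "" ? "" : " ") order[k]
            print out
        }
    ' "$1"
}

# Constructed sample, not taken from the reporter's system.
sample_system_auth() {
    cat <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=1 default=ignore] pam_krb5.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
password    sufficient    pam_unix.so sha512 shadow
# password  sufficient    pam_krb5.so use_authtok
-session    optional      /lib64/security/pam_krb5.so
session     include       postlogin
EOF
}

# Demo on the sample; on a real host run: pam_stacks_with /etc/pam.d/system-auth pam_krb5.so
for m in pam_krb5.so pam_sss.so; do
    printf '%s: %s\n' "$m" "$(sample_system_auth | pam_stacks_with - "$m")"
done
```

An empty result for pam_krb5.so means no uncommented line in that file loads the module directly.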
