Bug 157113 - [PATCH] pam_krb5 does not work properly when your AFS cell has more than 1 file server
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5
Version: 4.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
URL: http://www-personal.engin.umich.edu/~...
Keywords: Patch
Reported: 2005-05-06 17:57 EDT by wingc
Modified: 2010-02-12 13:42 EST (History)
Doc Type: Bug Fix
Last Closed: 2010-02-12 13:42:46 EST

Attachments
pam_krb5: try the entire list of file server IP addresses when looking up the realm name (3.18 KB, patch)
2005-05-06 17:57 EDT, wingc
Description wingc 2005-05-06 17:57:35 EDT
Description of problem:

pam_krb5 determines the name of the Kerberos realm to use when getting AFS
tokens by looking up the IP addresses of the file servers for '/afs/cell.name'.
However, it only passes a buffer large enough to hold a single IP address.

If the AFS cell's root.cell volume is replicated (stored on more than 1 server), 
minikafs_realm_of_cell() will fail.

Version-Release number of selected component (if applicable):

Tested on RHEL4, pam_krb5-2.1.2-1

How reproducible:

Always

Steps to Reproduce:
1. Use an AFS cell that has more than 1 fileserver for /afs/cell.name
2. Try to log in using pam_krb5
Actual results:

Errors are returned when trying to get AFS tokens for the default cell. pam_krb5
falls back to using the default Kerberos realm, instead of the actual Kerberos
realm for the particular cell. (It also refuses to use the instance-less
principal afs@REALM.NAME, so if you don't have a principal named
afs/cell.name@REALM.NAME, then it will fail to get any tokens at all)

Expected results:

pam_krb5 should properly determine the name of the Kerberos realm containing the
file servers for '/afs/cell.name', even if you have more than 1 file server.

Additional info:

A patch to fix this problem, by passing a buffer large enough to contain the
maximum number of file server IP addresses supported by OpenAFS (13), and trying
to use krb5_get_host_realm() on each of them, is available here:

http://www-personal.engin.umich.edu/~wingc/patches/pam_krb5/pam_krb5-2.1.2-servers.patch
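An added example in C (not pam_krb5's code and not the attached patch) contrasting the single-address lookup the report describes with the try-every-server approach the patch takes. The cell name, server addresses, realm table, and the `where_is_cell` and `lookup_host_realm` stand-ins for the AFS volume-location query and krb5_get_host_realm() are constructed for illustration only.

```c
#include <string.h>
/* OpenAFS reports at most this many servers per volume location. */
#define MAXHOSTS 13

/* Constructed stand-in for krb5_get_host_realm(): a fixed table mapping
 * server addresses to realms; NULL means no mapping is known. */
struct host_realm { const char *addr; const char *realm; };
static const struct host_realm realm_table[] = {
    { "10.0.0.2", "EXAMPLE.ORG" }, { "10.0.0.3", "EXAMPLE.ORG" },
};

static const char *lookup_host_realm(const char *addr)
{
    size_t i;
    for (i = 0; i < sizeof(realm_table) / sizeof(realm_table[0]); i++)
        if (strcmp(realm_table[i].addr, addr) == 0)
            return realm_table[i].realm;
    return NULL;
}

/* Constructed stand-in for the "where is /afs/cell.name" query: the
 * replicated root.cell volume lives on three servers, and the query
 * fails (-1) when the caller's buffer cannot hold every address. */
static int where_is_cell(const char *cell, const char **addrs, int max)
{
    static const char *servers[] = { "10.0.0.1", "10.0.0.2", "10.0.0.3" };
    int i, n = (int)(sizeof(servers) / sizeof(servers[0]));
    if (strcmp(cell, "example.org") != 0 || n > max) return -1;
    for (i = 0; i < n; i++) addrs[i] = servers[i];
    return n;
}

/* Pre-fix shape: room for a single address, so a replicated cell fails. */
const char *realm_of_cell_first_only(const char *cell)
{
    const char *addrs[1];
    if (where_is_cell(cell, addrs, 1) < 1) return NULL;
    return lookup_host_realm(addrs[0]);
}

/* Post-fix shape from the report: fetch the whole list and try each
 * address in turn until one yields a realm. */
const char *realm_of_cell(const char *cell)
{
    const char *addrs[MAXHOSTS], *realm;
    int i, n = where_is_cell(cell, addrs, MAXHOSTS);
    for (i = 0; i < n; i++)
        if ((realm = lookup_host_realm(addrs[i])) != NULL) return realm;
    return NULL;
}
```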
Comment 1 wingc 2005-05-06 17:57:35 EDT
Created attachment 114105 [details]
pam_krb5: try the entire list of file server IP addresses when looking up the realm name
Comment 2 Nalin Dahyabhai 2010-02-12 13:42:46 EST
This should be fixed in 2.1.6, though the patch was different.