Bugzilla will be upgraded to version 5.0 on December 2, 2018. The outage period for the upgrade will start at 0:00 UTC and have a duration of 12 hours
Bug 161010 - Bad: Doesn't work
Bad: Doesn't work
Product: Fedora
Classification: Fedora
Component: pam_krb5 (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
: Security
Depends On:
  Show dependency treegraph
Reported: 2005-06-19 14:50 EDT by Travis Groth
Modified: 2007-11-30 17:11 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-10-02 23:53:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Travis Groth 2005-06-19 14:50:20 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
Doesn't appear to do *anything*.  I've manually dropped /etc/pam.d/gdm in from my FC3 install, and I get an authentication failure before I even enter my password.  It fails on the username.  Ditto if i use authconfig to add the kerberos line.  I've played with pam_krb5.so in system config and several other places.  If it is before pam_unix.so (not the default), it fails despite kinit having no issues and this same pam file working in FC3.  If I put it after the pam_unix.so entry, it auths via pam_unix and goes on it's merry way, never obtaining a kerberos ticket like it's supposed to.  

My best technical guess is a bug in the version of pam_krb5.so where it throws auth failures early or every time.  This needs to be fixed ASAP.  

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Try to use pam_krb5.so for authentication and aquisition of initial kerberos ticket 

Actual Results:  Throws an auth failure to pam before prompting for a password.

Expected Results:  Wait for password before throwing either success or failure to pam, then obtain a kerberos ticket if there is success.

Additional info:

I'm classifying this as "Security" to get additional attention.  On any centralized network this bug totally renders kerberos authentication useless.  With this bug, FC4 is completely unusable on many corporate and acedemic networks which depend on kerberos.  It must be fixed immediately.
Comment 1 Travis Groth 2005-06-27 03:02:59 EDT
Without additional tweaking from myself pam_krb5 suddenly auths properly and
grants me a kerberos ticket.  I don't know what voodoo charm did it, but this
seems to be solved now.  
Comment 2 John Mahowald 2005-10-02 23:53:02 EDT

Note You need to log in before you can comment on or make changes to this bug.