163886 – Can't log in as root on console when krb5 is enabled

Bug 163886 - Can't log in as root on console when krb5 is enabled

Summary: Can't log in as root on console when krb5 is enabled

Keywords:
Status:	CLOSED WONTFIX
Alias:	None
Product:	Red Hat Enterprise Linux 3
Classification:	Red Hat
Component:	pam_krb5
Sub Component:
Version:	3.0
Hardware:	i386
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nalin Dahyabhai
QA Contact:	Brian Brock
Docs Contact:
URL:	none
Whiteboard:
Depends On:	140325
Blocks:
TreeView+	depends on / blocked

Reported:	2005-07-21 19:35 UTC by Geoff Silver
Modified:	2007-11-30 22:07 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2007-10-19 18:57:44 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Geoff Silver 2005-07-21 19:35:46 UTC

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Description of problem:
When krb5 support is enabled via authconfig, it adds the following line to /etc/pam.d/system-auth:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

That line causes multiple problems.  Specific examples include the inability of root to log into the console, and the inability to run 'su - user', even as root. 'su - user' produces the following error:

su: incorrect password

When that line is disabled, root console logins and su work as expected.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure your system to support kerberos authentication (authconfig --enablekrb5).  Be sure you have a valid /etc/krb5.conf and /etc/krb5.keytab and are talking to a valid KDC.
2. As root, 'su - user' - any user.  Additionally, try to log into the system via the console.
3. Edit /etc/pam.d/system-auth and remove the line 'account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so'.  Repeat step 2.
  

Actual Results:  In step 2, I get 'su: incorrect password', even though I am root and should be able to 'su' to any local account.  Additionally, I cannot log into the console as root (likely because "root" does not exist in the KDC as an account).  In step 3, 'su' works, as does local console login.

Expected Results:  'su' should have worked.

Additional info:

Comment 1 Geoff Silver 2005-07-21 19:39:07 UTC

I went back and tried to add a root principal to the KDC, and the
above still fails, so I don't believe that is actually the underlying reason.

Comment 2 Tomas Mraz 2005-07-22 07:03:57 UTC

You have actually 2 different problems:

1. not able to login as root on console - this can be resolved by using
authconfig and enabling option "Local authorization is sufficient".

2. not able to su from root to arbitrary user - this can be workarounded through
adding:
account    sufficient   pam_succeed_if.so uid=0 use_uid
as the first account line into /etc/pam.d/su file.

Other possibility to fix these bugs are through changes to pam_krb5 code -
reassigning.

Comment 3 RHEL Program Management 2007-10-19 18:57:44 UTC

This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet that criteria, it is now being closed.
 
For more information of the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.

Note You need to log in before you can comment on or make changes to this bug.