From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Description of problem:
When krb5 support is enabled via authconfig, it adds the following line to /etc/pam.d/system-auth:

account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

That line causes multiple problems. Specific examples include the inability of root to log into the console, and the inability to run 'su - user', even as root. 'su - user' produces the following error:

su: incorrect password

When that line is disabled, root console logins and su work as expected.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. Configure your system to support kerberos authentication (authconfig --enablekrb5). Be sure you have a valid /etc/krb5.conf and /etc/krb5.keytab and are talking to a valid KDC.
2. As root, 'su - user' - any user. Additionally, try to log into the system via the console.
3. Edit /etc/pam.d/system-auth and remove the line 'account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so'. Repeat step 2.

Actual Results:
In step 2, I get 'su: incorrect password', even though I am root and should be able to 'su' to any local account. Additionally, I cannot log into the console as root (likely because "root" does not exist in the KDC as an account). In step 3, 'su' works, as does local console login.

Expected Results:
'su' should have worked.

Additional info:
I went back and tried to add a root principal to the KDC, and the above still fails, so I don't believe that is actually the underlying reason.
You actually have 2 different problems:

1. Not able to log in as root on the console - this can be resolved by using authconfig and enabling the option "Local authorization is sufficient".
2. Not able to su from root to an arbitrary user - this can be worked around by adding:

account sufficient pam_succeed_if.so uid=0 use_uid

as the first account line in the /etc/pam.d/su file.

Another possibility to fix these bugs is through changes to the pam_krb5 code - reassigning.
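As an added illustration, not part of the bug report or of pam_krb5 itself, the following Python simulates how Linux-PAM evaluates an account stack, showing why the pam_krb5 line makes root's 'su - user' fail and why the pam_succeed_if line proposed above fixes it. The module return codes, and the assumption that a pam_unix line precedes pam_krb5 in system-auth, are constructed for the example.

```python
# Added example, not from the bug report: a small simulator of how Linux-PAM
# walks an "account" stack. Module return codes (and pam_unix preceding
# pam_krb5 in system-auth) are constructed assumptions, not observed data.

NAMED_CONTROLS = {  # keyword controls as man pam.conf expands them
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[default=bad success=ok ...]' to a retval -> action dict."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return NAMED_CONTROLS[control]

def run_stack(stack, results):
    """Evaluate stack = [(control, module), ...] with results = {module: retval}, as libpam does:
    the first 'bad' fixes the outcome, 'ok' counts only while nothing has failed, 'done'/'die' stop."""
    status, failed = "success", False
    for control, module in stack:
        retval = results[module]
        actions = parse_control(control)
        action = actions.get(retval, actions["default"])
        if action in ("bad", "die"):
            if not failed:
                failed, status = True, retval
            if action == "die":
                break
        elif action in ("ok", "done"):
            if not failed:
                status = retval
                if action == "done":
                    break
        # "ignore": this module's result does not contribute to the outcome
    return status

KRB5_LINE = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"
SYSTEM_AUTH = [("required", "pam_unix.so"), (KRB5_LINE, "pam_krb5.so")]
# the workaround: pam_succeed_if as the first account line of /etc/pam.d/su
SU_FIXED = [("sufficient", "pam_succeed_if.so uid=0 use_uid")] + SYSTEM_AUTH

def su_outcome(stack, caller_is_root, krb5_retval="auth_err"):
    """Constructed scenario: pam_unix passes; pam_succeed_if passes only when the
    calling (real) uid is 0, which is what use_uid checks; pam_krb5 returns krb5_retval."""
    results = {"pam_unix.so": "success",
               "pam_succeed_if.so uid=0 use_uid": "success" if caller_is_root else "auth_err",
               "pam_krb5.so": krb5_retval}
    return run_stack(stack, results)
```

Running su_outcome with krb5_retval="user_unknown" yields success, since that code is explicitly mapped to ignore; the stack only blocks root when pam_krb5 returns a code that falls through to default=bad, which is consistent with the reporter seeing no change after adding a root principal.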
This bug is filed against RHEL 3, which is in maintenance phase. During the maintenance phase, only security errata and select mission critical bug fixes will be released for enterprise products. Since this bug does not meet those criteria, it is now being closed. For more information on the RHEL errata support policy, please visit: http://www.redhat.com/security/updates/errata/ If you feel this bug is indeed mission critical, please contact your support representative. You may be asked to provide detailed information on how this bug is affecting you.