Bug 163886 - Can't log in as root on console when krb5 is enabled
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
3.0
i386 Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On: 140325
Reported: 2005-07-21 15:35 EDT by Geoff Silver
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2007-10-19 14:57:44 EDT
Description Geoff Silver 2005-07-21 15:35:46 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Description of problem:
When krb5 support is enabled via authconfig, it adds the following line to /etc/pam.d/system-auth:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

That line causes multiple problems.  Specific examples include the inability of root to log into the console, and the inability to run 'su - user', even as root. 'su - user' produces the following error:

su: incorrect password

When that line is disabled, root console logins and su work as expected.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure your system to support Kerberos authentication (authconfig --enablekrb5).  Be sure you have a valid /etc/krb5.conf and /etc/krb5.keytab and are talking to a valid KDC.
2. As root, 'su - user' - any user.  Additionally, try to log into the system via the console.
3. Edit /etc/pam.d/system-auth and remove the line 'account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so'.  Repeat step 2.
  

Actual Results:  In step 2, I get 'su: incorrect password', even though I am root and should be able to 'su' to any local account.  Additionally, I cannot log into the console as root (likely because "root@DOMAIN.COM" does not exist in the KDC as an account).  In step 3, 'su' works, as does local console login.

Expected Results:  'su' should have worked.

Additional info:
Comment 1 Geoff Silver 2005-07-21 15:39:07 EDT
I went back and tried to add a root@DOMAIN.COM principal to the KDC, and the
above still fails, so I don't believe that is actually the underlying reason.
Comment 2 Tomas Mraz 2005-07-22 03:03:57 EDT
You actually have 2 different problems:

1. not able to log in as root on console - this can be resolved by using
authconfig and enabling option "Local authorization is sufficient".

2. not able to su from root to arbitrary user - this can be worked around by
adding:
account    sufficient   pam_succeed_if.so uid=0 use_uid
as the first account line in the /etc/pam.d/su file.

Another possibility to fix these bugs is through changes to the pam_krb5 code -
reassigning.
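
Added example, not part of the original bug thread or of Red Hat's code: a simplified Python model of how Linux-PAM resolves the control fields quoted above. It shows why a pam_krb5 return code outside the bracket list denies the account check, and why the `sufficient` line from comment 2 ends the stack before pam_krb5 is consulted. The `pam_unix.so` line, the flattened single stack, and every module return code are assumptions; the report does not say what pam_krb5 actually returned.

```python
import re

# Added example: simplified Linux-PAM control handling (no jumps, no "reset").
SHORTHAND = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

def parse_control(control):
    """Map a control field (keyword or [code=action ...]) to {code: action}."""
    spec = control.strip("[]") if control.startswith("[") else SHORTHAND[control]
    return dict(pair.split("=", 1) for pair in spec.split())

def run_stack(lines, returns):
    """Evaluate PAM lines; `returns` maps module file name -> assumed return code.
    Returns (stack result, list of modules that were consulted)."""
    failed, succeeded, consulted = None, False, []
    for line in lines:
        control, module = re.match(r"\s*\S+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line).groups()
        name = module.rsplit("/", 1)[-1]
        consulted.append(name)
        actions = parse_control(control)
        action = actions.get(returns[name], actions["default"])
        if action in ("bad", "die"):
            failed = failed or returns[name]   # first failure decides the result
            if action == "die":
                break
        elif action in ("ok", "done"):
            succeeded = True
            if action == "done" and failed is None:
                break                          # stop here, later lines never run
    if failed:
        return failed, consulted
    # Linux-PAM denies when no module contributed a verdict.
    return ("success" if succeeded else "perm_denied"), consulted

KRB5 = ("account     [default=bad success=ok user_unknown=ignore service_err=ignore "
        "system_err=ignore] /lib/security/$ISA/pam_krb5.so")       # line from the report
UNIX = "account     required      /lib/security/$ISA/pam_unix.so"  # assumed earlier line
FIX = "account    sufficient   pam_succeed_if.so uid=0 use_uid"    # line from comment 2
# Constructed return codes: the report does not say what pam_krb5 returned.
DENY = {"pam_unix.so": "success", "pam_krb5.so": "perm_denied", "pam_succeed_if.so": "success"}

if __name__ == "__main__":
    print(run_stack([UNIX, KRB5], DENY))       # denied by default=bad
    print(run_stack([FIX, UNIX, KRB5], DENY))  # root short-circuits the stack
```

In this model a `user_unknown` result from pam_krb5 is ignored by the bracket list, while any code the list does not name falls through to `default=bad`.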
Comment 3 RHEL Product and Program Management 2007-10-19 14:57:44 EDT
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
 
For more information on the RHEL errata support policy, please visit:
http://www.redhat.com/security/updates/errata/
 
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.