Red Hat Bugzilla – Bug 163886
Can't log in as root on console when krb5 is enabled
Last modified: 2007-11-30 17:07:07 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1
Description of problem:
When krb5 support is enabled via authconfig, it adds the following line to /etc/pam.d/system-auth:
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
That line causes multiple problems. Specific examples include the inability of root to log into the console, and the inability to run 'su - user', even as root. 'su - user' produces the following error:
su: incorrect password
When that line is disabled, root console logins and su work as expected.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Configure your system to support kerberos authentication (authconfig --enablekrb5). Be sure you have a valid /etc/krb5.conf and /etc/krb5.keytab and are talking to a valid KDC.
2. As root, 'su - user' - any user. Additionally, try to log into the system via the console.
3. Edit /etc/pam.d/system-auth and remove the line 'account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so'. Repeat step 2.
Actual Results: In step 2, I get 'su: incorrect password', even though I am root and should be able to 'su' to any local account. Additionally, I cannot log into the console as root (likely because "root@DOMAIN.COM" does not exist in the KDC as an account). In step 3, 'su' works, as does local console login.
Expected Results: 'su' should have worked.
I went back and tried to add a root@DOMAIN.COM principal to the KDC, and the
above still fails, so I don't believe that is actually the underlying reason.
You actually have 2 different problems:
1. not able to login as root on console - this can be resolved by using
authconfig and enabling option "Local authorization is sufficient".
2. not able to su from root to arbitrary user - this can be worked around through
account sufficient pam_succeed_if.so uid=0 use_uid
as the first account line in the /etc/pam.d/su file.
Another possibility to fix these bugs is through changes to the pam_krb5 code -
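The reason the bracketed control value in system-auth bites root, and the reason a `sufficient` line placed ahead of it helps, is the way Linux-PAM combines module return codes with the actions in the control field. The following Python model is an added example, not code from the bug report or from Red Hat: it expands the keyword controls exactly as pam.conf(5) documents them, walks an account stack with the ok/done/bad/die/ignore actions, and reports the decision. Module return codes are supplied by a dict because nothing here runs real PAM modules. Assumptions: the `pam_unix.so` line in the system-auth stack is constructed, the return code `authinfo_unavail` for `pam_krb5.so` on root is a constructed placeholder (the report does not say which code pam_krb5 returns), and the su stack is flattened into one list instead of going through pam_stack.so.

```python
"""Simplified model of how Linux-PAM evaluates an 'account' stack.

Keyword controls are expanded as in pam.conf(5); the loop follows the
ok/done/bad/die/ignore actions. Return codes come from a dict, because this
model does not load real modules (added example, not part of the bug report).
"""
import re

# Keyword controls expanded exactly as pam.conf(5) documents them.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

# type, control (keyword or [retval=action ...]), module path, optional args
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_line(line):
    """Parse one pam.d line into (type, control dict, module basename, args)."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("not a pam.d line: %r" % line)
    mtype, control, module, args = m.groups()
    if control.startswith("["):
        ctl = dict(tok.split("=", 1) for tok in control[1:-1].split())
    else:
        ctl = dict(KEYWORD_CONTROLS[control])
    return mtype, ctl, module.rsplit("/", 1)[-1], args.split()


def evaluate(lines, results):
    """Return (decision, trace) for a stack, given each module's return code.

    'impression' mirrors Linux-PAM: None until a module counts, then
    'positive' or 'negative'. A return code not named in the control field
    falls through to 'default', and a missing default is treated as 'bad'.
    """
    impression, status, trace = None, None, []
    for line in lines:
        _, ctl, module, _ = parse_line(line)
        retval = results[module]
        action = ctl.get(retval, ctl.get("default", "bad"))
        trace.append((module, retval, action))
        if action == "ignore":
            continue  # result does not count toward the decision
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break  # sufficient: stop here, no earlier failure recorded
        elif action in ("bad", "die"):
            if impression != "negative" or action == "die":
                impression, status = "negative", retval
            if action == "die":
                break  # requisite: stop immediately with the failure
    decision = "allow" if (impression == "positive" and status == "success") else "deny"
    return decision, trace


# Constructed system-auth account stack: a local check plus the line authconfig adds.
SYSTEM_AUTH = [
    "account required /lib/security/$ISA/pam_unix.so",
    "account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so",
]

# The workaround from the comment above, flattened ahead of the system-auth lines.
SU_WITH_WORKAROUND = [
    "account sufficient /lib/security/$ISA/pam_succeed_if.so uid=0 use_uid",
] + SYSTEM_AUTH

# Constructed return codes: pam_krb5 returning something other than
# user_unknown for root is the assumption under test.
ROOT_RESULTS = {"pam_unix.so": "success", "pam_krb5.so": "authinfo_unavail",
                "pam_succeed_if.so": "success"}
ROOT_UNKNOWN_TO_KDC = {"pam_unix.so": "success", "pam_krb5.so": "user_unknown"}
# Non-root caller: the uid=0 test fails (constructed code), so the stack continues.
USER_RESULTS = {"pam_unix.so": "success", "pam_krb5.so": "success",
                "pam_succeed_if.so": "auth_err"}


if __name__ == "__main__":
    for label, stack, res in [("system-auth, root", SYSTEM_AUTH, ROOT_RESULTS),
                              ("system-auth, root unknown to KDC", SYSTEM_AUTH, ROOT_UNKNOWN_TO_KDC),
                              ("su with workaround, root", SU_WITH_WORKAROUND, ROOT_RESULTS),
                              ("su with workaround, user", SU_WITH_WORKAROUND, USER_RESULTS)]:
        decision, trace = evaluate(stack, res)
        print("%-34s -> %s  %s" % (label, decision, trace))
```

The trace makes the two behaviours visible: only `user_unknown`, `service_err` and `system_err` are ignored by the bracketed control, so any other non-success code from pam_krb5 lands on `default=bad` and fails the stack even though pam_unix already said ok, which is why adding a root principal to the KDC did not change the outcome in the report. A `sufficient` line for uid 0 ahead of it expands to `success=done`, so the stack stops with a positive result before pam_krb5 is consulted, while for other callers its failure is `default=ignore` and evaluation continues as before.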
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.