Bug 164794 - su does not work as expected when kerberos authentication is enabled
su does not work as expected when kerberos authentication is enabled
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
: FutureFeature
: 230464 (view as bug list)
Depends On:
Blocks: 179133
  Show dependency treegraph
Reported: 2005-08-01 10:55 EDT by Andre ten Bohmer
Modified: 2007-11-30 17:07 EST (History)
6 users (show)

See Also:
Fixed In Version: 2.1.8
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2007-08-14 12:07:51 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andre ten Bohmer 2005-08-01 10:55:45 EDT
Description of problem:
Running Red Hat Enterprise Linux AS release 4 (Nahant Update 1) using kerberos
authentication against Microsoft Active directory, seems to been broken compared
to previous Red Hat releases (like AS3 U5) regarding the use of su as root. If I
logon with root (console or via ssh), I'm not able to su to a "normal" local
user account :
]# su - guest1
su: incorrect password

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux AS release 4 (Nahant Update 1)

How reproducible:
Logon as root via SSH or console, perform su for a local account like guest1

Actual results:
Su does not ask for a password and despite "minimum_uid = 500" in the krb5.conf
file (user guest1 has uid 504), "it" contacts the MS-AD servers trying to
authenticate the user without asking for a password.
I've disabled SE-Linux to rule out problems from that side, but to no avail.
Comparing the /etc/pam.d/su file with the one on a AS3-U5 server reveals leads,
except for the extra pam_selinux.so lines.

When disabling kerberos authentication, via authconfig, su works like a charm,
no password needed like expected.

Expected results:
A local user shell for guest1 or otherwise a apropriate error message

Additional info:
Enabling "Local authorization is sufficient" via authconfig, enables su for root
on local accounts while kerberos authentication is enabled
Comment 2 Tim Waugh 2005-08-02 08:32:34 EDT
Changing component and reassigning.
Comment 4 Mark Bober 2005-10-19 13:26:43 EDT
This also affects cronjobs, as I reported in Bug #144064. That was reported on
FC3, which is more-or-less RHEL 4.
Comment 5 Tomas Mraz 2006-01-27 12:06:28 EST
Simplest workaround for this problem and potentially other account modules'
problems is to put 'account sufficient pam_succeed_if.so use_uid uid eq 0' into
the /etc/pam.d/su and /etc/pam.d/crond.
Comment 6 Nalin Dahyabhai 2007-05-03 13:37:05 EDT
This should be fixed in 2.1.8 and later.
Comment 7 Nalin Dahyabhai 2007-05-03 13:37:51 EDT
*** Bug 230464 has been marked as a duplicate of this bug. ***
Comment 14 Nalin Dahyabhai 2007-08-14 12:07:51 EDT
Just verified that we did include this in update 2.  Marking as closed, current

Note You need to log in before you can comment on or make changes to this bug.