Bug 168877 - Authconfig creates a broken pam stack if using kerberos and the pam_krb5 package/module is missing.
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: authconfig
i386 Linux
medium Severity medium
Assigned To: Tomas Mraz
Brian Brock
Depends On: 168880
Reported: 2005-09-20 17:03 EDT by Jason Smith
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2005-09-20 17:38:29 EDT

Description Jason Smith 2005-09-20 17:03:43 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050719 Red Hat/1.7.10-1.4.1

Description of problem:
I was updating the authconfig servers we are using on several systems with the same command and didn't notice that one of the systems was missing the pam_krb5 package.  authconfig still went ahead and created the pam system-auth file with the following line in it:

auth        sufficient    /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens

This completely broke the pam stack because this module did not exist and therefore even prevented root login from the console so it could not easily be fixed.  System logs would contain errors like this for console login:

Sep 20 14:29:03 services01 login: PAM unable to dlopen(/lib/security/$ISA/pam_krb5afs.so)
Sep 20 14:29:03 services01 login: PAM [dlerror: /lib/security/../../lib/security/pam_krb5afs.so: cannot open shared object file: No such file or directory]
Sep 20 14:29:03 services01 login: PAM adding faulty module: /lib/security/$ISA/pam_krb5afs.so
Sep 20 14:29:07 services01 login: Module is unknown

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Install a system without the pam_krb5 package.
2. After the install, rerun the authconfig command with options to enable krb5.
3. Try to log into the system.

Actual Results:  Login failed (even root from the console).

Expected Results:  authconfig should probably not be adding modules to the pam config which are not installed on the system because it results in a broken pam stack.

Additional info:
Comment 1 Tomas Mraz 2005-09-20 17:38:29 EDT
This problem will be resolved in a future major release of Red Hat Enterprise
Linux. Red Hat does not currently plan to provide a resolution for this in a Red
Hat Enterprise Linux update for currently deployed systems.

With the goal of minimizing risk of change for deployed systems, and in response
to customer and partner requirements, Red Hat takes a conservative approach when
evaluating changes for inclusion in maintenance updates for currently deployed
products. The primary objectives of update releases are to enable new hardware
platform support and to resolve critical defects. 
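
The failure described in this report can be caught before a generated system-auth file is put in place. The following is an added example, not part of the bug report and not authconfig's own code: a POSIX shell check that lists every module named in a PAM config file that does not exist on disk. The names `missing_pam_modules` and `demo`, the scratch root, and the default module directory are assumptions; the `$ISA` replacement is the one visible in the dlerror line above.

```shell
# Added example: report PAM modules named in a config file that are not on disk.
# usage: missing_pam_modules CONFIG [ROOT] [ISA]
#   ROOT = alternate root prefix (empty = live system)
#   ISA  = replacement for $ISA; default is the value seen in the report's dlerror line
missing_pam_modules() {
    config=$1 root=${2:-} isa=${3:-../../lib/security}
    tag='$ISA' rc=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                  # drop comments
        set -f; set -- $line; set +f      # split into fields without globbing
        [ $# -ge 3 ] || continue          # need: type control module
        shift                             # drop type (auth, account, ...)
        case $1 in
            include|substack) continue ;; # names another config file, not a module
            \[*) while [ $# -gt 1 ] && [ "${1%]}" = "$1" ]; do shift; done ;;
        esac
        shift                             # drop control (or the closing "...]" token)
        [ $# -gt 0 ] || continue
        module=$1
        case $module in
            *"$tag"*) module=${module%%"$tag"*}$isa${module#*"$tag"} ;;
        esac
        # Bare module names: /lib/security is an assumed default module directory.
        case $module in /*) ;; *) module=/lib/security/$module ;; esac
        if [ ! -e "$root$module" ]; then
            printf '%s\n' "$1"            # print the path as written in the config
            rc=1
        fi
    done < "$config"
    return $rc
}

# Constructed sample: the auth line from the report plus one module that exists,
# checked inside a scratch root so the live system is not touched.
demo() {
    scratch=$(mktemp -d) || return 2
    mkdir -p "$scratch/lib/security"
    : > "$scratch/lib/security/pam_unix.so"
    cat > "$scratch/system-auth" <<'EOF'
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens
EOF
    status=0
    missing_pam_modules "$scratch/system-auth" "$scratch" || status=$?
    rm -rf "$scratch"
    return $status
}

demo || echo "missing module(s) listed above: do not install this system-auth"
```

A non-zero exit status means the file references at least one module that PAM will fail to dlopen, so the check belongs before the file replaces the working one.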
