Bug 170338 - su - user account pam stack fails
Summary: su - user account pam stack fails
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: pam
Version: 4.0
Hardware: i686
OS: Linux
medium
medium
Target Milestone: ---
: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2005-10-10 19:46 UTC by Benn Oshrin
Modified: 2015-01-08 00:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2005-10-12 19:35:17 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)
Original /etc/pam.d/su (970 bytes, text/plain)
2005-10-11 14:35 UTC, Benn Oshrin 		no flags Details
Modified /etc/pam.d/su (1.00 KB, text/plain)
2005-10-11 14:35 UTC, Benn Oshrin 		no flags Details
/etc/pam.d/system-auth (1.14 KB, text/plain)
2005-10-11 14:36 UTC, Benn Oshrin 		no flags Details
Original /etc/pam.d/su (972 bytes, text/plain)
2005-10-12 19:30 UTC, Benn Oshrin 		no flags Details
Show Obsolete (1) View All

Description Benn Oshrin 2005-10-10 19:46:06 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6

Description of problem:
su - user from root fails for some (but not all) values of user.  We have been unable to correlate the characteristics of the users (UID, home directory, etc) to predict success or failure, none of whom have valid shells on the box in question.  (User info is retrieved via LDAP and authenticated against Kerberos, although in this example no authentication should occur.)

This can be corrected by applying the following patch to /etc/pam.d/su:

16c16,17
< account    sufficient   /lib/security/$ISA/pam_permit.so
---
> account    sufficient   pam_krb5.so
> account    required     pam_unix.so


Version-Release number of selected component (if applicable):
pam-0.77-66.5

How reproducible:
Always

Steps to Reproduce:
1. su --shell=/bin/sh username -c uptime
(Reproducible always for any user which fails.)  

Actual Results:  su: incorrect password


Expected Results:   14:26:09 up 41 days,  5:24,  3 users,  load average: 0.00, 0.00, 0.00


Additional info:

This might be related to or a dupe of 
 
 https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=164794

Note however that we must disable both pam_krb5 and pam_unix.
Comment 1 Tomas Mraz 2005-10-11 07:05:47 UTC 
Could you please attach you /etc/pam.d/su and /etc/pam.d/system-auth?

Also are there any log messages in /var/log/messages or secure when the su -
xxxx command fails?
Comment 2 Benn Oshrin 2005-10-11 14:35:21 UTC 
Created attachment 119802 [details]
Original /etc/pam.d/su
Comment 3 Benn Oshrin 2005-10-11 14:35:54 UTC 
Created attachment 119803 [details]
Modified /etc/pam.d/su
Comment 4 Benn Oshrin 2005-10-11 14:36:32 UTC 
Created attachment 119804 [details]
/etc/pam.d/system-auth
Comment 5 Benn Oshrin 2005-10-11 14:42:37 UTC 
The only entries were of the form

Oct 10 14:26:09 soyvlaki su(pam_unix)[28071]: session opened for user xxxx b
y benno(uid=0)
Oct 10 14:26:09 soyvlaki su(pam_unix)[28071]: session closed for user xxxx

(even with 'debug' flags set for the pams in the stack).
Comment 6 Benn Oshrin 2005-10-12 19:30:07 UTC 
Created attachment 119849 [details]
Original /etc/pam.d/su

Attachment 119802 [details] was the wrong file.
Comment 7 Benn Oshrin 2005-10-12 19:35:17 UTC 
I think this bug may be invalid, based on local configuration changes I've discovered.  I'll reopen it if I'm 
wrong.
Comment 8 Tomas Mraz 2005-10-12 20:00:59 UTC 
It's partly invalid (removing the pam_unix is never the right thing, instead the
broken_shadow option should be used when the accounts authenticated against
kerberos have wrong 'x' entry in /etc/passwd - *K* should be there) and partly a
duplicate of bug 164794 which is a real bug (this is when removing pam_krb5 from
account helps).
Note You need to log in before you can comment on or make changes to this bug.