This service will be undergoing maintenance at 00:00 UTC, 2016-08-01. It is expected to last about 1 hours
Bug 178931 - Lots of new pam_krb5 messages after update
Lots of new pam_krb5 messages after update
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: vixie-cron (Show other bugs)
4
All Linux
medium Severity medium
: ---
: ---
Assigned To: Marcela Mašláňová
Brock Organ
:
: 178939 (view as bug list)
Depends On: 179037
Blocks:
  Show dependency treegraph
 
Reported: 2006-01-25 11:12 EST by Orion Poplawski
Modified: 2007-11-30 17:11 EST (History)
3 users (show)

See Also:
Fixed In Version: vixie-cron-4.1-41.FC4
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-08-29 09:55:52 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Orion Poplawski 2006-01-25 11:12:45 EST
Description of problem:

Since vixie-cron 4.1-40.FC4 was installed, I'm seeing lots of the following
messages:

Jan 24 06:40:01 wind crond[26807]: pam_krb5[26807]: no v5 creds for user 'root',
skipping session setup
 Jan 24 06:40:02 wind crond[26807]: pam_krb5[26807]: no v5 creds for user
'root', skipping session cleanup
 Jan 24 06:40:06 wind crond[26808]: pam_krb5[26808]: no v5 creds for user
'root', skipping session cleanup
 Jan 24 06:40:08 wind crond[26809]: pam_krb5[26809]: no v5 creds for user
'cactiuser', skipping session cleanup

Not sure if this is really a cron or pam issue, but it is annowying to get this
many messages.
Comment 1 Jason Vas Dias 2006-01-26 13:58:38 EST
*** Bug 178939 has been marked as a duplicate of this bug. ***
Comment 2 Jason Vas Dias 2006-01-26 14:13:41 EST
This bug is now fixed with vixie-cron-4.1-41.FC4, released to updates/testing today.

With vixie-cron-4.1-40.FC4, after it came to my attention that the pam_unix
module did nothing for the session phase except log unwanted messages, I changed
the /etc/pam.d/crond file from:
---
auth       sufficient pam_rootok.so
auth       required   pam_stack.so service=system-auth
auth       required   pam_env.so
account    required   pam_stack.so service=system-auth
account    required   pam_access.so
session    required   pam_stack.so service=system-auth
session    required   pam_loginuid.so
---

To:

---
auth       sufficient pam_rootok.so
auth       required   pam_stack.so service=system-auth
auth       required   pam_env.so
account    required   pam_stack.so service=system-auth
account    required   pam_access.so
session    required   pam_loginuid.so
session    required   pam_limits.so
session    optional   pam_krb5.so
---

since system-auth contained:
---
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
---

I wanted to keep the crond session stack the same except for the removal of
the pam_unix module.

This had the unwanted effect of causing the new pam_krb5 debugging log messages
to be logged to /var/log/cron:
crond[3599]: pam_krb5[3599]: no v5 creds for user 'root', skipping session setup
crond[3600]: (root) CMD (logger job $$)
crond[3599]: pam_krb5[3599]: no v5 creds for user 'root', skipping session cleanup

Having checked with the pam_krb5 maintainer, it now appears that pam_krb5 does
nothing for the crond pam session, since it is not a login session - so we can
remove pam_krb5 from crond's pam config file also - it is so removed from
vixie-cron-4.1-41.FC4's /etc/pam.d/crond .

But the weird thing is for pam / pam_krb5 - why did just moving the pam_krb5
session requirement from the system-auth file to the crond file cause the 
extra debug log messages to be generated ?
Comment 3 Nalin Dahyabhai 2006-01-26 15:12:36 EST
There's probably some "confusion" between pam_krb5's internal debug() function
and the one used by crond.  Most of the debugging messages in pam_krb5 are
wrapped inside of checks for pam_krb5's debug flag, but these two aren't, so
they expose that confusion.
Comment 4 Fedora Update System 2006-01-26 15:15:29 EST
From User-Agent: XML-RPC

vixie-cron-4.1-41.FC4 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.
Comment 5 Fedora Update System 2006-02-02 12:04:57 EST
From User-Agent: XML-RPC

vixie-cron-4.1-41.FC4 has been pushed for FC4, which should resolve this issue.  If these problems are still present in this version, then please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.