Bug 179132 - user gets no cached credentials after changing expired password on login
Summary: user gets no cached credentials after changing expired password on login
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: 4
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Depends On: 169966
Reported: 2006-01-27 16:35 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)

Clone Of:
Last Closed: 2006-09-22 02:21:19 UTC


Description Nalin Dahyabhai 2006-01-27 16:35:32 UTC
+++ This bug was initially created as a clone of Bug #169966 +++

We have seen this bug before wrt pam_krb5-1.75 in RHEL 2.1. The bug has come
back in pam_krb5-2.1.2-1-i386 and pam_ccreds-1-3-i386 in RHEL 4 U1.

Previous bugzilla at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110948 .

When a user with an expired password tries to log in, he is allowed to change
his password but no credential cache is created.

-- Additional comment from tao@redhat.com on 2005-10-05 18:09 EST --

Ok, I think I've tracked down the problem. Looks like the issue is that
after the chauthtok phase, the stash->v5result is still set to
KRB5KDC_ERR_KEY_EXP. This prevents the session module from storing the
cached credentials.

The attached patch is a proposed fix that resets stash->v5result to 0 after
a successful password change. This seems to correct my reproduction of the
problem, but I'm not certain if this is the best place or way to reset
this variable.

-- Additional comment from jlayton@redhat.com on 2005-10-05 18:16 EST --
Created an attachment (id=119654)
system-auth file used to reproduce the problem

Steps to reproduce:

1) set up a kerberos realm with a test user in it

2) build RHEL4 box and use attached (or similar) system-auth file. Configure
krb5.conf to authenticate against kerb realm with test user.

3) expire the password of the test user:

kadmin> modprinc -pwexpire now testuser

4) log in on console (or telnet to box) as test user. Log in and change
password when prompted.

5) note that after this, there are no cached credentials when you run klist.

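A small C model of the four PAM phases described in the comments above, added here as an illustration of why a stale stash->v5result suppresses the credential cache; it is not pam_krb5's code. The stash, the KDC and the pam_* entry points are simplified stand-ins (assumptions for the example), while the krb5 error codes and PAM return codes are the real values from MIT krb5 and Linux-PAM, defined locally so the file builds without krb5.h or pam_appl.h. The `apply_fix` flag switches between the reported behaviour and the proposed reset of v5result after a successful password change.

```c
#include <stdbool.h>
#include <string.h>

/* MIT krb5 error-table values, defined here so no krb5.h is needed. */
#define KRB5KDC_ERR_KEY_EXP        (-1765328361)
#define KRB5KDC_ERR_PREAUTH_FAILED (-1765328360)

/* Linux-PAM return codes as in <security/pam_appl.h>. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12
#define PAM_AUTHTOK_ERR      20

/* Simplified stand-in for pam_krb5's per-login stash (assumption). */
struct stash {
    int  v5result;     /* result of the last v5 TGT request */
    bool have_v5creds; /* a TGT is held in memory */
};

/* Constructed stand-in for the KDC: one principal, one password. */
struct kdc {
    const char *password;
    bool expired;
};

/* Model of krb5_get_init_creds_password(): wrong password -> preauth
 * failure, expired key -> KRB5KDC_ERR_KEY_EXP, otherwise a TGT. */
static int kdc_get_tgt(const struct kdc *k, const char *pw)
{
    if (strcmp(k->password, pw) != 0)
        return KRB5KDC_ERR_PREAUTH_FAILED;
    if (k->expired)
        return KRB5KDC_ERR_KEY_EXP;
    return 0;
}

/* auth phase: record the TGT request result in the stash.  An expired
 * key is let through here; the account phase reports it. */
int pam_auth(struct stash *s, const struct kdc *k, const char *pw)
{
    s->v5result = kdc_get_tgt(k, pw);
    s->have_v5creds = (s->v5result == 0);
    return (s->v5result == 0 || s->v5result == KRB5KDC_ERR_KEY_EXP)
           ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* account phase: an expired key forces a password change. */
int pam_acct_mgmt(const struct stash *s)
{
    return s->v5result == KRB5KDC_ERR_KEY_EXP ? PAM_NEW_AUTHTOK_REQD
                                             : PAM_SUCCESS;
}

/* chauthtok phase: change the password on the KDC and fetch a fresh TGT.
 * With apply_fix the stale v5result is cleared as the proposed patch
 * does; without it the KEY_EXP code survives into the session phase. */
int pam_chauthtok(struct stash *s, struct kdc *k, const char *oldpw,
                  const char *newpw, bool apply_fix)
{
    if (strcmp(k->password, oldpw) != 0)
        return PAM_AUTHTOK_ERR;
    k->password = newpw;
    k->expired = false;
    if (kdc_get_tgt(k, newpw) != 0)
        return PAM_AUTHTOK_ERR;
    s->have_v5creds = true;
    if (apply_fix)
        s->v5result = 0;
    return PAM_SUCCESS;
}

/* session phase: the ccache is written only when v5result is success.
 * Returns true if a ccache was created, i.e. what klist would show. */
bool pam_open_session(const struct stash *s)
{
    return s->v5result == 0 && s->have_v5creds;
}

/* Drive the phases the way login(1) would for a user whose password
 * has expired.  Returns true if the user ends up with a ccache. */
bool login_with_expired_password(bool apply_fix)
{
    struct kdc   k = { "old-secret", true };
    struct stash s = { 0, false };

    if (pam_auth(&s, &k, "old-secret") != PAM_SUCCESS)
        return false;
    if (pam_acct_mgmt(&s) == PAM_NEW_AUTHTOK_REQD &&
        pam_chauthtok(&s, &k, "old-secret", "new-secret", apply_fix)
            != PAM_SUCCESS)
        return false;
    return pam_open_session(&s);
}

/* Same flow for a password that has not expired. */
bool login_with_valid_password(void)
{
    struct kdc   k = { "secret", false };
    struct stash s = { 0, false };

    if (pam_auth(&s, &k, "secret") != PAM_SUCCESS)
        return false;
    if (pam_acct_mgmt(&s) != PAM_SUCCESS)
        return false;
    return pam_open_session(&s);
}
```

The point the model makes is that the session phase cannot tell "the key was expired when we first asked" from "the key is still expired": it only sees v5result. Resetting it once the password change has yielded working credentials is what lets the normal and the changed-password logins converge on the same session behaviour.
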
Comment 1 Bill Nottingham 2006-09-22 02:21:19 UTC
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.
