Bug 179132 - user gets no cached credentials after changing expired password on login
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pam_krb5
4
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Brian Brock
Depends On: 169966
Reported: 2006-01-27 11:35 EST by Nalin Dahyabhai
Modified: 2007-11-30 17:11 EST (History)
Fixed In Version: FC5
Doc Type: Bug Fix
Last Closed: 2006-09-21 22:21:19 EDT
Description Nalin Dahyabhai 2006-01-27 11:35:32 EST
+++ This bug was initially created as a clone of Bug #169966 +++

We have seen this bug before wrt pam_krb5-1.75 in RHEL 2.1. The bug has come
back in pam_krb5-2.1.2-1-i386 and pam_ccreds-1-3-i386 in RHEL 4 U1.

Previous bugzilla at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110948 .

When a user with an expired password tries to log in, he is allowed to change
his password but no credential cache is created.

-- Additional comment from tao@redhat.com on 2005-10-05 18:09 EST --

Ok, I think I've tracked down the problem. Looks like the issue is that
after the chauthtok phase, the stash->v5result is still set to
KRB5KDC_ERR_KEY_EXP. This prevents the session module from storing the
cached credentials.

The attached patch is a proposed fix that resets stash->v5result to 0 after
a successful password change. This seems to correct my reproduction of the
problem, but I'm not certain if this is the best place or way to reset
this variable.

-- Additional comment from jlayton@redhat.com on 2005-10-05 18:16 EST --
Created an attachment (id=119654)
system-auth file used to reproduce the problem

Steps to reproduce:

1) set up a kerberos realm with a test user in it

2) build RHEL4 box and use attached (or similar) system-auth file. Configure
krb5.conf to authenticate against kerb realm with test user.

3) expire the password of the test user:

kadmin> modprinc -pwexpire now testuser

4) log in on console (or telnet to box) as test user. Log in and change
password when prompted.

5) note that after this, there are no cached credentials when you run klist.
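
The state problem described in the comments above, as an added example (a simplified model written for this page, not pam_krb5 source code). Only `v5result` and `KRB5KDC_ERR_KEY_EXP` come from the report; the struct layout, the `model_*` functions, the `have_creds` flag and the assumption that a successful password change leaves fresh credentials in memory are hypothetical.

```c
#include <stdio.h>
#include <stdbool.h>

/* Stand-in for KRB5KDC_ERR_KEY_EXP (Kerberos protocol error code 23). */
#define MODEL_ERR_KEY_EXP 23

/* Hypothetical per-user state shared between PAM phases, modelled on the
 * "stash" named in the report. Only v5result is a name from the page. */
struct stash {
    int  v5result;    /* result of the last attempt to get credentials */
    bool have_creds;  /* assumption: credentials are held in memory */
};

/* auth phase: the KDC refuses a principal whose password has expired. */
static void model_authenticate(struct stash *s, bool expired)
{
    s->v5result = expired ? MODEL_ERR_KEY_EXP : 0;
    s->have_creds = !expired;
}

/* chauthtok phase: the password change succeeds.
 * reset_result selects the behaviour of the proposed fix. */
static void model_chauthtok(struct stash *s, bool reset_result)
{
    s->have_creds = true;
    if (reset_result)
        s->v5result = 0;  /* clear the stale expiry error */
}

/* session phase: a ccache is written only when the stashed result is 0. */
static bool model_open_session(const struct stash *s)
{
    return s->v5result == 0 && s->have_creds;
}

/* Run auth -> chauthtok -> session for a user with an expired password. */
static bool login_creates_ccache(bool reset_result)
{
    struct stash s = {0, false};
    model_authenticate(&s, true);
    model_chauthtok(&s, reset_result);
    return model_open_session(&s);
}

int main(void)
{
    printf("without reset: ccache=%d\n", login_creates_ccache(false));
    printf("with reset:    ccache=%d\n", login_creates_ccache(true));
    return 0;
}
```

Without the reset, the session phase still sees the expiry error from the auth phase and skips the ccache, which matches the empty `klist` output in step 5.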
Comment 1 Bill Nottingham 2006-09-21 22:21:19 EDT
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.
