Red Hat Bugzilla – Bug 179132
user gets no cached credentials after changing expired password on login
Last modified: 2007-11-30 17:11:22 EST
+++ This bug was initially created as a clone of Bug #169966 +++
We have seen this bug before wrt pam_krb5-1.75 in RHEL 2.1. The bug has come
back in pam_krb5-2.1.2-1-i386 and pam_ccreds-1-3-i386 in RHEL 4 U1.
Previous bugzilla at https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=110948.
When a user with an expired password tries to log in, he is allowed to change
his password but no credential cache is created.
-- Additional comment from email@example.com on 2005-10-05 18:09 EST --
Ok, I think I've tracked down the problem. Looks like the issue is that
after the chauthtok phase, the stash->v5result is still set to
KRB5KDC_ERR_KEY_EXP. This prevents the session module from storing the
The attached patch is a proposed fix that resets stash->v5result to 0 after
a successful password change. This seems to correct my reproduction of the
problem, but I'm not certain if this is the best place or way to reset
-- Additional comment from firstname.lastname@example.org on 2005-10-05 18:16 EST --
Created an attachment (id=119654)
system-auth file used to reproduce the problem
Steps to reproduce:
1) set up a kerberos realm with a test user in it
2) build RHEL4 box and use attached (or similar) system-auth file. Configure
krb5.conf to authenticate against kerb realm with test user.
3) expire the password of the test user:
kadmin> modprinc -pwexpire now testuser
4) log in on console (or telnet to box) as test user. Log in and change
password when prompted.
5) note that after this, there are no cached credentials when you run klist.
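The failure described in the first comment (a stale KRB5KDC_ERR_KEY_EXP result carried from the authentication phase past a successful password change, so the session phase declines to store credentials) and the reproduction steps above can be modelled with a small simulation. The following C program is an added example written for this page; it is not pam_krb5 code. The struct, the `sim_*` functions and the numeric value used for the expired-key error are constructed stand-ins; the real module's data structures and the real krb5 error value are not reproduced here. The `apply_fix` flag switches between leaving the stale result in place and clearing it after the password change, which is the behaviour the proposed patch adds.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for the Kerberos KRB5KDC_ERR_KEY_EXP error code.
 * The numeric value is an assumption made for this example only. */
#define KRB5KDC_ERR_KEY_EXP_SIM 23

/* Simplified model of the per-login state a PAM Kerberos module keeps
 * between the authentication, password-change and session phases. */
struct stash {
    int  v5result;         /* result of the last Kerberos 5 operation */
    bool password_expired; /* constructed account state */
    bool ccache_created;   /* set when the session phase stores credentials */
};

/* Authentication phase: an expired password yields KEY_EXP, which PAM
 * turns into a forced password change rather than a hard failure. */
static int sim_authenticate(struct stash *st)
{
    st->v5result = st->password_expired ? KRB5KDC_ERR_KEY_EXP_SIM : 0;
    return st->v5result;
}

/* Password-change phase. With reset_on_success == false the stale KEY_EXP
 * result survives the change (the reported bug); with true it is cleared,
 * which is what the proposed patch does after a successful change. */
static int sim_chauthtok(struct stash *st, bool reset_on_success)
{
    if (!st->password_expired)
        return 0;                 /* nothing to change */
    st->password_expired = false; /* password changed successfully */
    if (reset_on_success)
        st->v5result = 0;
    return 0;
}

/* Session phase: credentials are stored only if the last recorded
 * Kerberos result was success, so a stale error blocks the cache. */
static int sim_open_session(struct stash *st)
{
    if (st->v5result != 0)
        return -1;                /* refuse to cache credentials after a failure */
    st->ccache_created = true;
    return 0;
}

/* Drive the three phases for a user whose password has expired and report
 * whether a credential cache ended up being created (what klist would show). */
bool login_creates_ccache(bool apply_fix)
{
    struct stash st = { .v5result = 0, .password_expired = true, .ccache_created = false };
    int rc = sim_authenticate(&st);
    if (rc == KRB5KDC_ERR_KEY_EXP_SIM)
        sim_chauthtok(&st, apply_fix);
    sim_open_session(&st);
    return st.ccache_created;
}

int main(void)
{
    printf("without fix: ccache created = %s\n", login_creates_ccache(false) ? "yes" : "no");
    printf("with fix:    ccache created = %s\n", login_creates_ccache(true) ? "yes" : "no");
    return 0;
}
```

Running it prints "no" for the unfixed path and "yes" once the result is reset, mirroring step 5 of the reproduction: the login succeeds and the password is changed, but without the reset the session phase never writes a credential cache.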
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.