Bug 179133 - su does not work as expected when kerberos authentication is enabled
Summary: su does not work as expected when kerberos authentication is enabled
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: 4
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On: 164794
Blocks:
TreeView+ depends on / blocked
 
Reported: 2006-01-27 16:36 UTC by Nalin Dahyabhai
Modified: 2007-11-30 22:11 UTC (History)
0 users

Fixed In Version: FC5
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-09-22 02:15:29 UTC
Type: ---
Embargoed:

Attachments (Terms of Use)

Description Nalin Dahyabhai 2006-01-27 16:36:25 UTC 
+++ This bug was initially created as a clone of Bug #164794 +++

Description of problem:
Running Red Hat Enterprise Linux AS release 4 (Nahant Update 1) using kerberos
authentication against Microsoft Active directory, seems to been broken compared
to previous Red Hat releases (like AS3 U5) regarding the use of su as root. If I
logon with root (console or via ssh), I'm not able to su to a "normal" local
user account :
]# su - guest1
su: incorrect password

Version-Release number of selected component (if applicable):
Red Hat Enterprise Linux AS release 4 (Nahant Update 1)
coreutils-5.2.1-31.1

How reproducible:
Logon as root via SSH or console, perform su for a local account like guest1

Actual results:
Su does not ask for a password and despite "minimum_uid = 500" in the krb5.conf
file (user guest1 has uid 504), "it" contacts the MS-AD servers trying to
authenticate the user without asking for a password.
I've disabled SE-Linux to rule out problems from that side, but to no avail.
Comparing the /etc/pam.d/su file with the one on a AS3-U5 server reveals leads,
except for the extra pam_selinux.so lines.

When disabling kerberos authentication, via authconfig, su works like a charm,
no password needed like expected.

Expected results:
A local user shell for guest1 or otherwise a apropriate error message

Additional info:
Enabling "Local authorization is sufficient" via authconfig, enables su for root
on local accounts while kerberos authentication is enabled

-- Additional comment from shillman on 2005-08-01 15:01 EST --
This looks less like an enhancement, and more like something that we really
ought to have on the proposed list.

http://intranet.corp.redhat.com/ic/intranet/RHELUpdateContentProcess.html

-- Additional comment from twaugh on 2005-08-02 08:32 EST --
Changing component and reassigning.

-- Additional comment from nalin on 2005-08-03 15:36 EST --
This is a sort-of duplicate of bug #140325, which was filed against RHEL 3.

-- Additional comment from mark.edu on 2005-10-19 13:26 EST --
This also affects cronjobs, as I reported in Bug #144064. That was reported on
FC3, which is more-or-less RHEL 4.
Comment 1 Bill Nottingham 2006-09-22 02:15:29 UTC 
Closing bugs in MODIFIED state from prior Fedora releases. If this bug persists
in a current Fedora release (such as Fedora Core 5 or later), please reopen and
set the version appropriately.
Note You need to log in before you can comment on or make changes to this bug.