Bug 182239 - RFE: Implement V5->V4 credential conversion using "external" in pam_krb5
Summary: RFE: Implement V5->V4 credential conversion using "external" in pam_krb5
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: rawhide
Hardware: All Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
Keywords: Reopened
Blocks: 201265
Reported: 2006-02-21 10:49 UTC by Jon Fautley
Modified: 2007-11-30 22:11 UTC (History)

Fixed In Version: 2.2.9-1
Doc Type: Bug Fix
Last Closed: 2007-07-19 21:04:59 UTC


Attachments
proposed patch (2.85 KB, patch)
2006-04-25 14:23 UTC, Jan Iven

Description Jon Fautley 2006-02-21 10:49:02 UTC
Implement V5->V4 credential cache conversion in pam_krb5 when using the
"external" option so they can forward v4 credentials to their AFS server.

This is for the 2.2-branch of the pam_krb5 module.

Comment 1 Nalin Dahyabhai 2006-02-23 19:04:59 UTC
This should be implemented in pam_krb5 2.2.7 and later.  Closing with resolution
RAWHIDE even if it won't be there just yet due to the FC5 freeze.

Comment 2 Jan Iven 2006-04-25 08:16:56 UTC
This feature does not quite work as expected yet for the case where the K5
principal does not match the local account name. In this case, the "converted"
credentials (Krb4 and AFS) are obtained for the local account principal and are
nonfunctional.
Easy example: "ssh root@machine" ends up with a (nonworking) Krb4 TGT for
root@REALM instead of the converted user@REALM.

Appears to be due to mixing info from the krb5 "stash" with the "userinfo"
converted principal after an existing Krb5 ccache is read back.

Please reopen.
Thanks
Jan

Comment 3 Jan Iven 2006-04-25 14:23:52 UTC
Created attachment 128204
proposed patch

proposed patch that overrides the userinfo->principal when reading in an
"external" KRB5CCNAME.

Comment 8 Jon Fautley 2006-11-01 11:27:10 UTC
Looking through the changelog for pam_krb5 in FC6, this was fixed as of 2.2.9-1
- shouldn't this BZ be closed now? :)

Cheers,

/j

Comment 9 Nalin Dahyabhai 2007-07-19 21:04:59 UTC
Er, yes, it should.  Closing.

