Bug 182239 - RFE: Implement V5->V4 credential conversion using "external" in pam_krb5
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: pam_krb5
rawhide
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Brian Brock
: Reopened
Blocks: 201265
Reported: 2006-02-21 05:49 EST by Jon Fautley
Modified: 2007-11-30 17:11 EST
Fixed In Version: 2.2.9-1
Doc Type: Bug Fix
Last Closed: 2007-07-19 17:04:59 EDT
Attachments
proposed patch (2.85 KB, patch)
2006-04-25 10:23 EDT, Jan Iven
Description Jon Fautley 2006-02-21 05:49:02 EST
Implement V5->V4 credential cache conversion in pam_krb5 when using the
"external" option so they can forward v4 credentials to their AFS server.

This is for the 2.2-branch of the pam_krb5 module.
Comment 1 Nalin Dahyabhai 2006-02-23 14:04:59 EST
This should be implemented in pam_krb5 2.2.7 and later.  Closing with resolution
RAWHIDE even if it won't be there just yet due to the FC5 freeze.
Comment 2 Jan Iven 2006-04-25 04:16:56 EDT
This feature does not quite work as expected yet for the case where the K5
principal does not match the local account name. In this case, the "converted"
credentials (Krb4 and AFS) are obtained for the local account principal and are
nonfunctional.
Easy example: "ssh root@machine" ends up with a (nonworking) Krb4 TGT for
root@REALM instead of the converted user@REALM.

Appears to be due to mixing info from the krb5 "stash" with the "userinfo"
converted principal after an existing Krb5 ccache is read back.

Please reopen..
Thanks
Jan
Comment 3 Jan Iven 2006-04-25 10:23:52 EDT
Created attachment 128204
proposed patch

proposed patch that overrides the userinfo->principal when reading in an
"external" KRB5CCNAME.
Comment 8 Jon Fautley 2006-11-01 06:27:10 EST
Looking through the changelog for pam_krb5 in FC6, this was fixed as of 2.2.9-1
- shouldn't this BZ be closed now? :)

Cheers,

/j
Comment 9 Nalin Dahyabhai 2007-07-19 17:04:59 EDT
Er, yes, it should.  Closing.
