Bug 18720 - Unable to authenticate with pam_krb5-1-19
Unable to authenticate with pam_krb5-1-19
Status: CLOSED RAWHIDE
Product: Red Hat Linux
Classification: Retired
Component: pam_krb5 (Show other bugs)
7.0
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Aaron Brown
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-10-09 11:38 EDT by Chris Rode
Modified: 2007-04-18 12:29 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-10-09 11:38:35 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Chris Rode 2000-10-09 11:38:33 EDT
Using the default pam_krb5-1-19 shipped with Red Hat Linux 7.0, I am 
unable to authenticate to my kerberos realm.  Downgrading to pam_krb5-1-16 
fixes the problem.  With release 19, after I enter a username at the 
login: prompt, I do not get prompted for a password, I just get a failed 
login.

The messages in /var/log/secure:
Oct  6 11:19:48 vandyk xinetd[458]: START: telnet pid=7787 from=127.0.0.1
Oct  6 11:19:50 vandyk login: pam_krb5: get_config() called
Oct  6 11:19:50 vandyk login: pam_krb5: setting renewable lifetime to 36000
Oct  6 11:19:50 vandyk login: pam_krb5: setting ticket lifetime to 36000
Oct  6 11:19:50 vandyk login: pam_krb5: making tickets forwardable
Oct  6 11:19:50 vandyk login: pam_krb5: ticket directory is "/tmp"
Oct  6 11:19:50 vandyk login: pam_krb5: password-changing banner set 
to "Kerberos 5"
Oct  6 11:19:50 vandyk login: pam_krb5: krb4_convert false
Oct  6 11:19:50 vandyk login: pam_krb5: pam_sm_authenticate() called
Oct  6 11:19:50 vandyk login: pam_krb5: default Kerberos realm is 
MRDUCK.NET
Oct  6 11:19:50 vandyk login: pam_krb5: user is "electro"
Oct  6 11:19:50 vandyk login: pam_krb5: electro has uid 500, gid 500
Oct  6 11:19:50 vandyk login: pam_krb5: attempting to authenticate electro
Oct  6 11:19:50 vandyk login: pam_krb5: authenticate error: Cannot read 
password
Oct  6 11:19:50 vandyk login: pam_krb5: authentication fails for electro
Oct  6 11:19:50 vandyk login: pam_krb5: TGT for electro not verified (no 
required_tgs defined)
Oct  6 11:19:50 vandyk login: pam_krb5: saved return code (7) for later use
Oct  6 11:19:50 vandyk login: pam_krb5: pam_sm_authenticate returning 7 
(Authentication failure)

And the messages from /var/log/messages:
Oct  6 11:19:50 vandyk PAM_unix[7788]: auth could not identify password 
for [electro]
Oct  6 11:19:50 vandyk login[7788]: FAILED LOGIN 1 FROM 
localhost.localdomain FOR electro, Authentication failure

My /etc/pam.d/system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        sufficient    /lib/security/pam_krb5.so debug
auth        sufficient    /lib/security/pam_unix.so likeauth nullok md5 
shadow use_first_pass
auth        required      /lib/security/pam_deny.so
account     sufficient    /lib/security/pam_unix.so
account     required      /lib/security/pam_deny.so
password    requisite     /lib/security/pam_cracklib.so retry=3 
type=MRDUCK.NET
password    sufficient    /lib/security/pam_krb5.so nullok use_authtok
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 
shadow
password    required      /lib/security/pam_deny.so
session     required      /lib/security/pam_limits.so
session     optional      /lib/security/pam_krb5.so
session     required      /lib/security/pam_unix.so
Comment 1 Nalin Dahyabhai 2000-10-10 13:57:19 EDT
Aaargh.  This should be fixed in 1-21, currently in
http://people.redhat.com/nalin/test/, slated for inclusion in the next Raw Hide
snapshot.
Comment 2 Chris Rode 2000-10-10 23:57:27 EDT
Thanks Nalin, the pam_krb5-1-21 release works like a charm. :)

Note You need to log in before you can comment on or make changes to this bug.