Bug 217944 - /etc/pam.d/system-auth-ac has wrong logic for kerberos
Product: Fedora
Classification: Fedora
Component: authconfig
Hardware: x86_64 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Brian Brock
Reported: 2006-11-30 15:58 EST by Tomasz Kepczynski
Modified: 2007-11-30 17:11 EST (History)
Doc Type: Bug Fix
Last Closed: 2006-11-30 16:23:09 EST
Description Tomasz Kepczynski 2006-11-30 15:58:49 EST
Description of problem:
I've tried to set up a workstation with Kerberos single sign-on
configured. Unfortunately /etc/pam.d/system-auth-ac created by
system-config-authentication has logic which prevents pam_krb5
from authenticating itself to a server. Please have a look:
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
This means that after pam_unix authenticates the user we leave the PAM
stack, and the authentication service provided by pam_krb5.so is never
called. As a result the session service later on will not be able
to set up credentials for the user.

Version-Release number of selected component (if applicable):

How reproducible:

Actual results:
klist shows no credentials after logging in.

Expected results:
klist shows credentials after logging in.

Additional info:
This fault is related to bug #193335 which unfortunately was
closed as NOTABUG (which I strongly believe it is). It may also
relate to bug #179009.
Comment 1 Tomas Mraz 2006-11-30 16:23:09 EST
No, what you are trying to achieve is simply not possible. Or it is possible but
it has its own set of problems. Authconfig as a tool can choose only one of many
possible pam configurations and it is up to you to modify it if it doesn't suit
your needs.

What I mean is that the config generated by authconfig is perfectly OK when you
either don't have users authenticated by kerberos in the /etc/passwd at all but
they are in LDAP or NIS. Or they have a passwd entry but without a password set
there (or in /etc/shadow). Or you can have a different password in /etc/shadow
and in the kerberos and use the kerberos password normally and the /etc/shadow
one only when the kerberos server is unavailable.

Switching the order of the authentication modules would be possible but it would
have other problems like very long timeouts on authentication when disconnected
from network.
