Red Hat Bugzilla – Bug 217944
/etc/pam.d/system-auth-ac has wrong logic for kerberos
Last modified: 2007-11-30 17:11:50 EST
Description of problem:
I've tried to set up workstation with kerberos single sign on
configured. Unfortunately /etc/pam.d/system-auth-ac created by
system-config-authentication has logic which prevents pam_krb5
from authenticating itself to a server. Please have a look:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
This means that after pam_unix authenticates user we leave pam
stack and authentication service provided by pam_krb5.so is never
called. As a result session service later on will not be able
to setup credentials for a user.
Version-Release number of selected component (if applicable):
Actual results:
klist shows no credentials after logging in.
Expected results:
klist shows credentials after logging in.
This fault is related to bug #193335 which unfortunately was
closed as NOTABUG (which I strongly believe it is). It may also
relate to bug #179009.
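An added example, not code from the bug report or from authconfig: a small Python simulation of the PAM control-flag logic that walks the auth stack quoted above and records which modules actually run. The per-module outcomes are constructed here, and the semantics are a simplified model of Linux-PAM (required/requisite/sufficient only).

```python
from typing import Dict, List, Tuple

# The auth lines quoted in the report (constructed here from the text above).
REPORTED_CONFIG = """\
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth required pam_deny.so
"""

# Constructed outcomes for a user whose local and Kerberos passwords both match.
# pam_deny.so always fails; pam_succeed_if.so passes for a uid >= 500.
OUTCOMES_LOCAL_OK = {"pam_env.so": True, "pam_unix.so": True,
                     "pam_succeed_if.so": True, "pam_krb5.so": True,
                     "pam_deny.so": False}
# Same user, but the local password check fails (e.g. no password in /etc/shadow).
OUTCOMES_LOCAL_FAIL = dict(OUTCOMES_LOCAL_OK, **{"pam_unix.so": False})

def parse_stack(text: str) -> List[Tuple[str, str]]:
    """Turn 'auth <control> <module> [args...]' lines into (control, module)."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2]))
    return stack

def run_auth_stack(stack, outcomes: Dict[str, bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack with simplified Linux-PAM control-flag semantics.
    Returns (authenticated, modules that were actually invoked)."""
    called, required_failed = [], False
    for control, module in stack:
        ok = outcomes[module]
        called.append(module)
        if control == "requisite" and not ok:
            return False, called            # fail immediately
        if control == "required" and not ok:
            required_failed = True          # remember the failure, keep walking
        if control == "sufficient" and ok and not required_failed:
            return True, called             # short-circuit: the rest never runs
    return not required_failed, called

def krb5_ran(config: str, outcomes: Dict[str, bool]) -> bool:
    """True if pam_krb5.so was invoked, i.e. a ticket could have been obtained."""
    return "pam_krb5.so" in run_auth_stack(parse_stack(config), outcomes)[1]

if __name__ == "__main__":
    print(run_auth_stack(parse_stack(REPORTED_CONFIG), OUTCOMES_LOCAL_OK))
    # (True, ['pam_env.so', 'pam_unix.so']): pam_krb5 never ran, so klist is empty
    print(krb5_ran(REPORTED_CONFIG, OUTCOMES_LOCAL_FAIL))   # True
```

With a matching local password the stack returns at pam_unix.so, which is exactly the case the report describes; pam_krb5.so only runs when the local check fails, which is the fallback the developer's reply describes.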
No, what you are trying to achieve is simply not possible. Or it is possible but
it has its own set of problems. Authconfig as a tool can choose only one of many
possible pam configurations and it is up to you to modify it if it doesn't suit
What I mean is that the config generated by authconfig is perfectly OK when you
either don't have users authenticated by kerberos in the /etc/passwd at all but
they are in LDAP or NIS. Or they have a passwd entry but without a password set
there (or in /etc/shadow). Or you can have a different password in /etc/shadow
and in the kerberos and use the kerberos password normally and the /etc/shadow
one only when the kerberos server is unavailable.
Switching the order of the authentication modules would be possible but it would
have other problems like very long timeouts on authentication when disconnected