Description of problem:
If Satellite is using pam authentication, if in the DS or user database the password is marked as expired, the threads will just hang or segfault with messages like:

--
From catalina.out:
2006-12-15 06:18:23,301 [TP-Processor8] WARN com.redhat.rhn.frontend.servlets.ContextFilter - timezone still null
free(): invalid pointer 0xb75b7400!
2006-12-15 06:18:23,316 [TP-Processor8] WARN com.redhat.rhn.domain.user.legacy.LegacyRhnUserImpl - PAM login for user User jpam_test (id 3, org_id 1) failed with error User account has expired.
--

After digging, we found out that the PAM_conv function used in jpam (even upstream) was extremely weak, not handling any style messages from PAM. Following two builds of jpam, we managed to fix the problem, which was: if we get PAM_ERROR_MSG or PAM_TEXT_INFO, then notify and adapt strings.

Version-Release number of selected component (if applicable):
all of the jpam available.

How reproducible:
Always.

Steps to Reproduce:
1. Setup a pam auth.
2. Expire the password
3. See it hanging when accessing with the account.

Actual results:
Hangs.

Expected results:
No Hangs.

Additional info:
Patch tested and in production fixing the problem. We will request a hotfix soon next week, please roll a new package.

Jose
Created attachment 143848
patch.
Created attachment 143862
jpam-0.4-pam_conv.patch

Ok this one is cleaner and easier to evolve / adapt. For the case default, there is a need to clean the messages. First patch fixes the problem, this one fixes it too, but customer has not tested it yet.
Created attachment 143866
jpam-0.4-pam_conv.patch [small fix]
Created attachment 143972
pam_conv fixing typo.

Ok tested with kerberos.
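An added example, not the jpam patch attached to this bug: a C conversation function that handles all four PAM message styles, recording PAM_ERROR_MSG and PAM_TEXT_INFO text instead of answering it, and cleaning up on an unknown style as the description and the patch comments above call for. The names safe_conv, conv_data and demo_expired are hypothetical, the sample messages are constructed, and the PAM types are local copies of the Linux-PAM definitions so the block builds without PAM headers.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Local copies of Linux-PAM definitions; a real build includes <security/pam_appl.h>. */
struct pam_message  { int msg_style; const char *msg; };
struct pam_response { char *resp; int resp_retcode; };
enum { PAM_SUCCESS = 0, PAM_BUF_ERR = 5, PAM_CONV_ERR = 19, PAM_PROMPT_ECHO_OFF = 1,
       PAM_PROMPT_ECHO_ON = 2, PAM_ERROR_MSG = 3, PAM_TEXT_INFO = 4 };
/* Hypothetical appdata_ptr payload: credentials in, last module notice out. */
struct conv_data { const char *user, *password; char notice[256]; };

int safe_conv(int n, const struct pam_message **msg,
              struct pam_response **resp, void *appdata)
{
    struct conv_data *cd = appdata;
    if (n <= 0 || !msg || !resp || !cd) return PAM_CONV_ERR;
    /* calloc: slots for message-only styles stay NULL, which is safe to free() */
    struct pam_response *r = calloc((size_t)n, sizeof *r);
    if (!r) return PAM_BUF_ERR;
    for (int i = 0; i < n; i++) {
        const char *answer = NULL;
        switch (msg[i]->msg_style) {
        case PAM_PROMPT_ECHO_OFF: answer = cd->password; break;
        case PAM_PROMPT_ECHO_ON:  answer = cd->user;     break;
        case PAM_ERROR_MSG:       /* e.g. an account-expired notice */
        case PAM_TEXT_INFO:       /* record the text; no reply is expected */
            snprintf(cd->notice, sizeof cd->notice, "%s", msg[i]->msg ? msg[i]->msg : "");
            continue;
        default: goto fail;       /* unknown style: release everything, report error */
        }
        if (!answer || !(r[i].resp = malloc(strlen(answer) + 1))) goto fail;
        strcpy(r[i].resp, answer);   /* buffer sized exactly on the line above */
    }
    *resp = r;
    return PAM_SUCCESS;
fail:
    for (int i = 0; i < n; i++) free(r[i].resp);
    free(r);
    *resp = NULL;
    return PAM_CONV_ERR;
}

/* Constructed exchange: a password prompt followed by an expiry notice. */
int demo_expired(struct conv_data *cd, struct pam_response **out)
{
    struct pam_message m[2] = { { PAM_PROMPT_ECHO_OFF, "Password: " },
                                { PAM_ERROR_MSG, "User account has expired" } };
    const struct pam_message *pm[2] = { &m[0], &m[1] };
    return safe_conv(2, pm, out, cd);
}
```

In a real application the function is handed to PAM through struct pam_conv, with the conv_data pointer as its appdata_ptr.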
Moving to ON_QA
I probably need some assistance with PAM... I keep getting

Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]: authentication failure; logname= uid=91 euid=91 tty= ruser= rhost= user=testLogin
Mar 26 15:08:24 fjs-0-13 rhn-satellite(pam_unix)[8121]: ERROR 0:Permission denied
[root@fjs-0-13 jpam-test]# export CLASSPATH=/usr/share/ant/lib/ant-nodeps.jar:/usr/share/java/jpam.jar:/usr/src/redhat/SPECS:/usr/share/java/commons-logging.jar:`pwd`
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:19 EDT 2007
[root@fjs-0-13 jpam-test]# java SimplePam
Loging start
LOGIN SUCCESSFULL
[root@fjs-0-13 jpam-test]# date
Thu Mar 29 10:49:28 EDT 2007
[root@fjs-0-13 jpam-test]# rpm -q jpam
jpam-0.4-9.rhel4
Created attachment 151202
Test case
Wes,

Ok network authentication works perfectly - however you need to gain root or cap_sys_admin privileges to open/read /etc/shadow, hence you get EPERM. Checking the documentation it is said that the PAM authentication is meant to be for networking db's such as LDAP, NIS, Kerberos.

Jose
waiting for webqa to come back up.. I'd rather not bustificate our only working sat on build 20
pam and rhn are working together... verified...
Ok patch sent and committed upstream for JPam 1.0.

* http://jpam.sourceforge.net/changes-report.html#1.0

Jose
Closed for Satellite 500 Release.
*** Bug 213358 has been marked as a duplicate of this bug. ***