Bug 428930 - pam_ccreds: failed to open cached credentials
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: pam_ccreds
Version: 7
Hardware: All Linux
Priority: low
Severity: medium
Assigned To: Tomas Mraz
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-01-15 22:20 EST by Wilmer Jaramillo M.
Modified: 2008-01-18 09:18 EST (History)
Doc Type: Bug Fix
Last Closed: 2008-01-18 09:18:10 EST
Description Wilmer Jaramillo M. 2008-01-15 22:20:01 EST
Description of problem:
I have a working LDAP Directory Server. I have found
pam_ccreds for storing the cached password and nss_updatedb for the user/group
information. Now I'm trying to configure it all on Fedora 7. I edited the
/etc/pam.d/system-auth and /etc/nsswitch.conf file definitions[1]
accordingly; nevertheless, readable error messages appear in the log files
when a user login action occurs.

Version-Release number of selected component (if applicable):
glibc-2.6-3
pam_ccreds-4-2.fc7

How reproducible:
Steps to Reproduce:
1. Install pam_ccreds via yum.
2. Configure the /etc/nsswitch.conf and /etc/pam.d/system-auth file definitions
accordingly[1].
3. Try a user login with the login, gdm or kdm applications.
  
Actual results:
The login is successful but the module cannot retrieve credentials info;
readable error messages appear in /var/log/messages:

Jan 15 13:22:04 localhost cc_dump: pam_ccreds: failed to open cached
credentials "/var/cache/.security.db": No such file or directory
Jan 15 13:34:52 localhost cc_dump: pam_ccreds: failed to open cached
credentials "/var/cache/.security.db": No such file or directory
Jan 15 13:52:18 localhost cc_dump: pam_ccreds: failed to open cached
credentials "/var/cache/.security.db": No such file or directory

Later I manually ran the CLI 'cc_dump' and it produced an error message:
'pam_cc_start failed: Error in service module'; in the log files the message repeats:
Jan 15 13:58:03 localhost cc_dump: pam_ccreds: failed to open cached
credentials "/var/cache/.security.db": No such file or directory

Expected results:
With the login application, a message saying: "You have been logged on using cached
credentials"

Additional info:
[1] Config files:
 http://wilmer.fedorapeople.org/files/bugzilla/nsswitch.conf
 http://wilmer.fedorapeople.org/files/bugzilla/system-auth
Comment 1 Tomas Mraz 2008-01-16 03:06:51 EST
Do you have SELinux enabled and enforcing?
Please first try to login when ldap server is available. Then look for AVCs with
ausearch or by directly looking into /var/log/audit/audit.log. If there are
some, please post them here.
Comment 2 Wilmer Jaramillo M. 2008-01-16 11:48:53 EST
The current SELinux mode and related services (setroubleshoot) are disabled.

Comment 3 Tomas Mraz 2008-01-16 12:49:38 EST
So please first try login with ldap server available and see whether there are
any related messages in /var/log/secure and /var/log/messages. Then look whether
the file /var/cache/.security.db was created or not.
Comment 4 Wilmer Jaramillo M. 2008-01-18 09:18:10 EST
(In reply to comment #3)
> So please first try login with ldap server available and see whether there are
> any related messages in /var/log/secure and /var/log/messages. Then look whether
> the file /var/cache/.security.db was created or not.
> 

After following your suggestions the database was created; nevertheless, I get an error
immediately after "You have been logged on using cached credentials" saying
"Authentication service cannot retrieve authentication info" in the log files.
Playing with PAM and googling, I made some additional changes to the system-auth file:

--- /etc/pam.d/system-auth      2008-01-18 09:36:46.000000000 -0430
+++ system-auth 2008-01-18 09:40:39.000000000 -0430
@@ -3,13 +3,16 @@
 # User changes will be destroyed the next time authconfig is run.
 auth        required      pam_env.so
 auth        sufficient    pam_unix.so nullok try_first_pass
-auth        sufficient    pam_ldap.so use_first_pass
-auth        required      pam_deny.so
+auth    [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
+auth    [default=done]  pam_ccreds.so action=validate use_first_pass
+auth    [default=done]  pam_ccreds.so action=store
+auth    [default=done]   pam_ccreds.so action=update
+auth     required      pam_deny.so
 
-account     required      pam_unix.so broken_shadow
+account     [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
 account     sufficient    pam_localuser.so
 account     sufficient    pam_succeed_if.so uid < 500 quiet
-account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
+account     [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so
 account     required      pam_permit.so
 
 password    requisite     pam_cracklib.so try_first_pass retry=3
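
Review bot: the `pam_ccreds.so action=update` line should not use `[default=done]`. It is the target of `default=2` on the pam_ldap.so line, which is the branch taken when LDAP answers and rejects the password, and `done` ends the auth stack at that point with whatever pam_ccreds returns, so a success return from the update action would let the login through and `auth required pam_deny.so` is never reached on that path. Use `[default=bad]` on the update line so a rejected LDAP password always ends in a failure. In the account section, dropping `broken_shadow` and putting `[... default=done]` on pam_unix.so means the pam_localuser.so, pam_succeed_if.so and pam_ldap.so lines only run when pam_unix.so returns user_unknown or authinfo_unavail; that deserves a comment in the file. The header line in this hunk also says authconfig will overwrite these edits the next time it runs, so the change needs to be kept somewhere it can be reapplied.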

Now credentials are working properly. Thanks for your interest.
