Description of problem:
(Description from customer) The option "validate" is used for pam_krb5's auth module. When a user logs in with an expired password, pam_krb5 will request a ticket for kadmin/changepw instead of krbtgt. The ticket from kadmin/changepw can't be used to request a service ticket for a local host to verify the local host identity. As a result, the user authentication fails. Turning off "validate" works, but will decrease the security.

The proper behavior should be: when pam_sm_authenticate requests a ticket for kadmin/changepw, it should not validate the local host identity. Then it should return PAM_NEW_AUTHTOK_REQD. When pam_sm_chauthtok is called, it should change the password, and use the new password to validate the local host.

Version-Release number of selected component (if applicable):
pam_krb5-1.79-1

How reproducible:
Always

Steps to Reproduce:
1) Build a RHEL 3 U9 box and make sure you are using the latest pam_krb5-1.79-1 package (the behavior also occurs with older versions).
2) Add a host key to the KDC and add the generated key to the client's keytab file:
   addprinc -randkey host/hostname
   ktadd -k /etc/krb5.keytab host/hostname
3) Set up system-auth to do the auth and password sections using pam_krb5. Add the 'validate' option to the auth section of the pam_krb5 module in system-auth.
4) Expire the user's password on the KDC (modprinc -pwexpire "01/01" user03).
5) Try to log into the client; you will hit the condition in pam_krb5afs.c:2059:
   krc = krb5_verify_init_creds(context, &stash->v5_creds, NULL, NULL, NULL, NULL);
   if (krc == KRB5_SUCCESS) {
       INFO("TGT for %s successfully verified", user);
   } else {
       CRIT("TGT verification failed for `%s'");
   }
   krb5_verify_init_creds will fail with the password-changing credentials and the user will never be prompted for a password change.

Actual results:
Authentication failure

Expected results:
Authentication succeeds after TGT validation.
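The decision flow the report asks for, as an added illustration that is not part of this bug or of the pam_krb5 source: initial credentials for kadmin/changepw skip host validation and yield PAM_NEW_AUTHTOK_REQD, while a real TGT is still validated when the "validate" option is set. The verify callback stands in for krb5_verify_init_creds(); the principal strings and the call counter are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Return codes; values mirror Linux-PAM's <security/pam_appl.h>. */
#define PAM_SUCCESS          0
#define PAM_AUTH_ERR         7
#define PAM_NEW_AUTHTOK_REQD 12

/* Stand-in for krb5_verify_init_creds(): 0 on success, non-zero on failure. */
typedef int (*verify_fn)(const char *server_principal);

/* True when the server principal names the password-changing service.
 * Only the name part is compared; the realm after '@' is ignored. */
int creds_are_for_changepw(const char *server_principal)
{
    const char *cpw = "kadmin/changepw";
    size_t n = strlen(cpw);
    if (strncmp(server_principal, cpw, n) != 0)
        return 0;
    return server_principal[n] == '\0' || server_principal[n] == '@';
}

/* What pam_sm_authenticate should return once initial credentials were
 * obtained for 'server_principal'. 'validate' is the module option. */
int decide_auth_result(int validate, const char *server_principal, verify_fn verify)
{
    if (creds_are_for_changepw(server_principal)) {
        /* A kadmin/changepw ticket cannot fetch a host/... service ticket,
         * so host validation is deferred to pam_sm_chauthtok, which will
         * re-validate with the TGT obtained from the new password. */
        return PAM_NEW_AUTHTOK_REQD;
    }
    if (!validate)
        return PAM_SUCCESS;           /* validation disabled: weaker, as noted */
    return verify(server_principal) == 0 ? PAM_SUCCESS : PAM_AUTH_ERR;
}

/* Constructed verifier modelling the reported behaviour: only a krbtgt
 * ticket can be used to obtain the host service ticket. */
int verify_calls = 0;
int stub_verify(const char *server_principal)
{
    verify_calls++;
    return strncmp(server_principal, "krbtgt/", 7) == 0 ? 0 : -1;
}

int main(void)
{
    int rc = decide_auth_result(1, "kadmin/changepw@EXAMPLE.COM", stub_verify);
    printf("expired-password login -> %d (verify called %d times)\n", rc, verify_calls);
    return 0;
}
```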
Additional info: Patch attached which fixes the issue, written by Paul Batkowski <pbatkowski>
Created attachment 296104: pam_krb5-novalidate_on_cpw.patch <pbatkowski>
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0813.html