Bug 501144 - Netatalk installs naive PAM configuration
Netatalk installs naive PAM configuration
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: netatalk (Show other bugs)
rawhide
All Linux
low Severity medium
: ---
: ---
Assigned To: Jiri Skala
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-05-16 23:23 EDT by W. Michael Petullo
Modified: 2014-11-09 17:31 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-11-29 08:24:09 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description W. Michael Petullo 2009-05-16 23:23:05 EDT
Description of problem:
My system authenticates against Kerberos. Netatalk's PAM configuration does not tie into the system-auth PAM configuration and only authenticates against pam_unix.so. As a result, Netatalk does not properly authenticate using Kerberos or any other more exotic authentication schemes that may be configured using authconfig.

Version-Release number of selected component (if applicable):
netatalk-2.0.3-23.fc10.i386

How reproducible:
Every time

Steps to Reproduce:
1. Configure a system to authenticate using Kerberos, LDAP, etc.
2. Install Netatalk and view /etc/pam.d/netatalk
  
Actual results:
Netatalk's PAM configuration only supports pam_unix.so.

Expected results:
Netatalk's PAM configuration should pull in system-auth.

Additional info:
A modified version of login's PAM configuration should work. Here is login's configuration:

#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    optional     pam_ck_connector.so
Comment 1 franklahm 2009-06-25 10:42:20 EDT
The PAM config file is obviously limited. I'd highly appreciate if you could
- push this issue upstream
- come up with a portable but complete PAM config which we can include upstream (if possible)

I'm currently working extensively on other Netatalk parts for 2.1 leaving no spare time for setting up a LDAP/Kerberos infrastructure.

Thanks!
Frank Lahm, Netatalk Developer
Comment 2 Bug Zapper 2009-11-18 06:58:08 EST
This message is a reminder that Fedora 10 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 10.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '10'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 10's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 10 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 3 W. Michael Petullo 2009-11-19 08:15:01 EST
In response to comment #1, the problem with pushing this upstream is that many distributions have different conventions for configuring PAM. For example, Fedora uses "auth  include  system-auth" but Debian used "@include common-auth." For recent discussion of this, see:

http://sourceforge.net/mailarchive/forum.php?thread_name=4242eef70911180611v4d717ef0q58c2fd0bb4a2853%40mail.gmail.com&forum_name=netatalk-devel

and the related responses.
Comment 4 franklahm 2009-11-19 08:27:09 EST
;) Take a close look at exactly _who_ has started that thread over there...

Regards,
Frank Lahm, Netatalk Developer
Comment 5 HAT 2009-11-19 09:37:11 EST
Hmm.
netatalk-2.0.4-3.fc12.src.rpm includes netatalk.pam-system-auth.

$ ls -l ~/rpmbuild/SOURCES/netatalk.pam-system-auth
-rw-r--r-- 1 hat users 334 2005-10-13 21:29 /home/hat/rpmbuild/SOURCES/netatalk.pam-system-auth

$ cat ~/rpmbuild/SOURCES/netatalk.pam-system-auth
# /etc/pam.d/netatalk
#
# PAM configuration file for netatalk using system-auth substack
# (this would enable use of netatalk by LDAP or NIS users).
#
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth


This file is not used at all.
Comment 6 Bug Zapper 2010-03-15 08:36:54 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 13 development cycle.
Changing version to '13'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 7 Bug Zapper 2011-06-02 14:05:18 EDT
This message is a reminder that Fedora 13 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 13.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '13'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 13's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 13 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Note You need to log in before you can comment on or make changes to this bug.