Bug 538703 - ksu doesn't work
Summary: ksu doesn't work
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2009-11-19 06:03 UTC by Scott Schmit
Modified: 2009-12-05 00:00 UTC (History)

Fixed In Version: 1.7-10.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-12-05 00:00:03 UTC
Type: ---
Embargoed:



Description Scott Schmit 2009-11-19 06:03:45 UTC
Description of problem:
ksu doesn't work, even when (apparently) configured correctly (as compared to a Fedora 11 machine).

Version-Release number of selected component (if applicable):
krb5-workstation-1.7-8.fc12.x86_64

How reproducible:
always, until workaround applied (see below)

Steps to Reproduce: (this is a minimalized case to allow for strace, the actual combination of source and destination user/principal doesn't really matter)
1. Fresh install
2. add realm / krb server config to /etc/krb5.conf
3. add host/<hostname> key to /etc/krb5.keytab
4. make sure that /etc/hosts is set in such a way that krb will pick up the right host principal
5. populate destination user .k5login with desired principal
6. as destination user: kinit as that principal
7. run ksu from the destination user to the destination user (feel free to adjust 5-7 to be more normal, I just ended with this to remove every variable I could think of)

Actual results:
ksu says everything is ok (authentication/authorization successful), then reports that access is denied and refuses to switch user.
/var/log/messages, /var/log/secure, /var/log/krb5kdc.log (on krb server) all report that ksu/kerberos authenticated/authorized the user successfully, no errors to report.

Expected results:
ksu changes your uid to the new user without error

Additional info:
It turns out that this is a problem in the PAM config: if I symlink su to ksu, ksu works. However, looking at my setup on an F11 box, this file doesn't exist, so it apparently wasn't required. Quite surprising and non-intuitive. I don't see anything in the RPM changelog to indicate that breaking ksu was deliberate (and I certainly hope it wasn't), so I'm pretty sure this is a bug. I imagine that either the symlink (or equivalent) needs to be added, or whatever other change that caused this should be reverted.

Comment 1 Nalin Dahyabhai 2009-11-20 15:54:22 UTC
You're correct.  When I pulled up the patch to add PAM account and session management to ksu, I must have forgotten to add the PAM configuration.

Comment 2 Nalin Dahyabhai 2009-11-20 15:56:28 UTC
Or rather, the PAM config was put into the krb5-workstation-servers package along with the rest of the ones that were already provided, rather than in krb5-workstation with ksu itself.  Mistake either way.
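
Added example, not part of the original bug report or the krb5 package: a shell check for the condition discussed above, a PAM-aware program whose service file is absent. It assumes Linux-PAM's one-file-per-service directory layout, where a service without its own file is handled by the `other` stack; the function name and the sample directory are constructed for illustration.

```shell
#!/bin/sh
# Classify how a PAM service name resolves inside a pam.d-style directory.
# Assumption: Linux-PAM layout; a service with no file uses the "other" stack.
# pam_service_status is a hypothetical helper, not a PAM or krb5 tool.

pam_service_status() {
    dir=$1
    svc=$2
    if [ -L "$dir/$svc" ] && [ -e "$dir/$svc" ]; then
        # Working symlink, e.g. the reporter's "symlink su to ksu" workaround.
        echo "symlink:$(readlink "$dir/$svc")"
    elif [ -f "$dir/$svc" ]; then
        echo "own"
    elif [ -f "$dir/other" ]; then
        # No usable service file (absent or dangling link): "other" applies.
        # A pam_deny.so account line there rejects the request even after
        # Kerberos authentication and .k5login authorization have succeeded.
        if grep -Eq '^[[:space:]]*-?account[[:space:]]+[^#]*pam_deny\.so' "$dir/other"; then
            echo "fallback-deny"
        else
            echo "fallback-other"
        fi
    else
        echo "missing"
    fi
}

# Constructed sample directory: su has a service file, ksu does not,
# and "other" denies everything.
demo_dir=$(mktemp -d)
printf 'auth required pam_deny.so\naccount required pam_deny.so\n' > "$demo_dir/other"
printf 'account include system-auth\n' > "$demo_dir/su"

echo "ksu, no service file:   $(pam_service_status "$demo_dir" ksu)"
ln -s su "$demo_dir/ksu"    # workaround described in the report
echo "ksu, symlinked to su:   $(pam_service_status "$demo_dir" ksu)"
rm -rf "$demo_dir"
```

Pointing the function at `/etc/pam.d` with service `ksu` reports whether an installed system is in the state described in this bug.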

Comment 3 Fedora Update System 2009-11-20 16:37:27 UTC
krb5-1.7-10.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/krb5-1.7-10.fc12

Comment 4 Fedora Update System 2009-11-24 07:59:28 UTC
krb5-1.7-10.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update krb5'.
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12018

Comment 5 Fedora Update System 2009-12-04 23:59:59 UTC
krb5-1.7-10.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

