Red Hat Bugzilla – Bug 538703
ksu doesn't work
Last modified: 2009-12-04 19:00:03 EST
Description of problem:
ksu doesn't work, even when (apparently) configured correctly (as compared to a Fedora 11 machine).
Version-Release number of selected component (if applicable):
always, until workaround applied (see below)
Steps to Reproduce: (this is a minimalized case to allow for strace, the actual combination of source and destination user/principal doesn't really matter)
1. Fresh install
2. add realm / krb server config to /etc/krb5.conf
3. add host/<hostname> key to /etc/krb5.keytab
4. make sure that /etc/hosts is set in such a way that krb will pick up the right host principal
5. populate destination user .k5login with desired principal
6. as destination user: kinit as that principal
7. run ksu from the destination user to the destination user (feel free to adjust 5-7 to be more normal, I just ended with this to remove every variable I could think of)
ksu says everything is ok (authentication/authorization successful), then reports that access is denied and refuses to switch user.
/var/log/messages, /var/log/secure, /var/log/krb5kdc.log (on krb server) all report that ksu/kerberos authenticated/authorized the user successfully, no errors to report.
ksu changes your uid to the new user without error
It turns out that this is a problem in the PAM config: if I symlink su to ksu, ksu works. However, looking at my setup on an F11 box, this file doesn't exist, so it apparently wasn't required. Quite surprising and non-intuitive. I don't see anything in the RPM changelog to indicate that breaking ksu was deliberate (and I certainly hope it wasn't), so I'm pretty sure this is a bug. I imagine that either the symlink (or equivalent) needs to be added, or whatever other change caused this should be reverted.
You're correct. When I pulled up the patch to add PAM account and session management to ksu, I must have forgotten to add the PAM configuration.
Or rather, the PAM config was put into the krb5-workstation-servers package along with the rest of the ones that were already provided, rather than in krb5-workstation with ksu itself. Mistake either way.
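A check for the condition discussed in this report, added here as an example (it is not part of the bug thread or of the krb5 packages): it reports whether a PAM service file exists for a program and whether it defines the account and session stacks that the patched ksu calls. The function names are hypothetical, and the usual Linux-PAM directory /etc/pam.d is assumed; when a service file is absent, Linux-PAM falls back to the "other" service.

```shell
#!/bin/sh
# Added example: does a PAM-aware program have the service file it needs?
# Function names are hypothetical; the PAM directory is a parameter so the
# check can also be run against a copy of /etc/pam.d.

# has_stack FILE TYPE -> exit status 0 if FILE has a rule of that type.
has_stack() {
    # Comment lines are skipped; a leading '-' on the type is valid syntax.
    awk -v want="$2" '
        /^[[:space:]]*#/ { next }
        { t = $1; sub(/^-/, "", t); if (t == want) found = 1 }
        END { exit !found }' "$1"
}

# pam_service_status PAM_DIR SERVICE -> prints one of:
#   missing            no usable file; Linux-PAM falls back to "other"
#   incomplete:<list>  file exists but lacks the listed stacks
#   ok                 file exists with account and session rules
pam_service_status() {
    pam_dir=$1
    service=$2
    file="$pam_dir/$service"
    # -e follows symlinks, so a dangling symlink also counts as missing.
    if [ ! -e "$file" ]; then
        echo "missing"
        return 0
    fi
    missing=""
    # The ksu patch discussed above added account and session management.
    for type in account session; do
        has_stack "$file" "$type" || missing="${missing:+$missing,}$type"
    done
    if [ -n "$missing" ]; then
        echo "incomplete:$missing"
    else
        echo "ok"
    fi
}

# Usage: pam_service_status /etc/pam.d ksu
```

A result of "missing" for ksu corresponds to the state described in this bug; the reporter's symlink workaround would make the same call print "ok" as long as the su file defines both stacks.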
krb5-1.7-10.fc12 has been submitted as an update for Fedora 12.
krb5-1.7-10.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update krb5'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12018
krb5-1.7-10.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.