Bug 538703 - ksu doesn't work
Product: Fedora
Classification: Fedora
Component: krb5
Hardware: All
OS: Linux
Priority: low
Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
Reported: 2009-11-19 01:03 EST by Scott Schmit
Modified: 2009-12-04 19:00 EST
Fixed In Version: 1.7-10.fc12
Doc Type: Bug Fix
Last Closed: 2009-12-04 19:00:03 EST

Description Scott Schmit 2009-11-19 01:03:45 EST
Description of problem:
ksu doesn't work, even when (apparently) configured correctly (as compared to a Fedora 11 machine).

Version-Release number of selected component (if applicable):

How reproducible:
always, until workaround applied (see below)

Steps to Reproduce: (this is a minimalized case to allow for strace, the actual combination of source and destination user/principal doesn't really matter)
1. Fresh install
2. add realm / krb server config to /etc/krb5.conf
3. add host/<hostname> key to /etc/krb5.keytab
4. make sure that /etc/hosts is set in such a way that krb will pick up the right host principal
5. populate destination user .k5login with desired principal
6. as destination user: kinit as that principal
7. run ksu from the destination user to the destination user (feel free to adjust 5-7 to be more normal, I just ended with this to remove every variable I could think of)

Actual results:
ksu says everything is ok (authentication/authorization successful), then reports that access is denied and refuses to switch user.
/var/log/messages, /var/log/secure, /var/log/krb5kdc.log (on krb server) all report that ksu/kerberos authenticated/authorized the user successfully, no errors to report.

Expected results:
ksu changes your uid to the new user without error

Additional info:
It turns out that this is a problem in the PAM config: if I symlink su to ksu, ksu works. However, looking at my setup on an F11 box, this file doesn't exist, so it apparently wasn't required. Quite surprising and non-intuitive. I don't see anything in the RPM changelog to indicate that breaking ksu was deliberate (and I certainly hope it wasn't), so I'm pretty sure this is a bug. I imagine that either the symlink (or equivalent) needs to be added, or whatever other change that caused this should be reverted.
Comment 1 Nalin Dahyabhai 2009-11-20 10:54:22 EST
You're correct.  When I pulled up the patch to add PAM account and session management to ksu, I must have forgotten to add the PAM configuration.
Comment 2 Nalin Dahyabhai 2009-11-20 10:56:28 EST
Or rather, the PAM config was put into the krb5-workstation-servers package along with the rest of the ones that were already provided, rather than in krb5-workstation with ksu itself.  Mistake either way.
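
The diagnosis in the comments above can be checked on a host with a small script; this is an added example, not code from the reporter or the krb5 package. It relies on Linux-PAM's behaviour of applying the `other` policy to a service that has no file of its own; the directory contents, including the deny-all `other` file, are constructed for the demo, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: which PAM policy does a service name resolve to?
# Usage: pam_service_status SERVICE [PAM_DIR]  (PAM_DIR defaults to /etc/pam.d)
pam_service_status() {
    svc=$1
    dir=${2:-/etc/pam.d}
    if [ -e "$dir/$svc" ]; then          # -e follows symlinks; a dangling link is "missing"
        if [ -L "$dir/$svc" ]; then
            echo "own-config (symlink to $(readlink "$dir/$svc"))"
        else
            echo "own-config"
        fi
    elif [ -e "$dir/other" ]; then       # Linux-PAM default for services with no file
        echo "fallback-other"
    else
        echo "no-policy"
    fi
}

# Print the modules configured for one management group (auth, account,
# password, session) in a policy file, in stack order.
pam_stack_modules() {
    awk -v g="$2" '
        /^[ \t]*#/ || NF < 3 { next }
        {
            t = $1; sub(/^-/, "", t)     # a leading - on the type is legal
            if (t != g) next
            i = 2                        # control may be "[a=b c=d]" across fields
            if ($i ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
            print $(i + 1)
        }
    ' "$1"
}

# Constructed sample directory: policies for su and other, none for ksu.
demo() {
    d=$(mktemp -d)
    printf 'account required pam_permit.so\nsession required pam_unix.so\n' > "$d/su"
    printf 'auth required pam_deny.so\naccount required pam_deny.so\n' > "$d/other"
    echo "ksu before: $(pam_service_status ksu "$d")"
    echo "  account stack: $(pam_stack_modules "$d/other" account)"
    ln -s su "$d/ksu"                    # the workaround from the report
    echo "ksu after:  $(pam_service_status ksu "$d")"
    echo "  account stack: $(pam_stack_modules "$d/ksu" account)"
    rm -rf "$d"
}
demo
```

On a real system, `pam_service_status ksu` followed by `rpm -qf /etc/pam.d/ksu` shows whether the policy file is present and which package delivered it.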
Comment 3 Fedora Update System 2009-11-20 11:37:27 EST
krb5-1.7-10.fc12 has been submitted as an update for Fedora 12.
Comment 4 Fedora Update System 2009-11-24 02:59:28 EST
krb5-1.7-10.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update krb5'. You can provide feedback for this update here: http://admin.fedoraproject.org/updates/F12/FEDORA-2009-12018
Comment 5 Fedora Update System 2009-12-04 18:59:59 EST
krb5-1.7-10.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
