Description of problem:
ksu had pam support added with bug 477033. It's occasionally failing with an error, "Error opening session for <USERNAME>". Adding "[ksu] { use_pam = false }" to /etc/krb5.conf "fixes" the problem by disabling pam usage, but this also removes the other pam modules from the mix like pam_access.

Version-Release number of selected component (if applicable):
krb5-workstation-1.6.1-36.el5_4.1.x86_64

How reproducible:
occasionally

Steps to Reproduce:
1. configure system for kerberos
2. ksu username

Actual results:
Error opening session for <USERNAME>

Expected results:
become the <USERNAME> user
Created attachment 417384
proposed patch

This moves the pam_session_open() call earlier, to do it before switching to the target user's privileges. Incorporates currently-proposed changes for bug #540769 because they're intertwined.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0098.html