Bug 72290 - authconfig breaks site-based krb.conf when run without any changes
authconfig breaks site-based krb.conf when run without any changes
Product: Fedora
Classification: Fedora
Component: authconfig (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
: FutureFeature
Depends On:
  Show dependency treegraph
Reported: 2002-08-22 15:03 EDT by Need Real Name
Modified: 2007-11-30 17:10 EST (History)
1 user (show)

See Also:
Fixed In Version: authconfig-5.1.0-1
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-12-17 07:53:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Need Real Name 2002-08-22 15:03:37 EDT
From Bugzilla Helper:

User-Agent: Mozilla/4.0 (compatible; MSIE 5.21; Mac_PowerPC)

Description of problem:

When authconfig is run and LDAP is configured, or nothing is changed at all (simply run 
with <next> and <ok>), it writes back krb5.conf and krb.conf even if those files were not 
selected/altered in authconfig. For krb4 sites the krb5.conf entries and krb.conf (v4) are 
merged into a new krb.conf with both, breaking clients.

Version-Release number of selected component (if applicable):

at least 4.2.8-4

How reproducible:


Steps to Reproduce:

1. Have krb5 info in /etc/krb5.conf, krb4 info in /etc/krb.conf

2. run authconfig, select <next> and then <ok>. Exit.

3. /etc/krb.conf  now contains krb5.conf information at the top

Actual Results:  kinit results in incorrect password after using authconfig. Files were 
altered by authconfig even though not toggled in the utility.

Expected Results:  requests should have been forwarded to Krb4 servers (which are now 
listed later in /etc/krb.conf). Specifically, authconfig read in Kerberos files and wrote them 
back EVEN THOUGH no changes were made. It should not do this. First detected when 
trying to set LDAP information, and Krb info was altered too!

Additional info:

For sites with site-wide configuration files (Stanford, MIT, UMich, etc) that still use 
Kerberos v4 as well as v5, the v4 applications now fail because krb.conf is munged.

sample pre authconfig krb.conf file:

IR.STANFORD.EDU auth1.stanford.edu admin server
IR.STANFORD.EDU auth2.stanford.edu admin server
IR.STANFORD.EDU auth3.stanford.edu admin server

sample post authconfig krb.conf file:

stanford.edu    krb5auth1.stanford.edu:88
stanford.edu    krb5auth2.stanford.edu:88
stanford.edu    krb5auth3.stanford.edu:88
stanford.edu    krb5-admin.stanford.edu admin server
IR.STANFORD.EDU auth2.stanford.edu admin server
IR.STANFORD.EDU auth3.stanford.edu admin server

I consider this a security issue since it affects authorization systems. Once authconfig is 
run and ticket-grabbing background applications silently fail to acquire tickets during 
login, desktop network services assumed to be secure by end users may in fact be in 
clear text.
Comment 1 Tomas Mraz 2004-11-11 14:13:25 EST
This is actually a feature of authconfig. A bad feature and I agree it
should be fixed. 
Comment 2 Tomas Mraz 2005-08-23 10:07:30 EDT
It is questionable if authconfig should mess with krb.conf at all.
However at least it shouldn't overwrite it if no configuration changes were done
in the Kerberos settings.
Comment 3 Tomas Mraz 2005-12-17 07:53:36 EST
So I've finally fixed it. If no kerberos settings are changed the krb.conf (and
krb5.conf) files aren't overwritten.

Note You need to log in before you can comment on or make changes to this bug.