Bug 747015 - Implementing PAM Authentication with kerberos needs to specify 'realm' within the /etc/pam.d/rhn-satellite
Keywords:
Status: CLOSED DUPLICATE of bug 739582
Alias: None
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Docs Installation Guide
Version: 541
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Lana Brindley
QA Contact: ecs-bugs
URL:
Whiteboard:
Depends On:
Blocks: sat54-docs
 
Reported: 2011-10-18 15:12 UTC by Ricky Nelson
Modified: 2018-11-14 10:14 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-26 00:50:05 UTC
Target Upstream Version:
Embargoed:



Description Ricky Nelson 2011-10-18 15:12:15 UTC
Description of problem:
When following '8.10 Implementing PAM Authentication' from the Satellite 5.4 installation guide the following example is given to show authentication against Kerberos:

==========
As an example, for a Red Hat Enterprise Linux 5 i386 system, to authenticate against Kerberos one could put the following in /etc/pam.d/rhn-satellite:

#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check
==========

However, the above entries do not allow authentication against Kerberos to function. Authentication fails with a check against the 'EXAMPLE.COM' realm instead of what is specified within /etc/krb5.conf.

If you specify the 'realm' on the 'auth' and 'account' lines though, authentication is successful through the correct realm.

Version-Release number of selected component (if applicable):
5.4.1

How reproducible:
Follow the installation guide

Actual results:
When looking at /var/log/secure after an attempt to log in to the Satellite Web UI:

Oct 17 09:33:35 hostname IBM Java[4935]: pam_krb5[4935]: authentication fails for 'username' (username): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)


Expected results:
After specifying 'realm', within /var/log/secure:

Oct 18 16:33:47 hostname IBM Java[19225]: pam_krb5[19225]: TGT verified
Oct 18 16:33:47 hostname IBM Java[19225]: pam_krb5[19225]: authentication succeeds for 'username' (username@:YOUR.DOMAIN.COM)
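
A check for the condition reported above, as an added example that is not part of the original report or the Satellite documentation: it lists pam_krb5.so entries in a PAM service file that carry no realm= option, and flags realm= values that differ from default_realm in krb5.conf. The realm=REALM option syntax is assumed from pam_krb5's documented options; the function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example. The sample files are constructed; on a Satellite host pass
# /etc/pam.d/rhn-satellite and /etc/krb5.conf to the functions instead.

# List "LINENO: entry" for each active pam_krb5.so entry with no realm= option.
krb5_lines_missing_realm() {
    awk '/^[ \t]*#/ { next }    # comments, including the #%PAM-1.0 header
         /pam_krb5\.so/ && $0 !~ /[ \t]realm=[^ \t]+/ { print NR ": " $0 }' "$1"
}

# Print default_realm from the [libdefaults] section of a krb5.conf.
krb5_default_realm() {
    awk -F= '/^[ \t]*\[/ { in_lib = ($0 ~ /\[libdefaults\]/); next }
             in_lib && $1 ~ /^[ \t]*default_realm[ \t]*$/ {
                 gsub(/[ \t]/, "", $2); print $2; exit }' "$1"
}

# Print every realm= value in the PAM file ($1) that differs from the
# default_realm in krb5.conf ($2).
krb5_realm_mismatches() {
    want=$(krb5_default_realm "$2")
    grep -v '^[[:space:]]*#' "$1" | grep 'pam_krb5\.so' | tr ' \t' '\n\n' |
        sed -n 's/^realm=//p' | sort -u |
        while read -r r; do [ "$r" = "$want" ] || echo "$r"; done
}

# Constructed samples: the guide's example, then the same file with realm= set.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/guide" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check
EOF
sed 's/no_user_check/& realm=YOUR.DOMAIN.COM/' "$tmp/guide" > "$tmp/fixed"
sed 's/no_user_check/& realm=EXAMPLE.COM/' "$tmp/guide" > "$tmp/wrong"
printf '[libdefaults]\n default_realm = YOUR.DOMAIN.COM\n' > "$tmp/krb5.conf"

echo "guide example, entries without realm=:"
krb5_lines_missing_realm "$tmp/guide"
echo "realm= values that differ from default_realm:"
krb5_realm_mismatches "$tmp/wrong" "$tmp/krb5.conf"
```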

