Bug 747015 - Implementing PAM Authentication with kerberos needs to specify 'realm' within the /etc/pam.d/rhn-satellite
Status: CLOSED DUPLICATE of bug 739582
Product: Red Hat Satellite 5
Classification: Red Hat
Component: Docs Installation Guide
All Linux
low Severity low
Assigned To: Lana Brindley
Blocks: sat54-docs
Reported: 2011-10-18 11:12 EDT by Ricky Nelson
Modified: 2013-10-23 19:25 EDT
Doc Type: Bug Fix
Last Closed: 2011-10-25 20:50:05 EDT

Description Ricky Nelson 2011-10-18 11:12:15 EDT
Description of problem:
When following '8.10 Implementing PAM Authentication' from the Satellite 5.4 installation guide the following example is given to show authentication against Kerberos:

As an example, for a Red Hat Enterprise Linux 5 i386 system, to authenticate against Kerberos one could put the following in /etc/pam.d/rhn-satellite:

auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check

However the above entries do not allow authentication against Kerberos to function. Authentication fails with a check against the 'EXAMPLE.COM' realm instead of what is specified within /etc/krb5.conf.

If you specify the 'realm' on the 'auth' and 'account' lines though, authentication is successful through the correct realm.

Version-Release number of selected component (if applicable):

How reproducible:
Follow the installation guide

Actual results:
When looking at /var/log/secure after an attempt to log in to the Satellite Web UI:

Oct 17 09:33:35 hostname IBM Java[4935]: pam_krb5[4935]: authentication fails for 'username' (username@EXAMPLE.COM): Authentication service cannot retrieve authentication info (Cannot resolve network address for KDC in requested realm)

Expected results:
After specifying 'realm', within /var/log/secure:

Oct 18 16:33:47 hostname IBM Java[19225]: pam_krb5[19225]: TGT verified
Oct 18 16:33:47 hostname IBM Java[19225]: pam_krb5[19225]: authentication succeeds for 'username' (username@:YOUR.DOMAIN.COM)
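
A check for the condition this report describes, added here as an example and not part of the original report or the Satellite documentation: it reads default_realm from krb5.conf text and flags pam_krb5.so auth/account lines that carry no realm= argument or name a different realm. The function names are hypothetical, the sample inputs are constructed from the lines quoted above, and YOUR.DOMAIN.COM is the placeholder realm from the report's log output.

```python
import re

# Constructed sample: the PAM stack quoted in the report.
SAMPLE_PAM = """\
auth        required      pam_env.so
auth        sufficient    pam_krb5.so no_user_check
auth        required      pam_deny.so
account     required      pam_krb5.so no_user_check
"""
# Constructed krb5.conf fragment; YOUR.DOMAIN.COM is a placeholder realm.
SAMPLE_KRB5 = """\
[libdefaults]
 default_realm = YOUR.DOMAIN.COM
"""

def default_realm(krb5_conf):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.fullmatch(r"\[(\w+)\]", line)
        if m:
            section = m.group(1)
        elif section == "libdefaults":
            m = re.fullmatch(r"default_realm\s*=\s*(\S+)", line)
            if m:
                return m.group(1)
    return None

def check_pam_krb5(pam_text, expected_realm):
    """Return (findings, fixed_text); fixed lines drop any trailing comment."""
    findings, fixed = [], []
    for n, raw in enumerate(pam_text.splitlines(), 1):
        code = raw.split("#", 1)[0]
        fields = code.split()
        # Locate the module by name so bracketed control values still work.
        mod = next((i for i, f in enumerate(fields) if f.endswith("pam_krb5.so")), None)
        if fields and fields[0].lstrip("-") in ("auth", "account") and mod is not None:
            realms = [a[len("realm="):] for a in fields[mod + 1:] if a.startswith("realm=")]
            if not realms:
                findings.append((n, "no realm= argument"))
                raw = f"{code.rstrip()} realm={expected_realm}"
            elif realms[-1] != expected_realm:
                findings.append((n, f"realm={realms[-1]} differs from {expected_realm}"))
        fixed.append(raw)
    return findings, "\n".join(fixed) + "\n"
```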
