Bug 79853 - updated pam_krb5 does not allow logins on console.
Status: CLOSED CURRENTRELEASE
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
Version: 3.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
Reported: 2002-12-17 16:07 UTC by Stephen John Smoogen
Modified: 2007-11-30 22:06 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-02-24 19:07:39 UTC
Description Stephen John Smoogen 2002-12-17 16:07:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Mozilla 4.79; X11; U; Linux i686; en-US;
rv:0.9.9) Gecko/20020513

Description of problem:
After applying all updates to a 7.3 and 8.0 machine we are not able to log into
the virtual consoles other than X. All logins except root are compared against
Kerberos database using one-time keys from a cryptocard. Neither these nor root
accounts seem to be able to log in.

After much head banging on my part, a co-worker made some changes to
/etc/pam.d/system-auth and logins were allowed again. The line seems to be the
following:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

Changing this to "required" allowed non-root accounts to log in, but not the
root account. Making the final change to "sufficient" allowed for all accounts
to log in via console.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. update machine to latest RPMS
2. run authconfig
3. watch people not log in
    

Additional info:

While we have a workaround, we are not sure it is the best thing since it is
breaking the 'way things were set up by Red Hat tools'.

Comment 1 Stephen John Smoogen 2003-02-14 06:28:20 UTC
While I know no one seems to be reading these bug reports :)... I figured out
what the problem is:

authconfig puts in a line for /etc/pam.d/system-auth that does not seem to work
in our Kerberos environment.

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
 
This central part is causing our root logins to fail and our current fix is to
install a patched version that doesn't have this line in it.

Comment 2 Nalin Dahyabhai 2004-02-20 23:38:58 UTC
Hmm. Setting the module to "sufficient" has the same effect as
removing the check completely (because a "required" module has already
succeeded at that point, libpam will ignore the failure code returned
by pam_krb5 if it is marked "sufficient").

Do your users have principals in Kerberos?  What error messages are
you getting from pam_krb5 when login fails?
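
The effect described in Comment 2, as an added example that is not part of the original report and is not libpam or pam_krb5 code: a simplified model of libpam's stack evaluation (no jumps, "reset" or cached chains), using the keyword expansions documented in pam.conf(5). Assumptions: the earlier "required" module is pam_unix.so and succeeds, and the pam_krb5 return codes passed in are constructed, since the report does not say what the module returned.

```python
# Simplified model of how libpam walks one stack of modules.
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# The control from the authconfig-generated line quoted in the report.
KRB5_BRACKET = "[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]"

def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into an action map."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]

def evaluate(stack):
    """stack: list of (control, module, return_code); returns the final status."""
    impression, status = None, "perm_denied"  # nothing decided yet: must fail
    for control, _module, ret in stack:
        actions = parse_control(control)
        action = actions.get(ret, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "pos" and status == "success"):
                if ret != "ignore":
                    impression, status = "pos", ret
            if action == "done" and impression == "pos":
                break  # a positive "done" ends the stack immediately
        elif action in ("bad", "die"):
            if impression != "neg":  # the first failure fixes the result
                impression, status = "neg", ret
            if action == "die":
                break
        # action == "ignore": this module's result has no effect
    return status

def account_stack(krb5_control, krb5_ret):
    """Account stack: assumed pam_unix.so success, then optional pam_krb5."""
    stack = [("required", "pam_unix.so", "success")]  # assumption, see lead-in
    if krb5_control is not None:  # None models deleting the pam_krb5 line
        stack.append((krb5_control, "pam_krb5.so", krb5_ret))
    return evaluate(stack)

if __name__ == "__main__":
    for ctl in (KRB5_BRACKET, "required", "sufficient", None):
        print(f"{str(ctl)[:24]:<24} -> {account_stack(ctl, 'perm_denied')}")
```

With a constructed perm_denied from pam_krb5, "sufficient" yields the same result as deleting the line, so the workaround in the report leaves the Kerberos account check with no say in the outcome.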

