From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Mozilla 4.79; X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020513

Description of problem:
After applying all updates to a 7.3 and 8.0 machine we are not able to log into the virtual consoles other than X. All logins except root are compared against kerberos database using onetime keys from a cryptocard. Neither these nor root accounts seem to be able to log in. After much head banging on my part, a co-worker made some changes to /etc/pam.d/system-auth and logins were allowed again. The line seems to be the following:

    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

Changing this to "required" allowed non-root accounts to log in, but not the root account. Making the final change to "sufficient" allowed for all accounts to log in via console.

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. update machine to latest RPMS
2. run authconfig
3. watch people not login

Additional info:
While we have a workaround, we are not sure it is the best thing since it is breaking the 'way things were set up by Red Hat tools'.

While I know no one seems to be reading these bug reports :)... I figured out what the problem is: authconfig puts in a line for /etc/pam.d/system-auth that does not seem to work in our Kerberos environment.

    account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

This central part is causing our root logins to fail and our current fix is to install a patched version that doesn't have this line in it.

Hmm. Setting the module to "sufficient" has the same effect as removing the check completely (because a "required" module has already succeeded at that point, libpam will ignore the failure code returned by pam_krb5 if it is marked "sufficient"). Do your users have principals in Kerberos? What error messages are you getting from pam_krb5 when login fails?
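
The control-flag behaviour discussed in this thread, as an added example that is not part of the original bug report and is not Linux-PAM's own code: a simplified Python model of how libpam combines module results within one stack. The preceding "required" module (assumed here to be pam_unix.so) and the pam_krb5 return values passed in are constructed for illustration; the thread does not say what pam_krb5 actually returned.

```python
# Simplified model of how libpam combines module results in one stack.
# Shorthand controls expand to the bracket form described in pam.conf(5).
SHORTHAND = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
KRB5 = "/lib/security/pam_krb5.so"
UNIX = "/lib/security/pam_unix.so"  # assumption: the earlier "required" module
BRACKET = (
    "[default=bad success=ok user_unknown=ignore "
    "service_err=ignore system_err=ignore]")

def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into {retval: action}."""
    if control in SHORTHAND:
        return SHORTHAND[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_stack(stack, returns):
    """stack: [(control, module)]; returns: {module: retval}. Gives the final status."""
    status, impression = "success", None  # impression: None, "positive" or "negative"
    for control, module in stack:
        actions = parse_control(control)
        action = actions.get(returns[module], actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                status, impression = returns[module], "positive"
            if action == "done" and impression == "positive":
                break  # "done" ends the stack early when nothing has failed yet
        elif action in ("bad", "die"):
            if impression != "negative":  # the first failure decides the result
                status, impression = returns[module], "negative"
            if action == "die":
                break
        # "ignore": this module's result does not contribute at all
    # A stack in which every result was ignored must not succeed.
    return status if impression else "must_fail"

def account_result(krb5_control, krb5_retval):
    """Account stack: a required module that succeeds, then pam_krb5."""
    stack = [("required", UNIX), (krb5_control, KRB5)]
    return run_stack(stack, {UNIX: "success", KRB5: krb5_retval})

if __name__ == "__main__":
    for control in (BRACKET, "required", "sufficient"):
        for retval in ("success", "user_unknown", "perm_denied"):  # constructed values
            print(f"{control[:12]:12} krb5={retval:12} -> {account_result(control, retval)}")
```

In this model the bracket control and "required" differ only in which pam_krb5 return values are ignored, while "sufficient" turns every pam_krb5 failure into an ignored result once the earlier module has succeeded.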