Bug 79853 - updated pam_krb5 does not allow logins on console.
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
All Linux
medium Severity medium
Assigned To: Nalin Dahyabhai
Reported: 2002-12-17 11:07 EST by Stephen John Smoogen
Modified: 2007-11-30 17:06 EST
Doc Type: Bug Fix
Last Closed: 2004-02-24 14:07:39 EST
Description Stephen John Smoogen 2002-12-17 11:07:03 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Mozilla 4.79; X11; U; Linux i686; en-US;
rv:0.9.9) Gecko/20020513

Description of problem:
After applying all updates to a 7.3 and 8.0 machine we are not able to log into
the virtual consoles other than X. All logins except root are compared against
the Kerberos database using one-time keys from a cryptocard. Neither these nor root
accounts seem to be able to log in.

After much head banging on my part, a co-worker made some changes to
/etc/pam.d/system-auth and logins were allowed again. The line seems to be the

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

Changing this to "required" allowed non-root accounts to log in, but not the
root account. Making the final change to "sufficient" allowed for all accounts
to log in via console.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. update machine to latest RPMS
2. run authconfig
3. watch people not log in

Additional info:

While we have a workaround, we are not sure it is the best thing since it is
breaking the 'way things were setup by Red Hat tools'.
Comment 1 Stephen John Smoogen 2003-02-14 01:28:20 EST
While I know no one seems to be reading these bug reports :)... I figured out
what the problem is:

authconfig puts in a line for /etc/pam.d/system-auth that does not seem to work
in our Kerberos environment.

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

This central part is causing our root logins to fail and our current fix is to
install a patched version that doesn't have this line in it.
Comment 2 Nalin Dahyabhai 2004-02-20 18:38:58 EST
Hmm. Setting the module to "sufficient" has the same effect as
removing the check completely (because a "required" module has already
succeeded at that point, libpam will ignore the failure code returned
by pam_krb5 if it is marked "sufficient").

Do your users have principals in Kerberos?  What error messages are
you getting from pam_krb5 when login fails?
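
Added example (not part of the original bug report and not pam_krb5 or libpam code): a simplified Python model of how Linux-PAM combines module results in a stack, comparing the bracketed control from the report with the "required" and "sufficient" keywords. The preceding "required" module that succeeds and the pam_krb5 return codes tried here are assumptions for illustration; jump and reset actions are not modelled.

```python
# Simplified model of Linux-PAM stack evaluation (ok/done/bad/die/ignore only).
KEYWORDS = {  # keyword controls and their documented bracket equivalents
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}
BRACKET = ("[default=bad success=ok user_unknown=ignore "
           "service_err=ignore system_err=ignore]")  # control from the report

def parse_control(control):
    """Turn a keyword or [value=action ...] control into {value: action}."""
    spec = KEYWORDS.get(control, control.strip("[]"))
    return dict(pair.split("=") for pair in spec.split())

def run_stack(stack):
    """stack: list of (control, module_return). Returns the stack's result."""
    impression, status = None, "perm_denied"  # nothing has voted yet: fail
    for control, ret in stack:
        actions = parse_control(control)
        action = actions.get(ret, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # A success only counts if no earlier module has failed.
            if impression is None or (impression and status == "success"):
                impression, status = True, ret
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            # The first failure fixes the result of the whole stack.
            if impression is not False:
                impression, status = False, ret
            if action == "die":
                break
        # "ignore": this module's return code does not contribute.
    return status

def account_result(krb5_control, krb5_return):
    # Assumed stack: a "required" module that succeeds, then pam_krb5.
    return run_stack([("required", "success"), (krb5_control, krb5_return)])

if __name__ == "__main__":
    controls = (BRACKET, "required", "sufficient")
    print(f"{'pam_krb5 returns':17} bracket / required / sufficient")
    for ret in ("success", "user_unknown", "service_err", "perm_denied"):
        print(f"{ret:17}", " / ".join(account_result(c, ret) for c in controls))
```

In this model, any pam_krb5 return code under "sufficient" leaves the stack result at the earlier module's success, which is the effect described in Comment 2.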
