Bug 799007 - pam_krb5 seem to ignore KVNOs in /etc/krb5.keytab
pam_krb5 seem to ignore KVNOs in /etc/krb5.keytab
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_krb5 (Show other bugs)
6.2
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Nalin Dahyabhai
BaseOS QE Security Team
:
Depends On:
Blocks: 782183 1002711
  Show dependency treegraph
 
Reported: 2012-03-01 09:34 EST by Ondrej Valousek
Modified: 2015-09-18 09:55 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-09-18 09:55:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ondrej Valousek 2012-03-01 09:34:53 EST
Description of problem:

When logging in using Kerberos, module pam_krb5.so seems to validate the TGT using system Kerberos database (/etc/krb5.ketab). It usually ends up using the "host/" principal for this checks. This check works fine unless there are more "host/" principals in the system keytab file (for example some process is renewing them creating new principals with a higher KVNO) - in this case, pam_krb5.so seems to pick the first one only and the check will fail with the message like this:

pam_krb5[27045]: TGT failed verification using keytab and key for
'host/draco.prague.s3group.com@DUBLIN.AD.S3GROUP.COM': Wrong principal in
request

and the user login attempt is rejected.


Version-Release number of selected component (if applicable):
pam_krb5-2.3.11

How reproducible:
always
Comment 2 RHEL Product and Program Management 2012-07-10 04:16:24 EDT
This request was not resolved in time for the current release.
Red Hat invites you to ask your support representative to
propose this request, if still desired, for consideration in
the next release of Red Hat Enterprise Linux.
Comment 3 RHEL Product and Program Management 2012-07-10 21:53:10 EDT
This request was erroneously removed from consideration in Red Hat Enterprise Linux 6.4, which is currently under development.  This request will be evaluated for inclusion in Red Hat Enterprise Linux 6.4.
Comment 5 RHEL Product and Program Management 2012-09-07 01:31:31 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 6 RHEL Product and Program Management 2013-10-13 20:47:27 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated
in the current release, Red Hat is unable to address this
request at this time.

Red Hat invites you to ask your support representative to
propose this request, if appropriate, in the next release of
Red Hat Enterprise Linux.
Comment 9 Chris Williams 2015-09-18 09:55:58 EDT
This Bugzilla has been reviewed by Red Hat and is not planned on being addressed in Red Hat Enterprise Linux 6 and therefore will be closed. If this bug is critical to production systems, please contact your Red Hat support representative and provide sufficient business justification.

Note You need to log in before you can comment on or make changes to this bug.