Bug 830301 - When desktop is configured to allow ldap/kerberos/smart card login, stopping network service triggers Firefox crash and unable to login to desktop after a logout.
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: nss_ldap
Version: 5.9
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: Nalin Dahyabhai
QA Contact: BaseOS QE Security Team
Duplicates: 1096983
Reported: 2012-06-08 15:21 EDT by Asha Akkiangady
Modified: 2014-05-15 10:37 EDT
Doc Type: Bug Fix
Last Closed: 2012-07-02 13:50:05 EDT
Type: Bug


Attachments
Firefox debugger output when network service is stopped. (3.10 KB, text/plain) 2012-06-08 15:21 EDT, Asha Akkiangady
Complete firefox debug messages. (30.38 KB, text/plain) 2012-06-08 17:14 EDT, Asha Akkiangady
Firefox debugger output after 30 seconds wait when network service is stopped. (29.97 KB, text/plain) 2012-06-11 13:26 EDT, Asha Akkiangady
Description Asha Akkiangady 2012-06-08 15:21:35 EDT
Created attachment 590495 [details]
Firefox debugger output when network service is stopped.

Description of problem:
When desktop is configured to allow ldap/kerberos/smart card login, stopping network service triggers Firefox crash and unable to login to desktop after a logout.

Version-Release number of selected component (if applicable):
nss_ldap-253-49.el5
pam_krb5-2.2.14-22.el5
pam_pkcs11-0.5.3-26.el5
krb5-libs-1.6.1-70.el5
gdm-2.16.0-59.el5

How reproducible:


Steps to Reproduce:
1. Configure the desktop with Enable LDAP support, Enable Kerberos support and Enable smart card support. An LDAP user whose home directory is in /home/ is able to log in with Kerberos and a smart card. Log out the LDAP user.

2. Log in as a local user who is in /etc/passwd and whose home directory is in /home/.

3. As root, stop the network service (service network stop).

4. Start the Firefox application.
  
Actual results:
Firefox crashes.
Log out the user using the menu item System -> Log Out user; a login screen is displayed asking for a user name. Enter the username. Enter the password when requested. It hangs and the user is unable to log in. Can log in to the desktop only after a fresh boot.

Expected results:
Firefox should not crash. Login after a logout operation should be successful.

Additional info:
No log messages of the FF crash in /var/log/messages or /var/log/secure. Attached Firefox debugger output.

When logged in as an LDAP/Kerberos user with a smart card whose home directory is in /home/, stopping the network service triggers Firefox to crash when started, and the logout operation hangs -- a red screen is displayed with a spinner at the mouse pointer. Can log in to the desktop only after a fresh boot.
Comment 1 Nalin Dahyabhai 2012-06-08 15:48:42 EDT
Which debuginfo packages are installed?  Are they installed for all of firefox's dependencies as well?  The gdb prompt appears to have been paging its output, and only the first screen of the backtrace is there.  Is there more to that backtrace?  What are the other threads doing?

When you're not able to log in, what messages are being logged?  Is gdm logging anything relevant in its logs under /var/gdm?  What does the user's certificate look like?  Does it point to an OCSP responder?  Which pam_pkcs11 mappers are being used?  Is login failing because the client can't contact the KDC, or is there something else going on?
Comment 2 Asha Akkiangady 2012-06-08 17:12:47 EDT
(In reply to comment #1)
> Which debuginfo packages are installed?  Are they installed for all of
> firefox's dependencies as well?  
firefox-debuginfo-10.0.5-1.el5_8 and all its dependents are installed.

> The gdb prompt appears to have been paging
> its output, and only the first screen of the backtrace is there.  Is there
> more to that backtrace?  What are the other threads doing?
> 
Sorry, missed the rest of the thread info, attached the complete backtrace (FF_debugger_complete_info.txt)

> When you're not able to log in, what messages are being logged?  
/var/log/secure has this:
Jun  8 16:41:29 dhcp231-57 gdm[4361]: pam_pkcs11(gdm:auth): no suitable token available
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: configured realm 'EXAMPLE.COM'
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flags: forwardable
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no ignore_afs
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: user_check
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no krb4_convert
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: krb4_convert_524
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: krb4_use_as_req
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will try previously set password first
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will ask for a password if that fails
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will let libkrb5 ask questions
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no use_shmem
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no external
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no multiple_ccaches
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: validate
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: warn
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: ticket lifetime: 1920
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: renewable lifetime: 0
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: banner: Kerberos 5
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: ccache dir: /tmp
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: keytab: FILE:/etc/krb5.keytab
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: user 'mytest' was not authenticated by pam_krb5, returning "User not known to the underlying authentication module"
Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: pam_acct_mgmt returning 10 (User not known to the underlying authentication module)

> Is gdm
> logging anything relevant in its logs under /var/gdm?  
/var/log/gdm shows these messages:

(==) Log file: "/var/log/Xorg.0.log", Time: Fri Jun  8 16:41:25 2012
(==) Using config file: "/etc/X11/xorg.conf"
The XKEYBOARD keymap compiler (xkbcomp) reports:
> Warning:          Multiple symbols for level 1/group 1 on key <I5F>
>                   Using XF86Sleep, ignoring XF86Standby
> Warning:          Symbol map for key <I5F> redefined
>                   Using last definition for conflicting fields
Errors from xkbcomp are not fatal to the X server


> What does the user's
> certificate look like?  Does it point to an OCSP responder? 
OCSP checking is not enabled. A local desktop user is logged in with a password, so no user certificate involved.


>  Which
> pam_pkcs11 mappers are being used?  

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    optional      pam_pkcs11.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so


> Is login failing because the client
> can't contact the KDC, or is there something else going on?

The user I'm trying to log in as is a local user. When Kerberos auth is failing, shouldn't it fall back to local /etc/passwd-based auth?
Comment 3 Asha Akkiangady 2012-06-08 17:14:07 EDT
Created attachment 590518 [details]
Complete firefox debug messages.
Comment 4 Nalin Dahyabhai 2012-06-08 18:07:26 EDT
(In reply to comment #2)
> (In reply to comment #1)
> > Which debuginfo packages are installed?  Are they installed for all of
> > firefox's dependencies as well?  
> firefox-debuginfo-10.0.5-1.el5_8 and all its dependents are installed.

That's not always going to be the same thing, but I can see that thread 1 is waiting for a reply via the system message bus, either from the bus daemon itself or with NetworkManager.  Is NetworkManager running?  If you let the process continue for about 30 seconds and then check the backtrace then, is it still waiting?

> > When you're not able to log in, what messages are being logged?  
> /var/log/secure has this:
> Jun  8 16:41:29 dhcp231-57 gdm[4361]: pam_pkcs11(gdm:auth): no suitable
> token available
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: configured realm
> 'EXAMPLE.COM'
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flags: forwardable
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no ignore_afs
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: user_check
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no krb4_convert
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: krb4_convert_524
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: krb4_use_as_req
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will try previously
> set password first
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will ask for a
> password if that fails
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will let libkrb5 ask
> questions
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no use_shmem
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no external
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no
> multiple_ccaches
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: validate
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: warn
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: ticket lifetime: 1920
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: renewable lifetime: 0
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: banner: Kerberos 5
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: ccache dir: /tmp
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: keytab:
> FILE:/etc/krb5.keytab
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: user 'mytest' was not
> authenticated by pam_krb5, returning "User not known to the underlying
> authentication module"
> Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: pam_acct_mgmt
> returning 10 (User not known to the underlying authentication module)

That pam_krb5's "account" function is being called suggests that the "auth" stack succeeded, and wherever things are getting derailed, it's happening after these messages are logged.  Is there any mention of the session being opened?  If it's just hanging there, what's gdm (or an authentication subprocess) doing at the time?

> > Is gdm logging anything relevant in its logs under /var/gdm?  
> /var/log/gdm shows these messages:
> 
> (==) Log file: "/var/log/Xorg.0.log", Time: Fri Jun  8 16:41:25 2012
> (==) Using config file: "/etc/X11/xorg.conf"
> The XKEYBOARD keymap compiler (xkbcomp) reports:
> > Warning:          Multiple symbols for level 1/group 1 on key <I5F>
> >                   Using XF86Sleep, ignoring XF86Standby
> > Warning:          Symbol map for key <I5F> redefined
> >                   Using last definition for conflicting fields
> Errors from xkbcomp are not fatal to the X server

That looks like :0.log.  What about :0-slave.log?

>> What does the user's certificate look like?  Does it point to an OCSP responder? 
> OCSP checking is not enabled. A local desktop user is logged in with a
> password, so no user certificate involved.

Does the user's certificate include the location of an OCSP responder?  Where is OCSP checking disabled?  In pam_pkcs11's configuration?

>>  Which pam_pkcs11 mappers are being used?  
> 
> # cat /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        [success=3 default=ignore] pam_succeed_if.so service notin
> login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> auth        [success=ok authinfo_unavail=2 ignore=2 default=die]
> pam_pkcs11.so
> auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
> auth        sufficient    pam_permit.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok auth_err=ignore user_unknown=ignore
> ignore=ignore] pam_krb5.so
> account     required      pam_permit.so
> 
> password    optional      pam_pkcs11.so
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond
> quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so

Mappers are configured in /etc/pam_pkcs11/pam_pkcs11.conf, but if we're past the authentication phase it's probably not related to that after all.

> Is login failing because the client
> > can't contact the KDC, or is there something else going on?
> 
> The user I'm trying to login is local user. When Kerberos auth is failing,
> shudn't it fall into local /etc/passwd based auth?

The pam_krb5 account function is noting that a Kerberos password check hadn't succeeded earlier.  You typically don't see the account stack being called unless the authentication stack succeeded, so something else in the authentication stack caused it to succeed.
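To make the reasoning in this comment concrete (why the "account" stack is reached at all for a local user with no card), here is an added example, not from the bug report or its participants: a reduced model of libpam's dispatcher replaying the system-auth quoted above. The per-module return codes are assumed scenario inputs, and the "reset" action is not modelled.

```python
"""Reduced model of Linux-PAM's stack dispatcher, replaying the system-auth
quoted in comment 2.  Added example, not from this bug report: the return code
fed to each module is an assumed scenario input, and the rules are a simplified
reading of libpam's pam_dispatch.c (ok/done/bad/die/ignore plus integer jumps;
'reset' is not modelled)."""

# Return codes used below (numeric values as in Linux-PAM's _pam_types.h).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_AUTHINFO_UNAVAIL, PAM_USER_UNKNOWN = 9, 10
CODE_NAME = {PAM_SUCCESS: "success", PAM_PERM_DENIED: "perm_denied", PAM_AUTH_ERR: "auth_err",
             PAM_AUTHINFO_UNAVAIL: "authinfo_unavail", PAM_USER_UNKNOWN: "user_unknown"}

# The classic keywords are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# (module, control) pairs as in the quoted file; module arguments appear only in
# comments, since the dispatcher looks at the control field alone.
AUTH_STACK = [
    ("pam_env.so",        "required"),
    ("pam_succeed_if.so", "[success=3 default=ignore]"),  # service notin login:gdm:...
    ("pam_pkcs11.so",     "[success=ok authinfo_unavail=2 ignore=2 default=die]"),
    ("pam_krb5.so",       "optional"),                    # use_first_pass no_subsequent_prompt
    ("pam_permit.so",     "sufficient"),
    ("pam_unix.so",       "sufficient"),                  # nullok try_first_pass
    ("pam_succeed_if.so", "requisite"),                   # uid >= 500
    ("pam_krb5.so",       "sufficient"),                  # use_first_pass
    ("pam_deny.so",       "required"),
]
ACCOUNT_STACK = [
    ("pam_unix.so",       "required"),                    # broken_shadow
    ("pam_succeed_if.so", "sufficient"),                  # uid < 500
    ("pam_krb5.so",       "[default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore]"),
    ("pam_permit.so",     "required"),
]


def parse_control(control):
    """Turn 'required' or '[success=ok authinfo_unavail=2 default=die]' into a table."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return KEYWORDS[control]


def run_stack(stack, results):
    """Dispatch `stack` with results[i] as module i's return code; give (final_code, trace)."""
    impression = None        # None: undecided, True: positive, False: negative
    status, skip, trace = PAM_SUCCESS, 0, []
    for (module, control), retval in zip(stack, results):
        if skip:             # inside a jump: the module is not called at all
            skip -= 1
            trace.append((module, "skipped"))
            continue
        table = parse_control(control)
        action = table.get(CODE_NAME[retval], table.get("default", "bad"))
        trace.append((module, f"{CODE_NAME[retval]} -> {action}"))
        if action in ("ok", "done"):
            # Only the first result, or a later one while still succeeding, counts.
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = retval == PAM_SUCCESS, retval
            if impression and action == "done":
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action.isdigit():   # N acts like 'ok' and skips the next N modules
            if impression is None:
                impression, status = True, PAM_SUCCESS
            skip = int(action)
        # 'ignore' (the only other action used here) leaves the state alone
    return (PAM_PERM_DENIED if impression is None else status), trace


# Scenarios; None marks modules that are never consulted in that run.
def auth_local_user_no_card():
    """Comment 2's case: service gdm, local user, no token, correct password."""
    return run_stack(AUTH_STACK, [PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL,
                                  None, None, PAM_SUCCESS, None, None, None])

def auth_smart_card_present():
    """Card inserted and accepted by pam_pkcs11; pam_permit then ends the stack."""
    return run_stack(AUTH_STACK, [PAM_SUCCESS, PAM_AUTH_ERR, PAM_SUCCESS,
                                  PAM_AUTHINFO_UNAVAIL, PAM_SUCCESS, None, None, None, None])

def auth_wrong_password_kdc_down():
    """No token, wrong local password, uid >= 500, KDC unreachable."""
    return run_stack(AUTH_STACK, [PAM_SUCCESS, PAM_AUTH_ERR, PAM_AUTHINFO_UNAVAIL, None, None,
                                  PAM_AUTH_ERR, PAM_SUCCESS, PAM_AUTHINFO_UNAVAIL, PAM_AUTH_ERR])

def account_local_user():
    """The 'account' pass that logged 'pam_acct_mgmt returning 10' in comment 2."""
    return run_stack(ACCOUNT_STACK, [PAM_SUCCESS, PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_SUCCESS])
```

In the no-card case the authinfo_unavail=2 jump carries control past pam_krb5 and pam_permit straight to pam_unix, which is what makes the auth stack succeed for a local password; the account pass then tolerates pam_krb5's user_unknown, so the hang must come after PAM has already said yes.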
Comment 5 Asha Akkiangady 2012-06-11 13:24:57 EDT
(In reply to comment #4)
> (In reply to comment #2)
> > (In reply to comment #1)
> > > Which debuginfo packages are installed?  Are they installed for all of
> > > firefox's dependencies as well?  
> > firefox-debuginfo-10.0.5-1.el5_8 and all its dependents are installed.
> 
> That's not always going to be the same thing, but I can see that thread 1 is
> waiting for a reply via the system message bus, either from the bus daemon
> itself or with NetworkManager.  Is NetworkManager running? 

NetworkManager is not running.

> If you let the
> process continue for about 30 seconds and then check the backtrace then, is
> it still waiting?

Waited for more than 30 seconds; the FF process is still waiting:
# ps -aef | grep firefox
mytest    4894  4630  3 11:54 pts/2    00:00:09 /usr/bin/gdb --args /usr/lib64/firefox/firefox
mytest    4922  4894  0 11:54 pts/2    00:00:00 /usr/lib64/firefox/firefox -safemode
mytest    4925  4922  0 11:54 pts/2    00:00:00 [firefox] <defunct>


Attached the gdb output (FF_crash_30sec_wait.txt).

> 
> > > When you're not able to log in, what messages are being logged?  
> > /var/log/secure has this:
> > Jun  8 16:41:29 dhcp231-57 gdm[4361]: pam_pkcs11(gdm:auth): no suitable
> > token available
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: configured realm
> > 'EXAMPLE.COM'
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flags: forwardable
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no ignore_afs
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: user_check
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no krb4_convert
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: krb4_convert_524
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: krb4_use_as_req
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will try previously
> > set password first
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will ask for a
> > password if that fails
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: will let libkrb5 ask
> > questions
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no use_shmem
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no external
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: no
> > multiple_ccaches
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: validate
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: flag: warn
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: ticket lifetime: 1920
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: renewable lifetime: 0
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: banner: Kerberos 5
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: ccache dir: /tmp
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: keytab:
> > FILE:/etc/krb5.keytab
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: user 'mytest' was not
> > authenticated by pam_krb5, returning "User not known to the underlying
> > authentication module"
> > Jun  8 16:41:39 dhcp231-57 gdm[4361]: pam_krb5[4361]: pam_acct_mgmt
> > returning 10 (User not known to the underlying authentication module)
> 
> That pam_krb5's "account" function is being called suggests that the "auth"
> stack succeeded, and wherever things are getting derailed, it's happening
> after these messages are logged.  Is there any mention of the session being
> opened?  If it's just hanging there, what's gdm (or an authentication
> subprocess) doing at the time?
Nothing other than the above messages in the /var/log/secure. 

/var/log/messages has these messages:
Jun 11 12:32:05 dhcp231-57 dbus: nss_ldap: failed to bind to LDAP server ldap://aakkiang-csvm1.idm.lab.bos.redhat.com/: Can't contact LDAP server
Jun 11 12:32:05 dhcp231-57 dbus: nss_ldap: reconnecting to LDAP server (sleeping 16 seconds)...

> 
> > > Is gdm logging anything relevant in its logs under /var/gdm?  
> > /var/log/gdm shows these messages:
> > 
> > (==) Log file: "/var/log/Xorg.0.log", Time: Fri Jun  8 16:41:25 2012
> > (==) Using config file: "/etc/X11/xorg.conf"
> > The XKEYBOARD keymap compiler (xkbcomp) reports:
> > > Warning:          Multiple symbols for level 1/group 1 on key <I5F>
> > >                   Using XF86Sleep, ignoring XF86Standby
> > > Warning:          Symbol map for key <I5F> redefined
> > >                   Using last definition for conflicting fields
> > Errors from xkbcomp are not fatal to the X server
> 
> That looks like :0.log.  What about :0-slave.log?

Yes, it is :0.log. There is no /var/log/gdm/0-slave.log file; is there a configuration parameter to turn on logging to this file?

> 
> >> What does the user's certificate look like?  Does it point to an OCSP responder? 
> > OCSP checking is not enabled. A local desktop user is logged in with a
> > password, so no user certificate involved.
> 
> Does the user's certificate include the location of an OCSP responder? 
> Where is OCSP checking disabled?  In pam_pkcs11's configuration?

OCSP checking is disabled in the pam_pkcs11 configuration.

> 
> >>  Which pam_pkcs11 mappers are being used?  
> > 
> > # cat /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        [success=3 default=ignore] pam_succeed_if.so service notin
> > login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
> > auth        [success=ok authinfo_unavail=2 ignore=2 default=die]
> > pam_pkcs11.so
> > auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
> > auth        sufficient    pam_permit.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_krb5.so use_first_pass
> > auth        required      pam_deny.so
> > 
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok auth_err=ignore user_unknown=ignore
> > ignore=ignore] pam_krb5.so
> > account     required      pam_permit.so
> > 
> > password    optional      pam_pkcs11.so
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass
> > use_authtok
> > password    sufficient    pam_krb5.so use_authtok
> > password    required      pam_deny.so
> > 
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_limits.so
> > session     optional      pam_mkhomedir.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond
> > quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_krb5.so
> 
> Mappers are configured in /etc/pam_pkcs11/pam_pkcs11.conf, but if we're past
> the authentication phase it's probably not related to that after all.

# cat /etc/pam_pkcs11/pam_pkcs11.conf 
#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <jonsito@teleline.es>
#
pam_pkcs11  {
	# Allow empty passwords
	nullok = true;

	# Enable debugging support.
	debug = false;

	# If the smart card is inserted, only use it
	card_only = true;

	# Turn on OCSP checking of the certificates
	enable_ocsp = false;

	# Do not prompt the user for the passwords but take them from the
	# PAM_ items instead.
	use_first_pass = false;

	# Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
	# is unset.
	try_first_pass = false;

	# Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
	# previously set (intended for stacking password modules only).
	use_authtok = false;

	# Filename of the PKCS #11 module. The default value is "default"
	use_pkcs11_module = coolkey;

	screen_savers = "gnome-screensaver", xscreensaver, kscreensaver;

	pkcs11_module coolkey {
		module = libcoolkeypk11.so;
		description = "Cool Key";
		# Slot-number to use. One for the first, two for the second and so
		# on. The default value is zero which means to use the first slot
		# with an available token.
		slot_num = 0;

		# Path to the directory where the CA certificates are stored. The
		# directory must contain an openssl hash-link to each certificate.
		# The default value is /etc/pam_pkcs11/cacerts.
		ca_dir = "/etc/pam_pkcs11/cacerts";
		nss_dir = /etc/pki/nssdb;

		# Path to the directory where the CRLs are stored. The directory
		# must contain an openssl hash-link to each CRL. The default value
		# is /etc/pam_pkcs11/crls.
		crl_dir = "/etc/pam_pkcs11/crls";

		# Sets the CRL verification policy. None performs no verification
		# at all, online downloads the CRL form the location given by the
		# CRL distribution point extension of the certificate and offline
		# uses the locally stored CRLs. Auto is a combination of online and
		# offline; it first tries to download the CRL from a possibly
		# given CRL distribution point and if this fails, uses the local
		# CRLs. The default setting is none.
		# crl_policy={none, online, offline, auto}
		crl_policy = none;

	}

	pkcs11_module opensc {
		module = "opensc-pkcs11.so";
		description = "OpenSC PKCS#11 module";
		# Slot-number to use. One for the first, two for the second and so
		# on. The default value is zero which means to use the first slot
		# with an available token.
		slot_num = 0;

		# Path to the directory where the CA certificates are stored. The
		# directory must contain an openssl hash-link to each certificate.
		# The default value is /etc/pam_pkcs11/cacerts.
		ca_dir = "/etc/pam_pkcs11/cacerts";

		# Path to the directory where the CRLs are stored. The directory
		# must contain an openssl hash-link to each CRL. The default value
		# is /etc/pam_pkcs11/crls.
		crl_dir = "/etc/pam_pkcs11/crls";

		# Sets the CRL verification policy. None performs no verification
		# at all, online downloads the CRL form the location given by the
		# CRL distribution point extension of the certificate and offline
		# uses the locally stored CRLs. Auto is a combination of online and
		# offline; it first tries to download the CRL from a possibly
		# given CRL distribution point and if this fails, uses the local
		# CRLs. The default setting is none.
		# crl_policy={none, online, offline, auto}
		crl_policy = none;

	}

	# Default pkcs11 module
	pkcs11_module default {
		module = "/usr/$LIB/pam_pkcs11/pkcs11_module.so";
		description = "Default pkcs#11 module";
		slot_num = 0;
		ca_dir = "/etc/pam_pkcs11/cacerts";
		crl_dir = "/etc/pam_pkcs11/crls";
		crl_policy = none;
	}

	# Which mappers ( Cert to login ) to use?
	# you can use several mappers:
	#
	# subject - Cert Subject to login file based mapper
	# pwent   - CN to getpwent() login or gecos fields mapper
	# ldap    - LDAP mapper
	# opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
	# openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
	# mail    - Compare email fields from certificate
	# ms      - Use Microsoft Universal Principal Name extension
	# krb     - Compare againts Kerberos Principal Name
	# cn      - Compare Common Name (CN)
	# uid     - Compare Unique Identifier
	# digest  - Certificate digest to login (mapfile based) mapper
	# generic - User defined certificate contents mapped
	# null    - blind access/deny mapper
	#
	# You can select a comma-separated mapper list.
	# If used null mapper should be the last in the list :-)
	# Also you should select at least one mapper, otherwise
	# certificate will not match :-)
	use_mappers = cn, uid, pwent, null;

	# When no absolute path or module info is provided, use this
	# value as module search path
	# TODO:
	# This is not still functional: use absolute pathnames or LD_LIBRARY_PATH 
	mapper_search_path = "/usr/$LIB/pam_pkcs11";

	# 
	# Generic certificate contents mapper
	mapper generic {
		debug = true;
		module = "/usr/$LIB/pam_pkcs11/generic_mapper.so";
		# ignore letter case on match/compare
		ignorecase = false;
		# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
		cert_item = cn;
		# Define mapfile if needed, else select "none"
		mapfile = "file:///etc/pam_pkcs11/generic_mapping";
		# Decide if use getpwent() to map login
		use_getpwent = false;
	}

	# Certificate Subject to login based mapper
	# provided file stores one or more "Subject -> login" lines
	mapper subject {
		debug = false;
		# module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
		module = internal;
		ignorecase = false;
		mapfile = "file:///etc/pam_pkcs11/subject_mapping";
	}

	# Search public keys from $HOME/.ssh/authorized_keys to match users
	mapper openssh {
		debug = false;
		module = "/usr/$LIB/pam_pkcs11/openssh_mapper.so";
	}

	# Search certificates from $HOME/.eid/authorized_certificates to match users
	mapper opensc {
		debug = false;
		module = "/usr/$LIB/pam_pkcs11/opensc_mapper.so";
	}

	# Certificate Common Name ( CN ) to getpwent() mapper
	mapper pwent {
		debug = false;
		ignorecase = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
	}

	# Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
	mapper null {
		debug = false;
		# module = /usr/$LIB/pam_pkcs11/null_mapper.so;
		module = internal;
		# select behavior: always match, or always fail
		default_match = false;
		# on match, select returned user
		default_user = nobody;
	}

	# Directory ( ldap style ) mapper
	mapper ldap {
		debug = false;
		module = "/usr/$LIB/pam_pkcs11/ldap_mapper.so";
		# where base directory resides
		basedir = "/etc/pam_pkcs11/mapdir";
		# hostname of ldap server
		ldaphost = localhost;
		# Port on ldap server to connect
		ldapport = 389;
		# Scope of search: 0 = x, 1 = y, 2 = z
		scope = 2;
		# DN to bind with. Must have read-access for user entries under "base"
		binddn = "cn=pam,o=example,c=com";
		# Password for above DN
		passwd = test;
		# Searchbase for user entries
		base = "ou=People,o=example,c=com";
		# Attribute of user entry which contains the certificate
		attribute = userCertificate;
		# Searchfilter for user entry. Must only let pass user entry for the login user.
		filter = "(&(objectClass=posixAccount)(uid=%s))";
	}

	# Assume common name (CN) to be the login
	mapper cn {
		debug = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
		ignorecase = true;
		mapfile = "file:///etc/pam_pkcs11/cn_map";
	}

	# mail -  Compare email field from certificate
	mapper mail {
		debug = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
		# Declare mapfile or
		# leave empty "" or "none" to use no map 
		mapfile = "file:///etc/pam_pkcs11/mail_mapping";
		# Some certs store email in uppercase. take care on this
		ignorecase = true;
		# Also check that host matches mx domain
		# when using mapfile this feature is ignored
		ignoredomain = false;
	}

	# ms - Use Microsoft Universal Principal Name extension
	# UPN is in format login@ADS_Domain. No map is needed, just
	# check domain name.
	mapper ms {
		debug = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
		ignorecase = false;
		ignoredomain = false;
		domain = domain.com;
	}

	# krb  - Compare againts Kerberos Principal Name
	mapper krb {
		debug = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
		ignorecase = false;
		mapfile = none;
	}

	# uid  - Maps Subject Unique Identifier field (if exist) to login
	mapper uid {
		debug = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
		ignorecase = false;
		mapfile = none;
	}

	# digest - elaborate certificate digest and map it into a file
	mapper digest {
		debug = false;
		module = internal;
		# module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
		# algorithm used to evaluate certificate digest
		# Select one of:
		# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
		algorithm = sha1;
		mapfile = "file:///etc/pam_pkcs11/digest_mapping";
		# mapfile = "none";
	}

}

> 
> > Is login failing because the client
> > > can't contact the KDC, or is there something else going on?
> > 
> > The user I'm trying to login is local user. When Kerberos auth is failing,
> > shudn't it fall into local /etc/passwd based auth?
> 
> The pam_krb5 account function is noting that a Kerberos password check
> hadn't succeeded earlier.  You typically don't see the account stack being
> called unless the authentication stack succeeded, so something else in the
> authentication stack caused it to succeed.
Comment 6 Asha Akkiangady 2012-06-11 13:26:24 EDT
Created attachment 590988 [details]
Firefox debugger output after 30 seconds wait when network service is stopped.
Comment 7 RHEL Product and Program Management 2012-06-21 12:07:32 EDT
This request was evaluated by Red Hat Product Management for inclusion
in a Red Hat Enterprise Linux release.  Product Management has
requested further review of this request by Red Hat Engineering, for
potential inclusion in a Red Hat Enterprise Linux release for currently
deployed products.  This request is not yet committed for inclusion in
a release.
Comment 8 Nalin Dahyabhai 2012-06-21 15:31:05 EDT
30 seconds later, firefox is still waiting on a pending call to the message bus daemon, which in turn is logging to syslog messages that indicate that it's trying to talk to the directory server.
Comment 9 Nalin Dahyabhai 2012-07-02 11:57:46 EDT
Outside of suggesting that you tweak timeouts and related parameters in the client configuration, I don't think we're going to see any changes to the package to address the problem of nss_ldap being dependent on being able to connect to a working directory server.  Inclined to won't-fix.
Comment 10 Nalin Dahyabhai 2012-07-02 13:50:05 EDT
Per offline conversation with reporter, dropping the won't-fix axe.
Comment 11 Roshni 2014-05-15 10:37:50 EDT
*** Bug 1096983 has been marked as a duplicate of this bug. ***
