Bug 90060 - authconfig produces incorrect system-auth file for krb5 + LDAP
Status: CLOSED NOTABUG
Product: Red Hat Linux
Classification: Retired
Component: authconfig
Version: 9
Platform: i686 Linux
Priority: medium
Severity: medium
Assigned To: Tomas Mraz
Reported: 2003-05-01 16:22 EDT by Ian Macdonald
Modified: 2007-04-18 12:53 EDT
Last Closed: 2004-12-08 13:03:59 EST
Doc Type: Bug Fix
Attachments: None

Description Ian Macdonald 2003-05-01 16:22:33 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3) Gecko/20030322

Description of problem:
Using authconfig to configure authentication using LDAP and Kerberos V results
in an /etc/pam.d/system-auth that does not work. This produces the following file:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so

The following hand-made file, while maybe not ideal, works:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_krb5.so debug forwardable
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so ldap
#account     sufficient /lib/security/$ISA/pam_krb5.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok forwardable
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow ldap
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so

Version-Release number of selected component (if applicable):

How reproducible:
Always

Steps to Reproduce:
1. run authconfig
2. choose Kerberos V and LDAP authentication
3. try to use a PAMified tool to authenticate
Actual Results:  Failed authentication.

Expected Results:  Successful authentication.

Additional info:
Comment 1 Ian Macdonald 2003-05-01 18:31:56 EDT
After some experimentation, the following configuration is much more faithful to
the one generated by authconfig (i.e. it still uses pam_ldap as opposed to going
through pam_unix), but actually works:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass forwardable
#auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_ldap.so default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore
account     required      /lib/security/$ISA/pam_krb5.so default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok forwardable
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
session     optional      /lib/security/$ISA/pam_ldap.so
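
The stacks quoted in the description and in the comment above differ in how the account lines are spelled: the generated file uses the bracketed `[value=action ...]` control field, while the hand-edited file uses the `required` keyword and leaves the same `default=bad success=ok ...` tokens after the module path. In Linux-PAM the control field is the one token after the group name, so with a keyword control those trailing tokens reach the module as ordinary arguments rather than as actions. The following simulator is an added example written for this page (it is not part of authconfig, Linux-PAM or the reporter's files); it parses system-auth lines, applies the control-flag rules documented in pam.conf(5) in a simplified form, and runs both stacks against constructed per-module return values. All scenario outcomes, the `walk`/`parse_stack`/`evaluate` names and the plain-string return values are assumptions of the example.

```python
"""Simulator for Linux-PAM control-flag semantics, one management group at a time.

Added example for this bug report; not part of authconfig or Linux-PAM.  The
rules follow pam.conf(5): the four keyword controls are shorthand for bracketed
[value=action ...] maps, and the stack result is decided by the
ok/done/bad/die/ignore actions.  Return values are modelled as plain strings
("success", "user_unknown", "auth_err", ...), which is a simplification.
"""
import re

# Keyword controls as their documented bracketed equivalents (pam.conf(5)).
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok",
                   "default": "ignore"},
}

# group, control (keyword or one bracketed field), module path, module args
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed copies of the account lines from the two files in this report.
GENERATED_ACCOUNT = """
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
"""
COMMENT1_ACCOUNT = """
account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_ldap.so default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore
account     required      /lib/security/$ISA/pam_krb5.so default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore
"""
GENERATED_AUTH = """
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""


def parse_stack(config_text, group):
    """Return [(module, control_map, module_args)] for one group, e.g. 'account'.

    Only a bracketed control field becomes an action map; with a keyword
    control every token after the module path is a module argument.
    """
    entries = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != group:
            continue
        control, module_path, args = m.group(2), m.group(3), m.group(4).split()
        if control.startswith("["):
            cmap = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            cmap = KEYWORD_CONTROLS[control]
        entries.append((module_path.rsplit("/", 1)[-1], cmap, args))
    return entries


def evaluate(entries, outcomes):
    """Walk a parsed stack against constructed per-module return values.

    `outcomes` maps module file name -> return value; modules not listed
    (pam_env, pam_limits, ...) are assumed to return "success".  Rules:
      ignore  - the return value is not counted
      ok/done - counted unless a failure was already recorded; done also
                stops the stack once the running result is success
      bad/die - counted as the first failure; die also stops the stack
    A return value with no entry and no 'default' counts as bad (pam.conf(5)).
    """
    result = None  # None: no module has contributed yet
    for module, cmap, _args in entries:
        ret = outcomes.get(module, "success")
        action = cmap.get(ret, cmap.get("default", "bad"))
        if action == "ignore":
            continue
        if result in (None, "success"):  # a recorded failure is never overridden
            result = ret
        if action == "die" or (action == "done" and result == "success"):
            break
    return result if result is not None else "perm_denied"


def walk(config_text, group, outcomes):
    """Parse and evaluate one management group in a single call."""
    return evaluate(parse_stack(config_text, group), outcomes)


if __name__ == "__main__":
    # Constructed scenario: user record in LDAP, local files and Kerberos
    # account check know nothing about the user.
    ldap_user = {"pam_unix.so": "success", "pam_ldap.so": "success",
                 "pam_krb5.so": "user_unknown"}
    print("generated account stack:", walk(GENERATED_ACCOUNT, "account", ldap_user))
    print("comment 1 account stack:", walk(COMMENT1_ACCOUNT, "account", ldap_user))
    print("generated auth, krb5 accepts:", walk(GENERATED_AUTH, "auth",
          {"pam_unix.so": "user_unknown", "pam_krb5.so": "success", "pam_deny.so": "auth_err"}))
```

Running the block shows the point in one line each: with the bracketed control, a `user_unknown` from pam_krb5 is ignored and the account stack returns success, whereas with `required` the same return value maps to `default=bad` and the stack fails, because `default=bad success=ok ...` are now arguments that pam_krb5 receives and disregards. The same parser also shows why `service_err=ignore` does not cover an LDAP server outage: `authinfo_unavail` has no entry in the map and falls through to `default=bad`.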
Comment 2 Tomas Mraz 2004-12-07 12:27:02 EST
The question is what you are trying to achieve. Do you have user
information in LDAP and want to authenticate against a Kerberos server?
Or do you have even the authentication information in LDAP?
Comment 3 Ian Macdonald 2004-12-07 18:25:07 EST
The former is the case: we have user information in LDAP and are
authenticating against a Kerberos server.
Comment 4 Tomas Mraz 2004-12-08 05:15:36 EST
So you should enable LDAP on the user info checkboxes and KRB5 on the
authentication checkboxes. This should work fine. pam_ldap
shouldn't be in the system-auth file at all.
Comment 5 Ian Macdonald 2004-12-08 12:52:33 EST
You'll have to forgive me for not remembering the details. It has
taken Red Hat more than 18 months to respond to this bug.

If you look at the additional comment I posted on 2003-05-01, you'll
see that we were using a system-auth without pam_ldap. The point of
the bug was, I think, that the file generated by authconfig would not
work for any purpose.

Since I can no longer remember the details and have long since fixed
our problem by hand, I suggest you close the bug.
Comment 6 Tomas Mraz 2004-12-08 13:03:59 EST
OK, closing.