Bug 999604 - failure in creation of credential cache for users whose principal does not belong to the default realm
Summary: failure in creation of credential cache for users whose principal does not be...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_krb5
Version: 19
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-21 17:03 UTC by Paolo Penzo
Modified: 2013-09-03 22:30 UTC (History)
1 user (show)

Fixed In Version: pam_krb5-2.4.6-1.fc19
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-09-03 22:30:28 UTC
Type: Bug


Attachments (Terms of Use)
system-auth-ac (1.21 KB, text/plain)
2013-08-21 17:03 UTC, Paolo Penzo
no flags Details
krb5.conf (790 bytes, text/plain)
2013-08-21 17:04 UTC, Paolo Penzo
no flags Details
/var/log/secure extract for a user in the default realm (10.81 KB, text/plain)
2013-08-21 17:05 UTC, Paolo Penzo
no flags Details
/var/log/secure extract for a user NOT in the default realm (10.51 KB, text/plain)
2013-08-21 17:06 UTC, Paolo Penzo
no flags Details

Description Paolo Penzo 2013-08-21 17:03:32 UTC
Created attachment 788934 [details]
system-auth-ac

Description of problem:
having kerberos V principals defined in more than one realm and using the mappings feature of pam_krb5 the users whose principal is not defined in the default realm does not get the credential cache available after login.

Version-Release number of selected component (if applicable):
pam_krb5 2.4.5-1.fc19.x86_64
krb5-libs 1.11.3-2.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
configure the user kerberos V principal into two separate realms and use the pam_krb5 mapping feature to redirect the password validation to the appropriate KDC.

Actual results:
the user whose principal is defined into the default realm gets the credential cache available whereas the user whose principal is defined into the other realm don't.

Expected results:
Both the users get their credential cache available after login

Additional info:
when the user is not defined in the default realm, in /var/log/secure the auth phase reports 
"failed to create ccache for '<USERNAME>'" 
and the session phase reports
"ccache is a directory named '/run/user/0/krb5cc'" (instead of /run/user/<USER_UID>/krb5cc)
"no credentials available to store in 'DIR:/run/user/0/krb5cc'"

Comment 1 Paolo Penzo 2013-08-21 17:04:39 UTC
Created attachment 788935 [details]
krb5.conf

Comment 2 Paolo Penzo 2013-08-21 17:05:40 UTC
Created attachment 788936 [details]
/var/log/secure extract for a user in the default realm

Comment 3 Paolo Penzo 2013-08-21 17:06:16 UTC
Created attachment 788937 [details]
/var/log/secure extract for a user NOT in the default realm

Comment 4 Nalin Dahyabhai 2013-08-21 22:44:28 UTC
Can you check if one of the builds at http://koji.fedoraproject.org/koji/taskinfo?taskID=5838705 corrects this?  Thanks!

Comment 5 Paolo Penzo 2013-08-22 08:08:22 UTC
It works!

Thanks!

Comment 6 Nalin Dahyabhai 2013-08-22 12:37:23 UTC
Great!  I'll file an update request shortly.

Comment 7 Fedora Update System 2013-08-22 12:39:21 UTC
pam_krb5-2.4.6-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/pam_krb5-2.4.6-1.fc19

Comment 8 Fedora Update System 2013-08-23 00:38:14 UTC
Package pam_krb5-2.4.6-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_krb5-2.4.6-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15174/pam_krb5-2.4.6-1.fc19
then log in and leave karma (feedback).

Comment 9 Fedora Update System 2013-09-03 22:30:28 UTC
pam_krb5-2.4.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.