Bug 999604 - failure in creation of credential cache for users whose principal does not belong to the default realm
failure in creation of credential cache for users whose principal does not be...
Status: CLOSED ERRATA
Product: Fedora
Classification: Fedora
Component: pam_krb5 (Show other bugs)
19
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Nalin Dahyabhai
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-08-21 13:03 EDT by Paolo Penzo
Modified: 2013-09-03 18:30 EDT (History)
1 user (show)

See Also:
Fixed In Version: pam_krb5-2.4.6-1.fc19
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-09-03 18:30:28 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
system-auth-ac (1.21 KB, text/plain)
2013-08-21 13:03 EDT, Paolo Penzo
no flags Details
krb5.conf (790 bytes, text/plain)
2013-08-21 13:04 EDT, Paolo Penzo
no flags Details
/var/log/secure extract for a user in the default realm (10.81 KB, text/plain)
2013-08-21 13:05 EDT, Paolo Penzo
no flags Details
/var/log/secure extract for a user NOT in the default realm (10.51 KB, text/plain)
2013-08-21 13:06 EDT, Paolo Penzo
no flags Details

  None (edit)
Description Paolo Penzo 2013-08-21 13:03:32 EDT
Created attachment 788934 [details]
system-auth-ac

Description of problem:
having kerberos V principals defined in more than one realm and using the mappings feature of pam_krb5 the users whose principal is not defined in the default realm does not get the credential cache available after login.

Version-Release number of selected component (if applicable):
pam_krb5 2.4.5-1.fc19.x86_64
krb5-libs 1.11.3-2.fc19.x86_64

How reproducible:
always

Steps to Reproduce:
configure the user kerberos V principal into two separate realms and use the pam_krb5 mapping feature to redirect the password validation to the appropriate KDC.

Actual results:
the user whose principal is defined into the default realm gets the credential cache available whereas the user whose principal is defined into the other realm don't.

Expected results:
Both the users get their credential cache available after login

Additional info:
when the user is not defined in the default realm, in /var/log/secure the auth phase reports 
"failed to create ccache for '<USERNAME>'" 
and the session phase reports
"ccache is a directory named '/run/user/0/krb5cc'" (instead of /run/user/<USER_UID>/krb5cc)
"no credentials available to store in 'DIR:/run/user/0/krb5cc'"
Comment 1 Paolo Penzo 2013-08-21 13:04:39 EDT
Created attachment 788935 [details]
krb5.conf
Comment 2 Paolo Penzo 2013-08-21 13:05:40 EDT
Created attachment 788936 [details]
/var/log/secure extract for a user in the default realm
Comment 3 Paolo Penzo 2013-08-21 13:06:16 EDT
Created attachment 788937 [details]
/var/log/secure extract for a user NOT in the default realm
Comment 4 Nalin Dahyabhai 2013-08-21 18:44:28 EDT
Can you check if one of the builds at http://koji.fedoraproject.org/koji/taskinfo?taskID=5838705 corrects this?  Thanks!
Comment 5 Paolo Penzo 2013-08-22 04:08:22 EDT
It works!

Thanks!
Comment 6 Nalin Dahyabhai 2013-08-22 08:37:23 EDT
Great!  I'll file an update request shortly.
Comment 7 Fedora Update System 2013-08-22 08:39:21 EDT
pam_krb5-2.4.6-1.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/pam_krb5-2.4.6-1.fc19
Comment 8 Fedora Update System 2013-08-22 20:38:14 EDT
Package pam_krb5-2.4.6-1.fc19:
* should fix your issue,
* was pushed to the Fedora 19 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing pam_krb5-2.4.6-1.fc19'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-15174/pam_krb5-2.4.6-1.fc19
then log in and leave karma (feedback).
Comment 9 Fedora Update System 2013-09-03 18:30:28 EDT
pam_krb5-2.4.6-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.