Bug 144762 - Pam with Kerberos or LDAP refuses off-net local login
Summary: Pam with Kerberos or LDAP refuses off-net local login
Status: CLOSED DUPLICATE of bug 109359
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Jay Turner
Depends On:
Reported: 2005-01-11 12:37 UTC by Thomas Sippel - Dau
Modified: 2015-01-08 00:09 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2005-01-12 08:24:34 UTC
Target Upstream Version:


Description Thomas Sippel - Dau 2005-01-11 12:37:25 UTC
Description of problem:
Pam with Kerberos or LDAP refuses off-net local login.

When using Kerberos or LDAP authenticated logins the pam library treats a failure to connect to the Kerberos or LDAP server as a failure to authenticate. It appears that the pam library reads the config file (/etc/pam.d/system-auth) and attempts to contact all the servers that might have useful information. If it fails to contact the Kerberos or LDAP servers, it treats this as a failure to authenticate. Thus when the system-auth says:

   auth sufficient pam_unix
   auth sufficient pam_krb5
   auth sufficient pam_ldap

then a user with a local username and password (in /etc/passwd and /etc/shadow) cannot log in iff the machine is off the net. In particular it is impossible to log in as root, such as to change the configuration.

The problem arises particularly with corporate laptops where all people in the organisation should be able to log in when it is on site, but only a few users when off the net.

Version-Release number of selected component (if applicable):
Redhat Enterprise Workstation was tested with several pam versions in updates 1-4; also a problem in 4WS (beta 2).

How reproducible:

Steps to Reproduce:
1. Configure machine to use Kerberos or LDAP login
2. Disconnect network cable
3. Try to log in

Actual results:
Login is refused (actually before collecting password when using XDM login).

Expected results:
Machine should treat failure to contact Kerberos or LDAP server as a soft error and remove the particular method from the authentication stack, but still allow local logins if it can verify the password.

Additional info:
SuSE Linux uses a different network model; it stacks pam_unix2 to authenticate, which in turn uses /etc/nsswitch.con to establish the server sequence. Thus they are not bitten by this particular bug.

Comment 1 Rudi Chiarito 2005-01-11 19:29:23 UTC
What you really want to use is pam_ccreds, which is already in FC3
and should ship by default with RHEL 4. Unfortunately, it's both
undocumented and not used by authconfig. I already filed two bug
reports for those issues, but I haven't seen any progress or
acknowledgements there.

Comment 2 Tomas Mraz 2005-01-12 08:22:17 UTC
The problem doesn't lie in the auth phase, it lies in the account phase.

Either use pam_ccreds or simply add 

account sufficient

after the account required .... line

This way the local users (users in the local passwd file) will be
authorized only by data in the local /etc/shadow and the remote
services won't block their access.

*** This bug has been marked as a duplicate of 109359 ***
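Added example, not part of the bug report or of Red Hat's authconfig output: a shell check for the account-stack condition comment 2 describes. It reports a system-auth file as safe for off-net local login when an "account sufficient" line sits after the "account required ... pam_unix.so" line and before the first account line that consults pam_ldap or pam_krb5, or when no such network module is in the account stack at all. The two sample files are constructed inline; comment 2 does not name the module on its "account sufficient" line, so pam_localuser.so in the "fixed" sample is an assumption, as are the module paths and the bracketed control values.

```shell
#!/bin/bash
# Added example (not from the bug report). Checks whether the account
# stack in a system-auth file lets local users through before a network
# module (pam_ldap / pam_krb5) can veto them while the host is off-net.

# check_account_stack FILE
# Exit status 0 = local users are short-circuited before any network
# account module (or there is none); 1 = a network module is reached first.
check_account_stack() {
    awk '
        { sub(/#.*/, "") }                 # strip comments
        $1 != "account" { next }           # only the account phase matters here
        {
            # the control field may be a bracketed list containing spaces,
            # e.g. [default=bad success=ok user_unknown=ignore]
            i = 2; control = $2
            if (control ~ /^\[/) {
                while (i < NF && $i !~ /\]$/) { i++; control = control " " $i }
            }
            module = $(i + 1); sub(/.*\//, "", module)   # basename of module
        }
        module ~ /^pam_unix\.so/ && control == "required" { seen_unix = 1; next }
        module ~ /^pam_(ldap|krb5)\.so/ { exit 1 }       # network module reached first
        seen_unix && control == "sufficient" { exit 0 }  # local users pass here
    ' "$1"
}

# make_sample weak|fixed
# Writes a constructed system-auth to a temp file and prints its path.
# Module paths and the pam_localuser.so line are assumptions, not taken
# from the bug report.
make_sample() {
    local f
    f="$(mktemp)"
    {
        echo 'auth     required   pam_env.so'
        echo 'auth     sufficient pam_unix.so likeauth nullok'
        echo 'auth     sufficient pam_krb5.so use_first_pass'
        echo 'auth     sufficient pam_ldap.so use_first_pass'
        echo 'auth     required   pam_deny.so'
        echo 'account  required   pam_unix.so'
        if [ "$1" = fixed ]; then
            # the line comment 2 asks for, placed right after "account required"
            echo 'account  sufficient pam_localuser.so'
        fi
        echo 'account  [default=bad success=ok user_unknown=ignore] pam_ldap.so'
        echo 'account  [default=bad success=ok user_unknown=ignore] pam_krb5.so'
    } > "$f"
    echo "$f"
}

# Stand-alone usage: report on both constructed samples, then clean up.
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for kind in weak fixed; do
        f="$(make_sample "$kind")"
        if check_account_stack "$f"; then
            echo "$kind: local users can log in off-net"
        else
            echo "$kind: network account module blocks local users off-net"
        fi
        rm -f "$f"
    done
fi
```

Run it against the real /etc/pam.d/system-auth with `check_account_stack /etc/pam.d/system-auth` after sourcing the file; a non-zero status means an off-net local login would hit pam_ldap or pam_krb5 in the account phase before any local short-circuit, which is the situation comment 2 diagnoses.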
