Bug 163886 - Can't log in as root on console when krb5 is enabled
Summary: Can't log in as root on console when krb5 is enabled
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
Version: 3.0
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact: Brian Brock
URL: none
Depends On: 140325
Reported: 2005-07-21 19:35 UTC by Geoff Silver
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-10-19 18:57:44 UTC
Target Upstream Version:


Description Geoff Silver 2005-07-21 19:35:46 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1

Description of problem:
When krb5 support is enabled via authconfig, it adds the following line to /etc/pam.d/system-auth:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/

That line causes multiple problems.  Specific examples include the inability of root to log into the console, and the inability to run 'su - user', even as root. 'su - user' produces the following error:

su: incorrect password

When that line is disabled, root console logins and su work as expected.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure your system to support kerberos authentication (authconfig --enablekrb5).  Be sure you have a valid /etc/krb5.conf and /etc/krb5.keytab and are talking to a valid KDC.
2. As root, 'su - user' - any user.  Additionally, try to log into the system via the console.
3. Edit /etc/pam.d/system-auth and remove the line 'account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/'.  Repeat step 2.

Actual Results:  In step 2, I get 'su: incorrect password', even though I am root and should be able to 'su' to any local account.  Additionally, I cannot log into the console as root (likely because "root@DOMAIN.COM" does not exist in the KDC as an account).  In step 3, 'su' works, as does local console login.

Expected Results:  'su' should have worked.

Additional info:

Comment 1 Geoff Silver 2005-07-21 19:39:07 UTC
I went back and tried to add a root@DOMAIN.COM principal to the KDC, and the
above still fails, so I don't believe that is actually the underlying reason.

Comment 2 Tomas Mraz 2005-07-22 07:03:57 UTC
You actually have 2 different problems:

1. not able to login as root on console - this can be resolved by using
authconfig and enabling the option "Local authorization is sufficient".

2. not able to su from root to arbitrary user - this can be worked around by adding
account    sufficient uid=0 use_uid
as the first account line in the /etc/pam.d/su file.

Another possibility to fix these bugs is through changes to pam_krb5 code -
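
An added illustration (not part of the original report, and not pam_krb5 or Linux-PAM code) of why the bracketed control on the account line fails the whole stack, and why a leading "sufficient" line as suggested in Comment 2 bypasses it. The module labels, the flat two-line stack and the perm_denied return code are assumptions; the report does not say which code the module returns for root, and any code not named inside the brackets falls through to default=bad in the same way.

```python
# Added example: simplified model of Linux-PAM control evaluation
# (actions ok/done/bad/die/ignore only; no reset or jump counts).
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[default=bad success=ok ...]' to {return_code: action}."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return SHORTHAND[control]

def run_stack(stack, returns):
    """stack: [(control, module_label)]; returns: {module_label: return_code}."""
    failure = status = None
    for control, module in stack:
        actions = parse_control(control)
        rc = returns[module]
        action = actions.get(rc, actions["default"])
        if action in ("bad", "die"):
            failure = failure or rc        # the first failure is the one reported
            if action == "die":
                break
        elif action in ("ok", "done") and failure is None:
            if status in (None, "success"):
                status = rc
            if action == "done":           # e.g. a successful 'sufficient' line
                break
    return failure or status or "no_decision"

# Control string copied from the report; module labels are placeholders.
KRB5_CONTROL = ("[default=bad success=ok user_unknown=ignore "
                "service_err=ignore system_err=ignore]")
SYSTEM_AUTH = [("required", "unix"), (KRB5_CONTROL, "krb5")]      # constructed
SU_WORKAROUND = [("sufficient", "uid0_check")] + SYSTEM_AUTH      # Comment 2

# Assumption: 'perm_denied' stands in for whatever unlisted code krb5 returns.
ROOT = {"unix": "success", "krb5": "perm_denied", "uid0_check": "success"}

if __name__ == "__main__":
    print(run_stack(SYSTEM_AUTH, ROOT))                              # perm_denied
    print(run_stack(SYSTEM_AUTH, {**ROOT, "krb5": "user_unknown"}))  # success
    print(run_stack(SU_WORKAROUND, ROOT))                            # success
```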

Comment 3 RHEL Product and Program Management 2007-10-19 18:57:44 UTC
This bug is filed against RHEL 3, which is in maintenance phase.
During the maintenance phase, only security errata and select mission
critical bug fixes will be released for enterprise products. Since
this bug does not meet those criteria, it is now being closed.
For more information on the RHEL errata support policy, please visit:
If you feel this bug is indeed mission critical, please contact your
support representative. You may be asked to provide detailed
information on how this bug is affecting you.
