Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 168880 - Authconfig creates a broken pam stack if using kerberos and the pam_krb5 package/module is missing.
Summary: Authconfig creates a broken pam stack if using kerberos and the pam_krb5 pack...
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: authconfig
Version: rawhide
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: FC5Target 168877
TreeView+ depends on / blocked
 
Reported: 2005-09-20 21:36 UTC by Tomas Mraz
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version: authconfig-5.1.2-1
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-01-23 15:38:04 UTC


Attachments (Terms of Use)

Description Tomas Mraz 2005-09-20 21:36:13 UTC
+++ This bug was initially created as a clone of Bug #168877 +++

Description of problem:
I was updating the authconfig servers we are using on several systems with the
same command and didn't notice that one of the systems was missing the pam_krb5
package.  authconfig still went ahead and created the pam system-auth file with
the following line in it:

auth        sufficient    /lib/security/$ISA/pam_krb5afs.so use_first_pass tokens

This completely broke the pam stack because this module did not exist and
therefore even prevented root login from the console so it could not easily be
fixed.  System logs would contain errors like this for console login:

Sep 20 14:29:03 services01 login: PAM unable to
dlopen(/lib/security/$ISA/pam_krb5afs.so)
Sep 20 14:29:03 services01 login: PAM [dlerror:
/lib/security/../../lib/security/pam_krb5afs.so: cannot open shared object file:
No such file or directory]
Sep 20 14:29:03 services01 login: PAM adding faulty module:
/lib/security/$ISA/pam_krb5afs.so
Sep 20 14:29:07 services01 login: Module is unknown


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install a system without the pam_krb5 package.
2. After the install, rerun the authconfig command with options to enable krb5.
3. Try to log into the system.


Actual Results:  Login failed (even root from the console).

Expected Results:  authconfig should probably not be adding modules to the pam
config which are not installed on the system because it results in a broken pam
stack.

Additional info:

Comment 1 Tomas Mraz 2006-01-23 15:38:04 UTC
Authconfig will now print warning in such case.



Note You need to log in before you can comment on or make changes to this bug.