Bug 79853 - updated pam_krb5 does not allow logins on console.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam_krb5
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2002-12-17 16:07 UTC by Stephen John Smoogen
Modified: 2007-11-30 22:06 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-02-24 19:07:39 UTC
Target Upstream Version:



Description Stephen John Smoogen 2002-12-17 16:07:03 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (compatible; Mozilla 4.79; X11; U; Linux i686; en-US;
rv:0.9.9) Gecko/20020513

Description of problem:
After applying all updates to a 7.3 and 8.0 machine we are not able to log into
the virtual consoles other than X. All logins except root are compared against
Kerberos database using onetime keys from a cryptocard. Neither these nor root
accounts seem to be able to log in.

After much head banging on my part, a co-worker made some changes to
/etc/pam.d/system-auth and logins were allowed again. The line seems to be the
following:

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_krb5.so

changing this to "required" allowed non-root accounts to log in, but not the
root account. Making the final change to "sufficient" allowed for all accounts
to log in via console.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. update machine to latest RPMS
2. run authconfig
3. watch people not log in
    

Additional info:

While we have a workaround, we are not sure it is the best thing since it is
breaking the 'way things were set up by Red Hat tools'.

Comment 1 Stephen John Smoogen 2003-02-14 06:28:20 UTC
While I know no one seems to be reading these bug reports :)... I figured out
what the problem is:

authconfig puts in a line for /etc/pam.d/system-auth that does not seem to work
in our Kerberos environment.

account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
 
This central part is causing our root logins to fail and our current fix is to
install a patched version that doesn't have this line in it.

Comment 2 Nalin Dahyabhai 2004-02-20 23:38:58 UTC
Hmm. Setting the module to "sufficient" has the same effect as
removing the check completely (because a "required" module has already
succeeded at that point, libpam will ignore the failure code returned
by pam_krb5 if it is marked "sufficient").

Do your users have principals in Kerberos?  What error messages are
you getting from pam_krb5 when login fails?
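
The stack behaviour comment 2 describes, as an added example that is not part of the bug report or of pam_krb5: a simplified Python model of how libpam evaluates the control field of each line in a stack. The preceding required pam_unix.so entry and the return codes fed in are assumptions; the report does not say what pam_krb5 actually returned.

```python
# Simplified model of how libpam combines module results within one stack.
# Return codes fed in below are constructed inputs, not real pam_krb5 output.
SHORTHAND = {  # keyword controls expressed in bracket form, per pam.conf(5)
    "required": {"success": "ok", "new_authtok_reqd": "ok",
                 "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}
# Control field of the line authconfig wrote, copied from the report.
AUTHCONFIG = ("[default=bad success=ok user_unknown=ignore "
              "service_err=ignore system_err=ignore]")

def parse_control(control):
    """Map 'required' or '[code=action ...]' to {return_code: action}."""
    if control.startswith("["):
        return dict(p.split("=", 1) for p in control.strip("[]").split())
    return SHORTHAND[control]

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: return code}."""
    status = None  # None: no module has contributed a verdict yet
    for control, module in stack:
        code = results[module]
        actions = parse_control(control)
        action = actions.get(code, actions["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if status in (None, "success"):
                status = code
                if action == "done":
                    break  # terminate the stack early
        elif status in (None, "success"):
            status = code  # "bad": the first failure decides the result
    # libpam fails a stack in which every module was ignored
    return status or "perm_denied"

def outcome(krb5_control, krb5_code):
    """Account stack: hypothetical required pam_unix.so that succeeds,
    then pam_krb5.so under krb5_control (None = line removed)."""
    stack = [("required", "pam_unix.so")]
    if krb5_control:
        stack.append((krb5_control, "pam_krb5.so"))
    return run_stack(stack, {"pam_unix.so": "success", "pam_krb5.so": krb5_code})

if __name__ == "__main__":
    for code in ("success", "user_unknown", "acct_expired"):
        print(code, {c or "removed": outcome(c, code)
                     for c in (AUTHCONFIG, "required", "sufficient", None)})
```

In this model "sufficient" and a removed line give the same result for every pam_krb5 return code, so the Kerberos account check no longer gates the login.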

