Bug 177681 - pam_krb5.so does not save credentials
Summary: pam_krb5.so does not save credentials
Status: RESOLVED DUPLICATE of bug 146449
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Unspecified (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Linux bug wranglers
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2007-05-08 17:56 UTC by Arno Hahma
Modified: 2007-05-08 17:58 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Description Arno Hahma 2007-05-08 17:56:26 UTC
pam_krb5.so does not save KRB5 credentials. When one logs on with a Kerberos password, klist should list the credentials, but instead it finds nothing. If I do "kinit" and then klist, everything is OK, so the Kerberos setup is correct.

Reproducible: Always

Steps to Reproduce:
1. install pam_krb5.so
2. configure sshd to use pam_krb5.so in the auth stack
3. log on to the system and type "klist" and see, no credentials

Actual Results:  
See additional info.

Expected Results:  
See additional info.

PAM configs:

sshd:

#%PAM-1.0

auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
#password   sufficient  pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
#session    required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0027

system-auth:

#%PAM-1.0

auth       required     /lib/security/pam_env.so
#auth       sufficient  /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok audit try_first_pass
auth       sufficient   /lib/security/pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass debug
auth       required     /lib/security/pam_deny.so

account    sufficient   /lib/security/pam_unix.so try_first_pass broken_shadow
account    [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore ] /lib/security/pam_krb5.so debug
account    required     /lib/security/pam_access.so

password   required     /lib/security/pam_cracklib.so retry=3 try_first_pass
password   sufficient   /lib/security/pam_unix.so nullok try_first_pass md5 shadow use_authtok
password   sufficient   /lib/security/pam_krb5.so use_authtok try_first_pass
password   required     /lib/security/pam_deny.so

session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so

Login process:

as75|20:22|1|>ssh shetach.chem.jyu.fi
Password: 
Last login: Tue May  8 23:17:58 2007 from as75.adsl.tnnet.fi
Executing: /home/nano-supercomputer/arno/OpenFOAM/OpenFOAM-1.3/.bashrc
Executing: /home/nano-supercomputer/arno/OpenFOAM/OpenFOAM-1.3/.OpenFOAM-1.3/apps/ensightFoam/bashrc
Executing: /home/nano-supercomputer/arno/OpenFOAM/OpenFOAM-1.3/.OpenFOAM-1.3/apps/paraview/bashrc
arno@shetach ~ $ 
arno@shetach ~ $ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_45132)
arno@shetach ~ $ 

This is wrong!!! It should work automatically like this:

arno@shetach ~ $ kinit
Password for arno@CC.JYU.FI: 
arno@shetach ~ $ klist
Ticket cache: FILE:/tmp/krb5cc_45132
Default principal: arno@CC.JYU.FI

Valid starting     Expires            Service principal
05/08/07 20:54:24  05/09/07 06:54:24  krbtgt/CC.JYU.FI@CC.JYU.FI
        renew until 05/08/07 20:54:24
arno@shetach ~ $ 


Finally, emerge --info:

shetach pam.d # emerge --info
Portage 2.1.2.2 (default-linux/x86/no-nptl, gcc-4.1.1, glibc-2.5-r0, 2.6.20-gentoo-r7 i686)
=================================================================
System uname: 2.6.20-gentoo-r7 i686 AMD Athlon(TM) XP1700+
Gentoo Base System release 1.12.9
Timestamp of tree: Wed, 02 May 2007 07:30:07 +0000
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.15-r1
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-xp -pipe -mfpmath=sse"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=athlon-xp -pipe -mfpmath=sse"
DISTDIR="/usr/portage/distfiles"
FEATURES="distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.public.fix.fi/gentoo http://ftp.public.fix.fi/gentoo/ http://ftp.linux.ee/pub/gentoo/distfiles/ ftp://ftp.belnet.be/mirror/rsync.gentoo.org/gentoo/ ftp://ftp.linux.ee/pub/gentoo/distfiles/"
LINGUAS="fi se en he de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X aac acl alsa apache2 apm arts audiofile automount bash-completion berkdb bitmap-fonts blas bonobo bzip2 cddb cdparanoia cdr cli cracklib crypt ctype cups curl dbm dri dv dvb dvd dvdr dvdread eds emboss encode exif expat ffmpeg fftw foomaticdb fortran gcj gd gdbm gif glut gmp gnome gnutls gphoto2 gpm gstreamer gtk gtk2 guile hal iconv ieee1394 imagemagick imap imlib ipv6 isdnlog jbig jikes jpeg jpeg2k kde kerberos ldap lesstif libg++ libwww mad maildir matroska midi mikmod mime mmap mmx mng motif mozilla mp3 mpeg mpi mplayer mysql ncurses net-fs/samba nls ogg opengl oss pam pcre pdf perl php png povray pppd python qt3 qt4 quicktime quotas rdesktop readline reflection samba sdl session spell spl sse sse2 ssl tcl tcpd tetex theora threads tiff tk truetype truetype-fonts type1-fonts unicode vorbis winbind wmf x264 x86 xine xml xorg xpm xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="fi se en he de" USERLAND="GNU" VIDEO_CARDS="apm ark ati chips cirrus cyrix dummy fbdev glint i128 i740 i810 imstt mga neomagic nsc nv rendition s3 s3virge savage siliconmotion sis sisusb tdfx tga trident tseng v4l vesa vga via vmware voodoo"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 1 Jakub Moc (RETIRED) gentoo-dev 2007-05-08 17:58:47 UTC

*** This bug has been marked as a duplicate of bug 146449 ***
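
A check one might run on a stack like the system-auth file quoted in the description (an added example, not part of the bug report and not a diagnosis of it): it reports which `sufficient` modules sit ahead of pam_krb5.so in a phase, since a successful `sufficient` module ends that phase before later modules are called. The function names are hypothetical, and the sample input is copied from the auth and session lines above.

```python
import re

# Constructed input: auth and session lines copied from the system-auth file in the report.
SYSTEM_AUTH = """\
auth       required     /lib/security/pam_env.so
#auth       sufficient  /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok audit try_first_pass
auth       sufficient   /lib/security/pam_krb5.so ccache=/tmp/krb5cc_%u use_first_pass debug
auth       required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
session    optional     /lib/security/pam_krb5.so
"""

LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return (type, control, module_basename, args) for every active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and commented-out modules
        m = LINE.match(line)
        if m:
            mtype, control, path, args = m.groups()
            entries.append((mtype, control, path.rsplit("/", 1)[-1], args.split()))
    return entries

def short_circuits(entries, mtype, target):
    """Modules listed before `target` in phase `mtype` whose success ends the phase."""
    found = []
    for etype, control, module, _ in entries:
        if etype != mtype:
            continue
        if module == target:
            return found
        if control == "sufficient" or "success=done" in control:
            found.append(module)
    return None  # target is not configured in this phase

def phases_with(entries, target):
    """Phases (auth, account, password, session) in which `target` is configured."""
    return sorted({etype for etype, _, module, _ in entries if module == target})
```

For the stack above, `short_circuits(parse_stack(SYSTEM_AUTH), "auth", "pam_krb5.so")` names pam_unix.so: an account whose password also verifies locally completes the auth phase there, and pam_krb5.so's auth entry is not called for that login.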