[Bug 1852997] [NEW] /etc/krb5.conf options seem to be ignored by pam_krb5.so
Russ Allbery
rra at debian.org
Mon Nov 18 16:26:16 UTC 2019
Thomas Schweikle <1852997 at bugs.launchpad.net> writes:
> Looks like set [appdefaults] for pam are ignored by pam_krb5.so:
> [appdefaults]
> forwardable = true
> noaddresses = true
> proxiable = true
> pam = {
> minimum_uid = 1000
> alt_auth_map=root/%s
> ccache_dir = /tmp/krb5cc
> ccache = DIR:/tmp/krb5cc/%u_XXXXXX
> }
> I'd expect this to create
> /tmp/krb5cc/1000_NvfDse
> but:
> /tmp/krb5cc_<uid> is used.
> Same if I add these options to
> -rw-r--r-- 1 root root 1360 Nov 18 12:25 /etc/pam.d/common-account
> -rw-r--r-- 1 root root 1383 Nov 18 12:24 /etc/pam.d/common-auth
> -rw-r--r-- 1 root root 1690 Nov 18 12:25 /etc/pam.d/common-password
> -rw-r--r-- 1 root root 1675 Nov 18 12:25 /etc/pam.d/common-session
> -rw-r--r-- 1 root root 1483 Nov 18 12:26 /etc/pam.d/common-session-noninteractive
I'm pretty sure this means that either pam_krb5 is not running or is using
some other configuration. It seems unlikely that it's just ignoring
option settings.
Are you running some other Kerberos-aware PAM module (such as sssd) that
might be setting up the ticket cache instead?
Adding debug to the end of the pam_krb5.so options will produce more
verbose logging. If you don't see any additional logging at DEBUG level
in syslog, that means that the module isn't running at all.
--
Russ Allbery (rra at debian.org) <https://www.eyrie.org/~eagle/>
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to libpam-krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1852997
Title:
/etc/krb5.conf options seem to be ignored by pam_krb5.so
Status in libpam-krb5 package in Ubuntu:
New
Bug description:
Looks like set [appdefaults] for pam are ignored by pam_krb5.so:
[appdefaults]
forwardable = true
noaddresses = true
proxiable = true
pam = {
minimum_uid = 1000
alt_auth_map=root/%s
ccache_dir = /tmp/krb5cc
ccache = DIR:/tmp/krb5cc/%u_XXXXXX
}
I'd expect this to create
/tmp/krb5cc/1000_NvfDse
but:
/tmp/krb5cc_<uid> is used.
Same if I add these options to
-rw-r--r-- 1 root root 1360 Nov 18 12:25 /etc/pam.d/common-account
-rw-r--r-- 1 root root 1383 Nov 18 12:24 /etc/pam.d/common-auth
-rw-r--r-- 1 root root 1690 Nov 18 12:25 /etc/pam.d/common-password
-rw-r--r-- 1 root root 1675 Nov 18 12:25 /etc/pam.d/common-session
-rw-r--r-- 1 root root 1483 Nov 18 12:26 /etc/pam.d/common-session-noninteractive
"man pam_krb5" states:
[appdefaults]
forwardable = true
pam = {
minimum_uid = 1000
EXAMPLE.COM = {
ignore_k5login = true
}
}
It should work. But does not. It just does not make any difference if
[appdefaults] is there or not.
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: libpam-krb5:amd64 4.8-2
ProcVersionSignature: Ubuntu 5.3.0-23.25-generic 5.3.7
Uname: Linux 5.3.0-23-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Mon Nov 18 13:24:53 2019
InstallationDate: Installed on 2019-09-09 (69 days ago)
InstallationMedia: Xubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
ProcEnviron:
LANGUAGE=de_DE
TERM=screen
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: libpam-krb5
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libpam-krb5/+bug/1852997/+subscriptions
More information about the foundations-bugs
mailing list