[Bug 231262] New: Upon login, kerberos does not obtain ticket.
https://bugzilla.novell.com/show_bug.cgi?id=231262

           Summary: Upon login, kerberos does not obtain ticket.
           Product: openSUSE 10.2
           Version: Final
          Platform: x86-64
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Basesystem
        AssignedTo: bnc-team-screening@forge.provo.novell.com
        ReportedBy: fischer@td.mw.tum.de
         QAContact: qa@suse.de

I have an LDAP and kerberos server for user information, both services are activated on the workstation. In 10.1 (and possibly before) Yast prompted upon configuration of both services which service should be the principal authentication source, in this case kerberos, and adjusted PAM accordingly. In 10.2 this "feature" exists no longer, and pam appears to assume LDAP to be the principal authentication source, as upon login no ticket is obtained.

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
https://bugzilla.novell.com/show_bug.cgi?id=231262

chrubis@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|bnc-team-                   |jsuchome@novell.com
                   |screening@forge.provo.novell|
                   |.com                        |
https://bugzilla.novell.com/show_bug.cgi?id=231262

jsuchome@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |fischer@td.mw.tum.de

------- Comment #1 from jsuchome@novell.com 2007-01-03 23:55 MST -------
Please attach the output of '/usr/sbin/pam-config -q --ldap' and 'pam-config -q --krb5'
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|fischer@td.mw.tum.de        |

------- Comment #2 from fischer@td.mw.tum.de 2007-01-04 02:03 MST -------
fischer@galadriel:[/nfs/home/fischer]> pam-config -q --ldap
account:
auth:
password:
session:
fischer@galadriel:[/nfs/home/fischer]> pam-config -q --krb5
account: debug
auth: debug
password: debug
session: debug

The debug flags are a leftover from my attempts on trying to fix my problem....
https://bugzilla.novell.com/show_bug.cgi?id=231262

jsuchome@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mc@novell.com
             Status|NEW                         |NEEDINFO
      Info Provider|                            |mc@novell.com

------- Comment #3 from jsuchome@novell.com 2007-01-04 02:08 MST -------
Michael, don't you know where could be the problem?
https://bugzilla.novell.com/show_bug.cgi?id=231262

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
      Info Provider|mc@novell.com               |fischer@td.mw.tum.de

------- Comment #4 from mc@novell.com 2007-01-04 02:19 MST -------
Frank: please send /etc/pam.d/common-auth and /etc/pam.d/common-account .
Additionally please attach /var/log/messages .
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #5 from jsuchome@novell.com 2007-01-09 02:30 MST -------
Any news?
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #6 from fischer@td.mw.tum.de 2007-01-10 08:04 MST -------
I'm still investigating as the problem is a bit diffuse meanwhile. What definitely always works is a login to the shell. However, since the users' home dirs are mounted with NFS4 (krb5), they do not always get access to the home dir. A manual kinit -f right after log in always fixes this problem. Then, a login to [xgk]dm works normally.
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |ASSIGNED
      Info Provider|fischer@td.mw.tum.de        |
https://bugzilla.novell.com/show_bug.cgi?id=231262

jsuchome@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jsuchome@novell.com
         AssignedTo|jsuchome@novell.com         |mc@novell.com
             Status|ASSIGNED                    |NEW

------- Comment #7 from jsuchome@novell.com 2007-01-25 00:34 MST -------
Could you please attach the requested files? (see comment #4)
https://bugzilla.novell.com/show_bug.cgi?id=231262

jsuchome@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |fischer@td.mw.tum.de
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #8 from fischer@td.mw.tum.de 2007-02-01 07:07 MST -------
Created an attachment (id=116827)
 --> (https://bugzilla.novell.com/attachment.cgi?id=116827&action=view)
pamd common-auth file
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #9 from fischer@td.mw.tum.de 2007-02-01 07:08 MST -------
Created an attachment (id=116828)
 --> (https://bugzilla.novell.com/attachment.cgi?id=116828&action=view)
pamd common-account file
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|fischer@td.mw.tum.de        |

------- Comment #10 from fischer@td.mw.tum.de 2007-02-01 07:11 MST -------
Created an attachment (id=116829)
 --> (https://bugzilla.novell.com/attachment.cgi?id=116829&action=view)
messages log file
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #11 from fischer@td.mw.tum.de 2007-02-01 07:17 MST -------
Sorry for the delay, but I was out of office.

Here's some additional information on what happens:

======
galadriel login: fischer
Password:
Last login: Thu Feb  1 14:54:07 CET 2007 on tty3
Have a lot of fun...
No directory /nfs/home/fischer!
Logging in with home = "/".
======

So no access to home directory here. This is where all the gssd errors in /var/log/messages appear.

Further digging shows:

=====
galadriel /> klist -e
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1026)

Kerberos 4 ticket cache: /tmp/tkt1026
klist: You have no tickets cached
=====

So one can perform a kinit manually, from which point on everything works as desired.

Now here comes the interesting part: If I do a kdestroy right after the kinit, plus manually delete my credentials cache (/tmp/krb5cc_1026), it still works, until the tgt obtained by the kinit expires.
https://bugzilla.novell.com/show_bug.cgi?id=231262

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |fischer@td.mw.tum.de

------- Comment #12 from mc@novell.com 2007-02-01 07:41 MST -------
Please have a look in /etc/passwd . Does the user "fischer" exist there too? If yes, this could be the problem.

I only see pam_krb5 session debug messages. It looks like auth and account were never called.

If the "local user" is not your problem please add debug to all pam modules.

$> pam-config -a --pam-debug

repeat the test and send /var/log/messages again. Then we might see which module return "success" on auth and account.
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|fischer@td.mw.tum.de        |

------- Comment #13 from fischer@td.mw.tum.de 2007-02-01 08:40 MST -------
Created an attachment (id=116857)
 --> (https://bugzilla.novell.com/attachment.cgi?id=116857&action=view)
log files (all pam modules with added debug flags)
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #14 from fischer@td.mw.tum.de 2007-02-01 08:43 MST -------
No local users (except the default ones installed by the system) are present; no user "fischer" and no user with uid 1026 (the "remote" uid)
https://bugzilla.novell.com/show_bug.cgi?id=231262

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |fischer@td.mw.tum.de

------- Comment #15 from mc@novell.com 2007-02-01 09:12 MST -------
Funny:

Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:auth): pam_sm_authenticate: PAM_SUCCESS
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:account): pam_sm_acct_mgmt() called
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:account): username=[fischer]
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:account): expire() returned with 0
Feb  1 16:33:36 galadriel login[4409]: pam_krb5[4409]: configured realm 'TD.MW.TUM.DE'

The user is authenticated by pam_unix2 and not by pam_krb5 . This means pam_unix2 finds the user somewhere.

Question: do you still have the old pam_unix2 config file? (/etc/security/pam_unix2.conf) If yes, please remove it. It is not needed anymore in 10.2 .
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|fischer@td.mw.tum.de        |

------- Comment #16 from fischer@td.mw.tum.de 2007-02-01 09:40 MST -------
No, /etc/security/pam_unix2.conf is not found.

Maybe pam_unix2 finds the user via ldap? It's the only guess I have, because there is no local information about a user "fischer".
https://bugzilla.novell.com/show_bug.cgi?id=231262

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |fischer@td.mw.tum.de

------- Comment #17 from mc@novell.com 2007-02-02 01:51 MST -------
pam_unix2 cannot search LDAP.

Here are my last two ideas :

1) Do you have configured NIS or NIS+?
2) Does the user "fischer" exist in /etc/shadow?
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #18 from kukuk@novell.com 2007-02-02 03:26 MST -------
pam_unix2 uses getpwnam(). getpwnam() calls nss_ldap. It seems in this case, the LDAP server is configured to provide passwords to getpwnam() calls and not to do the authentication itself. So pam_unix2 will get accounts and passwords from getpwnam() calls and can do the authentication.
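The two checks behind comments #11, #15 and #18, written out as an added example that is not part of the bug thread: which PAM module actually satisfied the auth stage in a pam-debug log excerpt, and whether klist shows a credentials cache after login. The sample log lines are constructed copies of the ones quoted in comment #15 (hostname, PID and realm taken from there); the "healthy" excerpt is an assumption written in the `module(service:stage)` prefix style that pam_unix2 uses, since the thread never shows a pam_krb5 auth success line.

```shell
#!/bin/sh
# Added example (not from the bug thread): find out from a pam-debug log which
# PAM module answered the "auth" stage, and from klist output whether a
# Kerberos credentials cache exists after login.

# Constructed after the lines quoted in comment #15.
SAMPLE_LOG=$(cat <<'EOF'
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:auth): pam_sm_authenticate: PAM_SUCCESS
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:account): pam_sm_acct_mgmt() called
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:account): username=[fischer]
Feb  1 16:33:36 galadriel login[4409]: pam_unix2(login:account): expire() returned with 0
Feb  1 16:33:36 galadriel login[4409]: pam_krb5[4409]: configured realm 'TD.MW.TUM.DE'
EOF
)

# Hypothetical "healthy" excerpt: pam_krb5 answering the auth stage. The real
# pam_krb5 wording is not shown in the thread, so this line is an assumption
# written in pam_unix2's module(service:stage) prefix style.
HEALTHY_LOG=$(cat <<'EOF'
Feb  1 16:40:02 galadriel login[4501]: pam_krb5(login:auth): pam_sm_authenticate: PAM_SUCCESS
Feb  1 16:40:02 galadriel login[4501]: pam_krb5[4501]: configured realm 'TD.MW.TUM.DE'
EOF
)

# klist output as quoted in comment #11 (constructed copy).
SAMPLE_KLIST=$(cat <<'EOF'
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1026)
Kerberos 4 ticket cache: /tmp/tkt1026
klist: You have no tickets cached
EOF
)

# first_auth_success LOGTEXT
# Prints the name of the first module that logged PAM_SUCCESS for the auth
# stage, or "none". If that module is not pam_krb5, pam_krb5 never did the
# authentication and no TGT is requested during login (comment #15).
first_auth_success() {
    printf '%s\n' "$1" | awk '
        match($0, /pam_[A-Za-z0-9_]+\([^:)]+:auth\)/) && /PAM_SUCCESS/ {
            mod = substr($0, RSTART, RLENGTH)
            sub(/\(.*/, "", mod)      # keep only the module name
            print mod
            found = 1
            exit
        }
        END { if (!found) print "none" }'
}

# has_ticket_cache KLISTTEXT
# Prints "no" when klist reports a missing or empty credentials cache,
# "yes" otherwise.
has_ticket_cache() {
    case "$1" in
        *"No credentials cache found"*|*"You have no tickets cached"*) echo no ;;
        *) echo yes ;;
    esac
}

# Stand-alone demo; on a real system feed it the log and live klist output:
#   first_auth_success "$(grep 'login\[' /var/log/messages)"
#   has_ticket_cache "$(klist 2>&1)"
if [ "${1:-}" = "--demo" ]; then
    echo "broken login:  auth answered by $(first_auth_success "$SAMPLE_LOG"), ticket cache: $(has_ticket_cache "$SAMPLE_KLIST")"
    echo "healthy login: auth answered by $(first_auth_success "$HEALTHY_LOG")"
fi
```

Run with `sh script.sh --demo`. The first function is the quick way to confirm what mc@novell.com read off the log by eye: a PAM_SUCCESS from pam_unix2 in the auth stage means the password was verified from whatever getpwnam() returned, and the Kerberos module never saw the password.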
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #19 from mc@novell.com 2007-02-02 04:22 MST -------
Hmm, if this is the case, then deleting the user password from ldap should fix the problem.
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|fischer@td.mw.tum.de        |

------- Comment #20 from fischer@td.mw.tum.de 2007-02-02 07:52 MST -------
Nope, NIS/NIS+ is not configured and /etc/shadow does not contain any such user.

I'll try removing user password from the ldap database temporarily on Monday, but it's not a solution as the user password is needed for some other service in the network for the time being.
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #21 from fischer@td.mw.tum.de 2007-02-05 01:04 MST -------
Removing userPassword from the LDAP database appears to fix the problem (see comment #20)
https://bugzilla.novell.com/show_bug.cgi?id=231262

mc@novell.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

------- Comment #22 from mc@novell.com 2007-02-05 02:06 MST -------
Ok, then it is a misconfiguration of your LDAP server. An anonymous user should not be able to read the userPassword there. The "auth" permission should be enough to authenticate against LDAP.

If you use openldap the following ACL should do the job:

access to attrs=userPassword,userPKCS12
        by self write
        by * auth
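An added example, not from the bug thread, that shows the weak slapd.conf ACL next to the one given in comment #22 and a small check that tells them apart: it reports what access level the `by *` (or `by anonymous`) clause of the userPassword stanza grants. Both ACL fragments are constructed; the fixed one is the ACL from the comment. The check assumes one `by` clause per line, as in that ACL, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug thread): flag an OpenLDAP slapd.conf-style
# ACL that lets anonymous clients read userPassword, the condition diagnosed
# in comments #18 and #22.

# Constructed weak ACL: any bind, including anonymous, can read the hashes,
# so nss_ldap returns them to getpwnam() and pam_unix2 authenticates locally.
WEAK_ACL=$(cat <<'EOF'
access to attrs=userPassword
        by self write
        by * read
access to *
        by * read
EOF
)

# The ACL from comment #22: the hash can be used for a bind but is never
# returned by a search.
FIXED_ACL=$(cat <<'EOF'
access to attrs=userPassword,userPKCS12
        by self write
        by * auth
access to *
        by * read
EOF
)

# anon_password_access ACLTEXT
# Prints the access level granted by the "by *" or "by anonymous" clause of
# the first "access to" stanza covering userPassword; prints "unspecified"
# when no such stanza or clause exists (then the effective access depends on
# the other directives and has to be reviewed by hand).
anon_password_access() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }                               # skip comment lines
        /^[ \t]*access[ \t]+to[ \t]/ {
            if (in_pw) exit                               # left the stanza
            in_pw = ($0 ~ /userPassword/)
            next
        }
        in_pw && /^[ \t]*by[ \t]+(\*|anonymous)[ \t]/ {
            print $3                                      # the access level
            found = 1
            exit
        }
        END { if (!found) print "unspecified" }'
}

# acl_verdict ACLTEXT
# Maps the access level to the consequence seen in the thread. OpenLDAP
# levels are cumulative: "auth" allows a bind but not a read; "read" and
# above return the hash to anyone who asks.
acl_verdict() {
    case "$(anon_password_access "$1")" in
        none|disclose|auth) echo "ok: userPassword is not readable by anonymous clients" ;;
        read|write|manage)  echo "exposed: anonymous clients can read userPassword hashes" ;;
        *)                  echo "review: unusual or unspecified access level, check the remaining directives" ;;
    esac
}

if [ "${1:-}" = "--demo" ]; then
    echo "weak ACL:  $(acl_verdict "$WEAK_ACL")"
    echo "fixed ACL: $(acl_verdict "$FIXED_ACL")"
fi
```

Run with `sh script.sh --demo`, or pass the contents of your own slapd.conf to `acl_verdict`. The point of `by * auth` is exactly what comment #18 describes in reverse: the directory still verifies a simple bind against userPassword, but a search from nss_ldap no longer gets the hash back, so getpwnam() returns no password and pam_unix2 has nothing to check, leaving the auth stage to pam_krb5.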
https://bugzilla.novell.com/show_bug.cgi?id=231262

------- Comment #23 from fischer@td.mw.tum.de 2007-02-06 07:42 MST -------
This indeed fixes the issue. I'm not sure why, but it does. Sorry for misposting.
https://bugzilla.novell.com/show_bug.cgi?id=231262

fischer@td.mw.tum.de changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
participants (1):
  bugzilla_noreply@novell.com