/etc/krb5.conf options seem to be ignored by pam_krb5.so

Bug #1852997 reported by Thomas Schweikle
This bug affects 1 person
Affects: libpam-krb5 (Ubuntu)
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

Looks like set [appdefaults] for pam are ignored by pam_krb5.so:

[appdefaults]
 forwardable = true
 noaddresses = true
 proxiable = true
 pam = {
  minimum_uid = 1000
  alt_auth_map=root/%s
  ccache_dir = /tmp/krb5cc
  ccache = DIR:/tmp/krb5cc/%u_XXXXXX
 }

I'd expect this to create

/tmp/krb5cc/1000_NvfDse

but:

/tmp/krb5cc_<uid> is used.

Same if I add these options to

-rw-r--r-- 1 root root 1360 Nov 18 12:25 /etc/pam.d/common-account
-rw-r--r-- 1 root root 1383 Nov 18 12:24 /etc/pam.d/common-auth
-rw-r--r-- 1 root root 1690 Nov 18 12:25 /etc/pam.d/common-password
-rw-r--r-- 1 root root 1675 Nov 18 12:25 /etc/pam.d/common-session
-rw-r--r-- 1 root root 1483 Nov 18 12:26 /etc/pam.d/common-session-noninteractive

"man pam_krb5" states:

           [appdefaults]
               forwardable = true
               pam = {
                   minimum_uid = 1000
                   EXAMPLE.COM = {
                       ignore_k5login = true
                   }
               }

It should work. But does not. It just does not make any difference if [appdefaults] is there or not.

ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: libpam-krb5:amd64 4.8-2
ProcVersionSignature: Ubuntu 5.3.0-23.25-generic 5.3.7
Uname: Linux 5.3.0-23-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Mon Nov 18 13:24:53 2019
InstallationDate: Installed on 2019-09-09 (69 days ago)
InstallationMedia: Xubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
ProcEnviron:
 LANGUAGE=de_DE
 TERM=screen
 PATH=(custom, no user)
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: libpam-krb5
UpgradeStatus: No upgrade log present (probably fresh install)

Thomas Schweikle (tps) wrote :
Russ Allbery (rra-debian) wrote : Re: [Bug 1852997] [NEW] /etc/krb5.conf options seem to be ignored by pam_krb5.so

Thomas Schweikle <email address hidden> writes:

> Looks like set [appdefaults] for pam are ignored by pam_krb5.so:

> [appdefaults]
> forwardable = true
> noaddresses = true
> proxiable = true
> pam = {
> minimum_uid = 1000
> alt_auth_map=root/%s
> ccache_dir = /tmp/krb5cc
> ccache = DIR:/tmp/krb5cc/%u_XXXXXX
> }

> I'd expect this to create

> /tmp/krb5cc/1000_NvfDse

> but:

> /tmp/krb5cc_<uid> is used.

> Same if I add these options to

> -rw-r--r-- 1 root root 1360 Nov 18 12:25 /etc/pam.d/common-account
> -rw-r--r-- 1 root root 1383 Nov 18 12:24 /etc/pam.d/common-auth
> -rw-r--r-- 1 root root 1690 Nov 18 12:25 /etc/pam.d/common-password
> -rw-r--r-- 1 root root 1675 Nov 18 12:25 /etc/pam.d/common-session
> -rw-r--r-- 1 root root 1483 Nov 18 12:26 /etc/pam.d/common-session-noninteractive

I'm pretty sure this means that either pam_krb5 is not running or is using
some other configuration. It seems unlikely that it's just ignoring
option settings.

Are you running some other Kerberos-aware PAM module (such as sssd) that
might be setting up the ticket cache instead?

Adding debug to the end of the pam_krb5.so options will produce more
verbose logging. If you don't see any additional logging at DEBUG level
in syslog, that means that the module isn't running at all.

--
Russ Allbery (<email address hidden>) <https://www.eyrie.org/~eagle/>
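
The checks suggested in the reply above, as an added example that is not part of the original bug report or of pam_krb5: a small parser for /etc/pam.d files that lists the Kerberos-aware modules in the stack and flags pam_krb5.so lines that lack debug. The sample file contents are constructed, and the set of module names treated as Kerberos-aware (pam_krb5.so, pam_sss.so) is an assumption.

```python
import re

# Assumption: module names treated as Kerberos-aware (pam_sss.so is sssd's module).
KRB_MODULES = {"pam_krb5.so", "pam_sss.so"}
# type, control (one word or a [bracketed list]), module path, optional arguments
LINE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# Constructed sample files, laid out like Ubuntu's common-* stacks.
SAMPLE = {
    "common-auth": """\
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
""",
    "common-session": """\
session required pam_unix.so
session optional pam_sss.so
""",
}

def parse_pam(text):
    """Yield (type, control, module, args) for each module line of a PAM file."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("@include"):
            continue
        m = LINE_RE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            yield mtype.lstrip("-"), control, module.rsplit("/", 1)[-1], args.split()

def audit(files):
    """files maps file name -> contents; returns the findings as a dict."""
    seen = []  # (file, type, module, args) for every Kerberos-aware module line
    for name, text in files.items():
        for mtype, _control, module, args in parse_pam(text):
            if module in KRB_MODULES:
                seen.append((name, mtype, module, args))
    krb5 = [s for s in seen if s[2] == "pam_krb5.so"]
    return {
        "pam_krb5_present": bool(krb5),
        "missing_debug": [(f, t) for f, t, _m, a in krb5 if "debug" not in a],
        "other_krb_modules": sorted({m for _f, _t, m, _a in seen if m != "pam_krb5.so"}),
        "session_has_pam_krb5": any(t == "session" for _f, t, _m, _a in krb5),
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```

To run it against a real system, read each /etc/pam.d/common-* file into the dict passed to audit().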
