/etc/krb5.conf options seem to be ignored by pam_krb5.so
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
libpam-krb5 (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
Looks like set [appdefaults] for pam are ignored by pam_krb5.so:
[appdefaults]
forwardable = true
noaddresses = true
proxiable = true
pam = {
minimum_uid = 1000
alt_auth_map=root/%s
ccache_dir = /tmp/krb5cc
ccache = DIR:/tmp/krb5cc/%u_XXXXXX
}
I'd expect this to create
/tmp/krb5cc/1000_NvfDse
but:
/tmp/krb5cc_<uid> is used.
Same if I add these options to
-rw-r--r-- 1 root root 1360 Nov 18 12:25 /etc/pam.d/common-account
-rw-r--r-- 1 root root 1383 Nov 18 12:24 /etc/pam.d/common-auth
-rw-r--r-- 1 root root 1690 Nov 18 12:25 /etc/pam.d/common-password
-rw-r--r-- 1 root root 1675 Nov 18 12:25 /etc/pam.d/common-session
-rw-r--r-- 1 root root 1483 Nov 18 12:26 /etc/pam.d/common-session-noninteractive
"man pam_krb5" states:
pam = {
}
It should work. But does not. It just does not make any difference if [appdefaults] is there or not.
ProblemType: Bug
DistroRelease: Ubuntu 19.10
Package: libpam-krb5:amd64 4.8-2
ProcVersionSign
Uname: Linux 5.3.0-23-generic x86_64
ApportVersion: 2.20.11-0ubuntu8.2
Architecture: amd64
Date: Mon Nov 18 13:24:53 2019
InstallationDate: Installed on 2019-09-09 (69 days ago)
InstallationMedia: Xubuntu 19.04 "Disco Dingo" - Release amd64 (20190416)
ProcEnviron:
LANGUAGE=de_DE
TERM=screen
PATH=(custom, no user)
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: libpam-krb5
UpgradeStatus: No upgrade log present (probably fresh install)
Thomas Schweikle <email address hidden> writes:
> Looks like set [appdefaults] for pam are ignored by pam_krb5.so:
> [appdefaults]
> forwardable = true
> noaddresses = true
> proxiable = true
> pam = {
> minimum_uid = 1000
> alt_auth_map=root/%s
> ccache_dir = /tmp/krb5cc
> ccache = DIR:/tmp/krb5cc/%u_XXXXXX
> }
> I'd expect this to create
> /tmp/krb5cc/1000_NvfDse
> but:
> /tmp/krb5cc_<uid> is used.
> Same if I add these options to
> -rw-r--r-- 1 root root 1360 Nov 18 12:25 /etc/pam.d/common-account
> -rw-r--r-- 1 root root 1383 Nov 18 12:24 /etc/pam.d/common-auth
> -rw-r--r-- 1 root root 1690 Nov 18 12:25 /etc/pam.d/common-password
> -rw-r--r-- 1 root root 1675 Nov 18 12:25 /etc/pam.d/common-session
> -rw-r--r-- 1 root root 1483 Nov 18 12:26 /etc/pam.d/common-session-noninteractive
I'm pretty sure this means that either pam_krb5 is not running or is using
some other configuration. It seems unlikely that it's just ignoring
option settings.
Are you running some other Kerberos-aware PAM module (such as sssd) that
might be setting up the ticket cache instead?
Adding debug to the end of the pam_krb5.so options will produce more
verbose logging. If you don't see any additional logging at DEBUG level
in syslog, that means that the module isn't running at all.
-- 
Russ Allbery (<email address hidden>) <https://www.eyrie.org/~eagle/>
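
The two checks suggested in the reply above, as an added example that is not part of the original thread: a small Python parser for /etc/pam.d stack files that reports where pam_krb5.so runs, whether it has debug set, and whether another ticket-acquiring module is in the stack. The module list (pam_sss.so, pam_winbind.so) and the sample stack are assumptions constructed for illustration.

```python
import re

# Modules other than pam_krb5 that can obtain Kerberos tickets themselves
# (assumed list for this example: sssd's pam_sss and Samba's pam_winbind).
OTHER_KRB_MODULES = {"pam_sss.so", "pam_winbind.so"}

# Fields: type, control (single word or [bracketed list]), module, options.
PAM_LINE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Yield (type, module_basename, options) for each module line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        m = PAM_LINE.match(line)
        if m:
            ptype, _control, module, opts = m.groups()
            yield ptype, module.rsplit("/", 1)[-1], opts.split()


def audit(text):
    """Report where pam_krb5 runs, where it logs at debug, and what else may set up the cache."""
    result = {"krb5_types": [], "krb5_debug": [], "other_krb": []}
    for ptype, module, opts in parse_stack(text):
        if module == "pam_krb5.so":
            result["krb5_types"].append(ptype)
            if "debug" in opts:
                result["krb5_debug"].append(ptype)
        elif module in OTHER_KRB_MODULES:
            result["other_krb"].append((ptype, module))
    return result


# Constructed sample: pam_krb5 is only in the session stack, pam_sss handles auth.
SAMPLE = """\
# constructed example, not taken from the reporter's system
auth    [success=2 default=ignore]  pam_sss.so use_first_pass
auth    [success=1 default=ignore]  pam_unix.so nullok try_first_pass
auth    requisite                   pam_deny.so
session optional                    pam_krb5.so minimum_uid=1000 debug
session optional                    pam_sss.so
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE).items():
        print(f"{key}: {value}")
```

An empty `krb5_types` for the `auth` type alongside a non-empty `other_krb` is the situation the reply describes: some other module creates the ticket cache, so pam_krb5's settings never apply to it.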