Your message dated Sun, 22 Feb 2009 05:50:16 +0100
with message-id <[email protected]>
and subject line Re: Bug#516505: libpam-krb5: fails on account when not used
for auth
has caused the Debian Bug report #516505,
regarding libpam-krb5: fails on account when not used for auth
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
516505: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=516505
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-krb5
Version: 3.11-4
Severity: important
Ever since I upgraded to Lenny, I cannot use GSSAPI to log in over SSH, and
the problem seems to be with pam_krb5. When I turn on debug logging on it
through PAM, I get the following messages:
Feb 21 23:25:23 sosumi sshd[2506]: Authorized to fredrik, krb5 principal
[email protected] (krb5_kuserok)
Feb 21 23:25:23 sosumi sshd[2506]: (pam_krb5): none: pam_sm_acct_mgmt: entry
(0x0)
Feb 21 23:25:23 sosumi sshd[2506]: (pam_krb5): none: skipping non-Kerberos login
Feb 21 23:25:23 sosumi sshd[2506]: (pam_krb5): none: pam_sm_acct_mgmt: exit
(failure)
Feb 21 23:25:23 sosumi sshd[2507]: fatal: Access denied for user fredrik by PAM
account configuration
This is weird, though, because looking at the source, it seems it should
work differently. Apparently, it does correctly detect that it was not used
for authentication, and the corresponding part of the source looks like
this:
if (pamret != PAM_SUCCESS || args->ctx == NULL) {
pamret = PAM_IGNORE;
pamk5_debug(args, "skipping non-Kerberos login");
goto done;
}
[...]
done:
EXIT(args, pamret);
pamk5_args_free(args);
return pamret;
}
The EXIT macro looks like this:
#define EXIT(args, pamret) \
pamk5_debug((args), "%s: exit (%s)", __func__, \
((pamret) == PAM_SUCCESS) ? "success" \
: (((pamret) == PAM_IGNORE) ? "ignore" : "failure"))
So, apparently, pamret is set to PAM_IGNORE, but even in spite of that,
the function exits with some pamret different from PAM_SUCCESS or
PAM_IGNORE, even though there's no code in between. I have not yet been
able to find it why, but I will continue debugging.
Additionally, this particular output is from a PPC machine, but the same
thing happens on my i386 machines.
-- System Information:
Debian Release: 5.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.26-1-powerpc
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libpam-krb5 depends on:
ii krb5-config 1.22 Configuration files for Kerberos V
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libkrb53 1.6.dfsg.4~beta1-5 MIT Kerberos runtime libraries
ii libpam0g 1.0.1-5 Pluggable Authentication Modules l
libpam-krb5 recommends no packages.
libpam-krb5 suggests no packages.
-- no debconf information
--- End Message ---
--- Begin Message ---
On Sat, 2009-02-21 at 15:16 -0800, Russ Allbery wrote:
> You're looking at the wrong source code to diagnose a problem with
> lenny.
> The above is the code from 3.12 or later, but lenny released with 3.11,
> which logs ignore (incorrectly) as failure.
Oh, you're right. Apprently apt-get source downloaded 3.13 even though
3.11 is the binary installation candidate. I didn't notice that.
I was just hung up on that. You were right, and my PAM configuration was
a bit broken. I'll close the bug. Sorry for the noise. :)
Fredrik Tolf
--- End Message ---
