[28838] in Kerberos


Re: pam-krb5 3.9 released

daemon@ATHENA.MIT.EDU (Russ Allbery)
Mon Dec 3 14:32:49 2007

To: kerberos@mit.edu
In-Reply-To: <firuf1$tqe$1@ger.gmane.org> (Markus Moeller's message of "Sat\,
	1 Dec 2007 15\:26\:09 -0000")
From: Russ Allbery <rra@stanford.edu>
Date: Mon, 03 Dec 2007 11:32:26 -0800
Message-ID: <87aborh8vp.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

"Markus Moeller" <huaraz@moeller.plus.com> writes:

> I have a problem with pam_sm_setcred when authenticating non local users. I 
> have in my pam file the following
>
> application auth required pam-krb5-3.9 no_ccache
> application account required pam-krb5-3.9 no_ccache
> application session required pam_dummy
>
> to authenticate users of an application with Kerberos. Unfortunately the
> application also uses pam_setcred and pam_sm_open/close_session calls
> and pam_sm_setcred fails because in pam_sm_setcred the pamret =
> pamk5_context_fetch(args) call fails and sets the return code to 24
> (Module specific data not found). You nicely jump over getpwnam when
> no_ccache is selected but I think in the case of no_ccache a failure of
> pamk5_context_fetch shouldn't be fatal.
>
> Can this be changed in the next release?

Yeah, I think this was actually an accident caused by other changes.  I
used to initialize the PAM return value to success.  I think this patch
will do what you want and is correct.  It'll be in the next release.

=== modified file 'api-auth.c'
--- api-auth.c  2007-09-30 08:33:55 +0000
+++ api-auth.c  2007-12-03 19:29:09 +0000
@@ -476,8 +476,10 @@
     }
 
     /* If configured not to create a cache, we have nothing to do. */
-    if (args->no_ccache)
+    if (args->no_ccache) {
+        pamret = PAM_SUCCESS;
         goto done;
+    }
 
     /*
      * Reinitialization requested, which means that rather than creating a new
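
Review bot: The new `pamret = PAM_SUCCESS;` inside the `args->no_ccache` branch overwrites whatever value pamret holds on reaching that point, not only the code 24 from pamk5_context_fetch described in the report. The hunk does not show whether earlier failures in the function already jump to `done` before this check, so please confirm that no other error can fall through to this branch, since it would now be reported as success whenever no_ccache is set. It would also help to extend the comment above the branch to say that a missing context is expected and not fatal with no_ccache, so the reset is not read as an accidental error mask later.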

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
