Skip site navigation (1)Skip section navigation (2) 
Date:      Fri, 11 Feb 2011 14:56:25 GMT
From:      Martin Schweizer  <office@pc-service.ch>
To:        freebsd-gnats-submit@FreeBSD.org
Subject:   kern/154683: Allow pam_krb5 to authenticate no local users for other services
Message-ID:  <201102111456.p1BEuP2Z027794@red.freebsd.org>
Resent-Message-ID: <201102111500.p1BF0Mmm061571@freefall.freebsd.org>
next in thread | raw e-mail | index | archive | help 

>Number:         154683
>Category:       kern
>Synopsis:       Allow pam_krb5 to authenticate no local users for other services
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 11 15:00:22 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Martin Schweizer
>Release:        FreeBSD 8.1
>Organization:
PC-Service M. Schweizer GmbH
>Environment:
FreeBSD acsvfbsd04.acutronic.ch 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Wed Oct 13 2 
23:46:17 CEST 2010     martin@acsvfbsd04.acutronic.ch:/usr/obj/usr/src/sys/GENERIC
>Description:
See also kern/76678

See the history of pam_krb5.c
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libpam/modules/pam_krb5/pam_krb5.c

Since I upgraded from 7.2 to 8.1 it is no more possible to use saslauthd -a pam against a Kerberos system (like Active Directory). I assume since the update was made regarding no_user_check. Before this changes all was working without any problems. 
/var/log/auth shows:
Feb 11 15:27:40 acsvfbsd04 saslauthd[2742]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Feb 11 15:27:40 acsvfbsd04 saslauthd[2742]: DEBUG: auth_pam: pam_acct_mgmt failed: unknown user
Feb 11 15:27:40 acsvfbsd04 saslauthd[2742]: do_auth         : auth failure: [user=username] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]

The entry "unknown user" point me to the idea that PAM checks against the local user base again. After I add the user username to the local user base (adduser username), the authentication works as expected.

Since Kerberos5 in the base system is broken (see http://www.freebsd.org/cgi/query-pr.cgi?pr=151444) there is no more option to authenticate against Active Directory.

>How-To-Repeat:
I used imtest from ports/cyrus-imapd24:
imtest -u username localhost
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted:

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201102111456.p1BEuP2Z027794>