[Bug 971253] Re: only krb5 results in broken common-passwd

Brian J. Murrell brian at interlinx.bc.ca
Tue Apr 3 17:31:38 UTC 2012 

On 12-04-03 12:09 PM, Steve Langasek wrote:
> Ok, this is bug #826989, which is fixed in precise.

Ahh.  OK.  So was the /usr/share/pam-configs/krb5 that I pasted above
what's in libpam-krb5-4.4-1ubuntu1 or not?  If it's not I want to make
sure I am using the one that is shipped.

> libpam-krb5 (4.4-3) unstable; urgency=low
> 
>   * Change the pam-auth-update configuration to skip remaining password
>     stack by default modules if the Kerberos password change succeeds.
>     This is more useful behavior for the common case of Kerberos accounts
>     not having local passwords.  See README.Debian.gz for information
>     about how to synchronize Kerberos and local passwords.  (LP: #826989)

Will this be backported to Oneiric and Lucid?  It should be.  Lucid is
(still current) LTS and Oneiric is current, despite Precise waiting on-deck.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to pam in Ubuntu.
https://bugs.launchpad.net/bugs/971253

Title:
  only krb5 results in broken common-passwd

Status in “pam” package in Ubuntu:
  Fix Released

Bug description:
  Using pam-auth-update if I select only krb5 for authentication (that
  is, unselect pam_unix and pam_ldap if installed) I get a broken
  passwd-common pam file:

  # here are the per-package modules (the "Primary" block)
  password	requisite			pam_krb5.so minimum_uid=1000
  # here's the fallback if no module succeeds
  password	requisite			pam_deny.so
  # prime the stack with a positive return value if there isn't one already;
  # this avoids us returning an error just because nothing sets a success code
  # since the modules above will each just jump around
  password	required			pam_permit.so
  # and here are more per-package modules (the "Additional" block)
  password	optional	pam_gnome_keyring.so 
  password	optional	pam_ecryptfs.so 
  # end of pam-auth-update config

  The problem here is clearly that pam_deny.so immediately follows
  pam_krb5.so with no "goto" option specified on the pam_krb5.so line to
  skip the pam_deny.so line if it's successful.

  ProblemType: Bug
  DistroRelease: LinuxMint 12
  Package: libpam-runtime 1.1.3-2ubuntu2.1
  ProcVersionSignature: Ubuntu 3.0.0-16.29-generic-pae 3.0.20
  Uname: Linux 3.0.0-16-generic-pae i686
  ApportVersion: 1.23-0ubuntu4
  Architecture: i386
  Date: Mon Apr  2 00:04:36 2012
  ProcEnviron:
   PATH=(custom, user)
   LANG=en_CA.UTF-8
   SHELL=/bin/bash
  SourcePackage: pam
  UpgradeStatus: Upgraded to lisa on 2007-04-05 (1823 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam/+bug/971253/+subscriptions

More information about the foundations-bugs mailing list