Bug 156541

Summary: yast-krb5-client fails to add pam_krb5-module to pam.d/common-session
Product: [openSUSE] SUSE LINUX 10.0
Reporter: Reinhard Moosauer <rm>
Component: YaST2
Assignee: Michael Calmer <mc>
Status: RESOLVED DUPLICATE
QA Contact: Klaus Kämpf <kkaempf>
Severity: Normal
Priority: P5 - None
CC: jsuchome, kukuk, schuetzm
Version: Final
Target Milestone: ---
Hardware: i686
OS: SuSE Linux 10.0
Whiteboard:
Found By: Integration Test Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Reinhard Moosauer 2006-03-09 15:57:27 UTC
When activating kerberos in yast,
some changes to the pam-configuration are made.
Unfortunately, yast forgets to add:

session optional  pam_krb5.so

As a result, no krb5-ticket is generated at login-time and user has to
do 'kinit' afterwards. 

Please fix this.
----------------
In /etc/krb5.conf -> appdefaults->pam these extra settings would be fine:
external = sshd
use_shmem = sshd

This is necessary to get full functionality at ssh login.
Thanks,

Reinhard
Comment 1 Jiří Suchomel 2006-03-09 16:13:19 UTC
yast2-kerberos-client doesn't edit any file under /etc/pam.d. 

Michael, could you comment on the /etc/krb5.conf proposal?
Comment 2 Reinhard Moosauer 2006-03-09 16:21:23 UTC
yast2-kerberos-client changes /etc/security/pam_unix2.conf and adds
use_krb5 to auth, account and passwd

BUT not session!
Comment 3 Michael Calmer 2006-03-09 17:01:36 UTC
Adding use_krb5 to session in /etc/security/pam_unix2.conf does not have the same effect as adding

session optional pam_krb5.so 

to /etc/pam.d/common-session. I do not know why. Thorsten?

The other two parameters might be a good idea for the future, but we are a little bit late for this feature now.

See also Bug #154977: It also discusses the problem with no tickets after ssh login. This is more a bug in ssh than in pam or our pam configuration.
Comment 4 Jiří Suchomel 2006-03-10 10:21:01 UTC
Michael, it's for you to decide what to do. Reassign back to me when it is clear.

(btw, the report is for 10.0)
Comment 5 Michael Calmer 2006-03-13 12:21:12 UTC
Well, this bug is for 10.0 and adding new features is not possible.
For future versions we have Bug #154977. So let's close this as a
duplicate.
But I think we need a solution from the openssh team. So it will take some time to fix this.

*** This bug has been marked as a duplicate of 154977 ***
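
An added example, not part of the original bug report or of YaST: a small checker for the condition raised in the description and in comment 3, namely whether /etc/pam.d/common-session contains a session rule for pam_krb5.so. The sample file content and all function names are constructed for illustration.

```python
import re

# Constructed sample of /etc/pam.d/common-session (illustrative content,
# not taken from the bug report): no pam_krb5.so session rule is present.
SAMPLE_COMMON_SESSION = """\
# /etc/pam.d/common-session
session required  pam_limits.so
session required  pam_unix2.so
"""

PAM_TYPES = {"auth", "account", "password", "session"}


def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d file."""
    # Join backslash-continued lines before splitting into rules.
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("@include"):
            continue
        # Optional leading '-', then type, control (word or [bracketed]),
        # module path, and any module arguments.
        m = re.match(r"-?(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m and m.group(1).lower() in PAM_TYPES:
            yield m.group(1).lower(), m.group(2), m.group(3), m.group(4).split()


def krb5_session_rules(text):
    """Return the session rules that load pam_krb5.so (with or without a path)."""
    return [r for r in parse_pam(text)
            if r[0] == "session" and r[2].rsplit("/", 1)[-1] == "pam_krb5.so"]


def audit(text):
    """Summarise whether a session rule for pam_krb5.so is configured."""
    rules = krb5_session_rules(text)
    if not rules:
        return "MISSING: no session rule for pam_krb5.so"
    return "OK: " + ", ".join(f"session {c} {m}" for _, c, m, _ in rules)


if __name__ == "__main__":
    print(audit(SAMPLE_COMMON_SESSION))
```

To check a real system, pass the contents of /etc/pam.d/common-session to `audit()` instead of the constructed sample.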