Re: FC3 Bug Week - HELP WANTED

On Fri, Sep 24, 2004 at 03:07:56PM -0600, Stephen J. Smoogen wrote:
> On Fri, 24 Sep 2004 16:32:01 -0400, Nalin Dahyabhai <nalin redhat com> wrote:
> > On Fri, Sep 24, 2004 at 04:12:00PM -0400, Rik van Riel wrote:
> > > On Fri, 24 Sep 2004, Stephen J Smoogen wrote:
> > >
> > > > Is having pam_krb5 not kill your login process when you have a local
> > > > password and pam_krb5 is listed as optional... a bug or an RFE?
> > >
> > > Not sure.   Nalin ?
> > 
> > In all seriousness, that depends on what you mean by "kill".  Crash?
> > Bug.  Access denied?  If it's a legitimate denial, not a bug because the
> > alternative could be far worse.
> Ok the original bug was 79853. I don't remember closing it.. but it
> looks like I did. I also thought I answered Nalin's question on that
> bug.. but I can't find that either.. my apologies Nalin.

No worries.  It may have happened in a private email, I think we've
exchanged a few of those.

> To give you an answer, I get a hang that does not return and login
> finally kills itself.

Given the configuration file you listed, I'd suspect a network timeout
in the account management check (either attempting to resolve the KDC's
host name, or in contacting the KDC).

Disabling such a check adds the risk of not denying access to someone
for whom access should be denied, so that's not something I can
recommend as a general solution -- unlike the authentication check,
where any module can give the user a thumbs-up, for account management
you need for any module to be able to torpedo the user's login attempt.

The timeouts in libkrb5 aren't adjustable, either, at least not if
you're playing by the rules (and maybe not at all in 1.3 -- I last
looked at this part of it in 1.2), so I don't really have a good answer
for this problem.
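
The difference between the authentication and account management checks described in the message above, as an added example that is not part of the original thread: a simplified model of how Linux-PAM combines module results under the `required`, `requisite`, `sufficient` and `optional` control flags. The stacks and the module results are constructed for illustration, not the configuration from the bug report.

```python
# Simplified model of Linux-PAM control-flag evaluation (added example).
# Stacks and module results below are constructed, not taken from the thread.
OK, FAIL = "success", "failure"

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> OK or FAIL."""
    failed = False      # a 'required' module has failed
    definitive = None   # a required/requisite module has succeeded
    fallback = None     # 'optional' result, used only if nothing else decides
    for control, module in stack:
        res = results[module]
        if control == "requisite":
            if res == FAIL:
                return FAIL              # fail immediately
            definitive = definitive or OK
        elif control == "required":
            if res == FAIL:
                failed = True            # keep going, but the stack will fail
            else:
                definitive = definitive or OK
        elif control == "sufficient":
            if res == OK and not failed:
                return OK                # one thumbs-up is enough
            # a failing 'sufficient' module is ignored
        elif control == "optional":
            fallback = fallback or res
        else:
            raise ValueError(f"unknown control flag: {control}")
    if failed:
        return FAIL
    return definitive or fallback or FAIL

# auth: any module may approve the user.
AUTH = [("sufficient", "pam_krb5"), ("required", "pam_unix")]
# account: every module must be able to veto the login.
ACCOUNT_STRICT = [("required", "pam_unix"), ("required", "pam_krb5")]
# account with pam_krb5 demoted to optional: its veto is silently dropped.
ACCOUNT_LOOSE = [("required", "pam_unix"), ("optional", "pam_krb5")]

if __name__ == "__main__":
    denied_by_krb5 = {"pam_unix": OK, "pam_krb5": FAIL}
    print("auth, local password only:", run_stack(AUTH, denied_by_krb5))
    print("account, strict:", run_stack(ACCOUNT_STRICT, denied_by_krb5))
    print("account, loose: ", run_stack(ACCOUNT_LOOSE, denied_by_krb5))
```

The model covers only how results are combined; a module that blocks on a network timeout still blocks the stack whatever control flag it carries.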



