Problem with kdm4, Kerberos and NFSv4

Hello,

I have configured /etc/pam.d/kde as follows:
Code:
#
# $FreeBSD: tags/RELEASE_10_1_0/security/pam_kde/files/kde 340872 2014-01-24 00:14:07Z mat $
#
# PAM configuration for the "kde" service
#

# auth
auth        sufficient    pam_krb5.so        no_warn try_first_pass
#auth        sufficient    pam_ssh.so        no_warn try_first_pass
auth        required    pam_unix.so        no_warn try_first_pass

# account
account        required    pam_nologin.so
account    required    pam_krb5.so
account        required    pam_unix.so

# session
#session    optional    pam_ssh.so        want_agent
session    required    pam_mkhomedir.so
session        required    pam_permit.so

Other pam.d files are also configured to use Kerberos. NFSv4 file systems are mounted during system boot, and are also configured to use Kerberos.

When I log in from the console I can access these NFSv4 file systems as expected. When I do a klist I get a list of granted tickets. After that I do a kdestroy and start the KDE service with kdm4 onestart. When I log in through kdm4 I cannot access the mounted file systems. When I do a klist, I get the message that the ticket file is not found. Only after a kinit do I get access to the mounted file systems.

It seems as if kdm4 does use the PAM configuration to grant me access, but that the received ticket is not stored in the ticket file. The pam_krb5.so used is the same as is used by the 'normal' login, so the problem seems to be caused by kdm4. I have studied the pam_krb5.so man page, but I cannot find an option that would solve this problem.

Any suggestions on how to fix this?

Thanks.
 
I have enabled debug logging and I think it may be a bug in the way kdm handles PAM. These are the lines in the log just before PAM handling is interrupted:
Code:
Dec  4 17:37:38 myserver kdm: :0[1047]: in pam_sm_acct_mgmt(): Got credentials
Dec  4 17:37:38 myserver kdm: :0[1047]: in pam_sm_acct_mgmt(): Context initialised
Dec  4 17:37:38 myserver kdm: :0[1047]: in pam_sm_acct_mgmt(): Got ccache MEMORY:0x802c164c0
Dec  4 17:37:38 myserver kdm: :0[1047]: in pam_sm_acct_mgmt(): Got principal
Dec  4 17:37:38 myserver kdm: :0[1047]: in pam_sm_acct_mgmt(): Done kuserok()
Dec  4 17:37:38 myserver kdm: :0[1047]: in pam_sm_acct_mgmt(): Done cleanup
Dec  4 17:37:38 myserver kdm: :0[1047]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_acct_mgmt(): success
Dec  4 17:37:38 myserver kdm: :0[1047]: in openpam_dispatch(): calling pam_sm_setcred() in /usr/lib/pam_krb5.so.5
Dec  4 17:37:38 myserver kdm: :0[1047]: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_setcred(): error in service module
When I log in from the console I get more or less the same until pam_sm_setcred(), but in that case the function continues successfully:
Code:
Dec  4 20:42:04 myserver login: in pam_sm_acct_mgmt(): Got credentials
Dec  4 20:42:04 myserver login: in pam_sm_acct_mgmt(): Context initialised
Dec  4 20:42:04 myserver login: in pam_sm_acct_mgmt(): Got ccache MEMORY:0x801831440
Dec  4 20:42:04 myserver login: in pam_sm_acct_mgmt(): Got principal
Dec  4 20:42:04 myserver login: in pam_sm_acct_mgmt(): Done kuserok()
Dec  4 20:42:04 myserver login: in pam_sm_acct_mgmt(): Done cleanup
Dec  4 20:42:04 myserver login: in openpam_dispatch(): /usr/lib/pam_krb5.so.5: pam_sm_acct_mgmt(): success
Dec  4 20:42:04 myserver login: in openpam_dispatch(): calling pam_sm_setcred() in /usr/lib/pam_krb5.so.5
Dec  4 20:42:04 myserver login: in openpam_get_option(): entering: 'no_ccache'
Dec  4 20:42:04 myserver login: in openpam_get_option(): returning NULL
Dec  4 20:42:04 myserver login: in openpam_get_option(): entering: 'no_user_check'
Dec  4 20:42:04 myserver login: in openpam_get_option(): returning NULL
Dec  4 20:42:04 myserver login: in pam_sm_setcred(): Establishing credentials
Dec  4 20:42:04 myserver login: in pam_get_item(): entering: PAM_USER
Dec  4 20:42:04 myserver login: in pam_get_item(): returning PAM_SUCCESS
Dec  4 20:42:04 myserver login: in pam_sm_setcred(): Got user: testuser
more lines follow...

When I look in /usr/src/lib/libpam/modules/pam_krb5/pam_krb5.c the only way this can occur is when pam_sm_setcred() is called with the PAM_ESTABLISH_CRED flag not set.

Is this correct?
 
After further testing and modification I can confirm that this is a problem in either kdm4 or pam_krb5. I modified kde4-workspace-4.11.13/kdm/backend/client.c at line 1545 from:

Code:
    saved_env = environ;
    environ = pam_env;
# endif
    removeCreds = True; /* set it first - i don't trust PAM's rollback */
    pretc = pam_setcred(pamh, 0);
    reInitErrorLog();
# ifndef HAVE_PAM_GETENVLIST
    pam_env = environ;
to
Code:
    saved_env = environ;
    environ = pam_env;
# endif
    removeCreds = True; /* set it first - i don't trust PAM's rollback */
    pretc = pam_setcred(pamh, PAM_ESTABLISH_CRED);
    reInitErrorLog();
# ifndef HAVE_PAM_GETENVLIST
    pam_env = environ;
    environ = saved_env;
And now it works.

The problem is that the function pam_setcred() has no consistent documentation across different platforms. http://www-01.ibm.com/support/knowledgecenter/ssw_aix_61/com.ibm.aix.basetrf1/pam_setcred.htm for example states that PAM_ESTABLISH_CRED is the default when no other option is set, while pam_setcred(3) makes no mention of this.

Should I post this as a bug, and if so, to whom?
 