NetBSD Problem Report #45263
From www@NetBSD.org Thu Aug 18 05:46:01 2011
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [204.152.190.11])
by www.NetBSD.org (Postfix) with ESMTP id B580363CA38
for <gnats-bugs@gnats.NetBSD.org>; Thu, 18 Aug 2011 05:46:00 +0000 (UTC)
Message-Id: <20110818054559.B085763B89A@www.NetBSD.org>
Date: Thu, 18 Aug 2011 05:45:59 +0000 (UTC)
From: idleroux@fastmail.fm
Reply-To: idleroux@fastmail.fm
To: gnats-bugs@NetBSD.org
Subject: [PATCH] mk.conf(5) should warn of the interaction between MKKERBEROS=no and PAM
X-Send-Pr-Version: www-1.0
>Number: 45263
>Category: misc
>Synopsis: [PATCH] mk.conf(5) should warn of the interaction between MKKERBEROS=no and PAM
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: misc-bug-people
>State: closed
>Class: doc-bug
>Submitter-Id: net
>Arrival-Date: Thu Aug 18 05:50:01 +0000 2011
>Closed-Date: Mon Aug 22 02:42:13 +0000 2011
>Last-Modified: Mon Aug 22 02:42:13 +0000 2011
>Originator: Ian D. Leroux
>Release: NetBSD/amd64-5.99.55
>Organization:
Aarhus Universitet
>Environment:
NetBSD scrameustache.dyndns.org 5.99.55 NetBSD 5.99.55 (SCRAMEUSTACHE) #1: Sat Jul 30 10:04:27 CEST 2011 idleroux@scrameustache.dyndns.org:/build/obj/sys/arch/amd64/compile/SCRAMEUSTACHE amd64
>Description:
As discussed in PR 40599 and in the recent subthread beginning at
http://mail-index.netbsd.org/current-users/2011/08/11/msg017330.html,
setting MKKERBEROS=no breaks the default PAM stacks, which fail if pam_ksu.so and pam_krb5.so cannot be found. Among other things, this means that a system built with MKKERBEROS=no does not, by default, allow any logins.
The proper fix for this is still a subject of debate, and may take some time. Meanwhile, the user should be warned that setting MKKERBEROS=no requires adjustments to their PAM configuration.
>How-To-Repeat:
man mk.conf
>Fix:
--- mk.conf.5.orig 2011-08-18 07:09:08.000000000 +0200
+++ mk.conf.5 2011-08-18 07:26:53.000000000 +0200
@@ -424,6 +424,13 @@
.YorN
Indicates whether the Kerberos v5 infrastructure
(libraries and support programs) is built and installed.
+Note that the default configuration for PAM relies on the Kerberos
+modules pam_ksu.so and pam_krb5.so. Do not install a userland
+built with
+.Sy MKKERBEROS=yes
+before adjusting the PAM configuration appropriately
+(see
+.Xr pam.conf 5 ).
.DFLTy
.
.It Sy MKKMOD
>Release-Note:
>Audit-Trail:
From: "David A. Holland" <dholland@netbsd.org>
To: gnats-bugs@gnats.NetBSD.org
Cc:
Subject: PR/45263 CVS commit: src/share/man/man5
Date: Mon, 22 Aug 2011 02:37:15 +0000
Module Name: src
Committed By: dholland
Date: Mon Aug 22 02:37:15 UTC 2011
Modified Files:
src/share/man/man5: mk.conf.5
Log Message:
Until someone figures out a fix for PR 40599, document that MKKERBEROS=no
will break the system without either MKPAM=no or a customized PAM config.
As suggested by Ian D. Leroux on current-users and in PR 45263, but with
different text.
To generate a diff of this commit:
cvs rdiff -u -r1.56 -r1.57 src/share/man/man5/mk.conf.5
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
State-Changed-From-To: open->closed
State-Changed-By: dholland@NetBSD.org
State-Changed-When: Mon, 22 Aug 2011 02:42:13 +0000
State-Changed-Why:
good idea, thanks
>Unformatted:
(Contact us)
$NetBSD: query-full-pr,v 1.39 2013/11/01 18:47:49 spz Exp $
$NetBSD: gnats_config.sh,v 1.8 2006/05/07 09:23:38 tsutsui Exp $
Copyright © 1994-2007
The NetBSD Foundation, Inc. ALL RIGHTS RESERVED.