Kerberos broken for ksu (MIT 1.11.3, YaST package): distro problem, solved

Installed kerberos5 and successfully configured a KDC on a server using the YaST krb5 module; this turned out to be a distro problem with openSUSE 13.1.

SUMMARY: Missing PAM file /etc/pam.d/ksu, and the wrong ticket cache type (DIR instead of FILE) in KRB5CCNAME.

Background

Using some old SUSE how-tos:

http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.net.kerberos.html#sec.kerbadmin.kdc.princ

Though the majority of the installation worked, the system refused to authorise ksu sessions.

This was the typical output from a failed ksu:

  1. Running ksu:
    account1@dc2:~> ksu
    WARNING: Your password may be exposed if you enter it here and are logged
    in remotely using an unsecure (non-encrypted) channel.
    Kerberos password for account1/root@UNIX1.FOREST1.POC.NET: :
    Authenticated account1/root@UNIX1.FOREST1.POC.NET
    Access denied for root.

  2. Using “journalctl -f” the following errors could be seen:
    Feb 11 18:20:03 dc2 slapd[1661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
    Feb 11 18:20:03 dc2 ksu[13086]: ‘ksu root’ authenticated account1/root@UNIX1.FOREST1.POC.NET for account1 on /dev/pts/5
    Feb 11 18:20:03 dc2 ksu[13086]: pam_warn(ksu:account): function=[pam_sm_acct_mgmt] service=[ksu] terminal=[/dev/pts/5] user=[root] ruser=[account1] rhost=<unknown>]

Scouring the forums I could find no solution, but the problem was twofold:

  1. klist showed part of the problem, with a reference to a DIR ticket cache:
    account1@dc2:~> klist
    Ticket cache: DIR::/run/user/1000/krb5cc/tktRIM8Eb
    Default principal: account1@UNIX1.FOREST1.POC.NET

    Valid starting       Expires              Service principal
    11/02/14 18:20:22    12/02/14 01:00:22    krbtgt/UNIX1.FOREST1.POC.NET@UNIX1.FOREST1.POC.NET

The realisation was that ksu was not picking up the cached credentials, hence the prompt for a password: the reference to the cache used the wrong cache type, DIR, where ksu expects FILE.

To correct this:
    account1@dc2:~> export KRB5CCNAME=FILE:/run/user/1000/krb5cc/tktRIM8Eb
    account1@dc2:~> klist
    Ticket cache: FILE:/run/user/1000/krb5cc/tktRIM8Eb
    Default principal: account1@UNIX1.FOREST1.POC.NET

    Valid starting       Expires              Service principal
    11/02/14 18:20:22    12/02/14 01:00:22    krbtgt/UNIX1.FOREST1.POC.NET@UNIX1.FOREST1.POC.NET

    account1@dc2:~> ksu
    Authenticated account1/root@UNIX1.FOREST1.POC.NET
    **Access denied for root.** <--- ksu now finds the cache file and stops prompting, but access is still denied

  2. Now the problem was the “access denied”. Looking at the logs, some evidence pointed to the PAM files, with a direction to look at the “su-l” configuration:
    dc2 su: pam_unix(**su-l:**session): session closed for user root
    dc2 su: pam_systemd(**su-l:**session): pam_putenv: delete non-existent entry; XDG_RUNTIME_DIR
    dc2 su: pam_unix(**su-l:**auth): authentication failure; logname=

This was indicative, but it sent the investigation around the houses looking at the PAM modules:
    dc2:/etc/pam.d # ls
    atd common-account-pc common-password-pc cups login quagga su-l vmtoolsd
    chage common-account.pam-config-backup common-password.pam-config-backup groupadd newusers remote sudo vmtoolsd.rpmnew
    chfn common-auth common-session groupdel other samba systemd-user xdm
    chpasswd common-auth-pc common-session-pc groupmod passwd smtp useradd xdm-np
    chsh common-auth.pam-config-backup common-session.pam-config-backup init polkit-1 sshd userdel
    common-account common-password crond k5backup ppp su usermod

    Feb 11 18:51:13 dc2 ksu[13610]: ‘ksu root’ authenticated account1/root@UNIX1.FOREST1.POC.NET for account1 on /dev/pts/7
    Feb 11 18:51:13 dc2 slapd[1661]: daemon: epoll: listen=8 active_threads=0 tvp=zero
    Feb 11 18:51:13 dc2 ksu[13610]: **pam_warn(ksu:account):** function=[pam_sm_acct_mgmt] service=[ksu] terminal=[/dev/pts/7] user=[root] ruser=[account1] rhost=<unknown>]

SOLUTION was a missing link or file for a PAM service called ksu, which ties in with the pam_warn(ksu:account) warning above:
    dc2:/etc/pam.d # ln -s su-l ksu
    dc2:/etc/pam.d # ls -la ksu
    lrwxrwxrwx 1 root root 4 Feb 11 21:31 ksu -> su-l
    dc2:/etc/pam.d # cat su-l
    #%PAM-1.0
    auth     sufficient pam_rootok.so
    auth     include    common-auth
    account  sufficient pam_rootok.so
    account  include    common-account
    password include    common-password
    session  include    common-session
    session  optional   pam_xauth.so

**Now everything works**
    account1@dc2:~> export KRB5CCNAME=FILE:/run/user/1000/krb5cc/tktRIM8Eb
    account1@dc2:~> ksu
    Authenticated account1/root@UNIX1.FOREST1.POC.NET
    Account root: authorization for account1/root@UNIX1.FOREST1.POC.NET successful
    Changing uid to root (0)
    dc2:/home/account1 #

The PAM modules were installed using the above how-to and
    pam-config --add --krb5
This pam-config run did not install the ksu file or link.

Conclusion: distro problem with krb5 >:)

Further workaround: edit your shell profile (~/.bashrc) and add the following at the end, after the SUSE sample header:

    # Sample .bashrc for SuSE Linux
    # Copyright (c) SuSE GmbH Nuernberg
    #
    # There are 3 different types of shells in bash: the login shell, normal shell
    # and interactive shell. Login shells read ~/.profile and interactive shells
    # read ~/.bashrc; in our setup, /etc/profile sources ~/.bashrc - thus all
    test -s ~/.alias && . ~/.alias || true
    # Take the path out of the "Ticket cache: DIR::/path" line that klist prints
    # (field 4 when split on ":") and point KRB5CCNAME at that file using the
    # FILE: type, which is the form ksu 1.11.3 understands. The command
    # substitution $(...) is required; a bare "CC=klist | grep ..." never sets CC.
    CC=$(klist | grep Ticket | awk -F: '{print $4}')
    export KRB5CCNAME=FILE:$CC
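As an added example (not from the original post, nor from the krb5 or openSUSE packages), the POSIX shell script below turns both fixes into checkable functions: a parser that maps the "Ticket cache:" line klist prints to a FILE: cache name, handling the DIR::<path> form from the post as well as a plain FILE:<path> cache and refusing cache types that have no backing file, plus a check that a PAM service file for ksu exists, creating the same "ksu -> su-l" symlink the post used when it is missing. Function names, the pam.d directory argument and the sample klist text are this example's own constructions.

```shell
#!/bin/sh
# Added example, not part of the original post or of the krb5/openSUSE packages.
# All function names below are this example's own choices.

# Map one "Ticket cache:" line from klist to a FILE: cache name.
# Prints nothing and returns 1 when the cache type has no backing file
# (KEYRING:, KCM:, ...), so callers never export a bogus KRB5CCNAME.
krb5_file_cache_from_line() {
    dir_prefix='Ticket cache: DIR::'
    file_prefix='Ticket cache: FILE:'
    case $1 in
        "$dir_prefix"*)  printf 'FILE:%s\n' "${1#"$dir_prefix"}" ;;
        "$file_prefix"*) printf 'FILE:%s\n' "${1#"$file_prefix"}" ;;
        *)               return 1 ;;
    esac
}

# Read full klist output on stdin and print the FILE: name of its cache.
krb5_file_cache_from_klist() {
    while IFS= read -r line; do
        case $line in
            "Ticket cache: "*) krb5_file_cache_from_line "$line"; return $? ;;
        esac
    done
    return 1
}

# Export KRB5CCNAME for the calling shell. Safe in ~/.bashrc: the variable
# is left untouched when klist is missing or reports no usable cache.
krb5_export_file_cache() {
    cc=$(klist 2>/dev/null | krb5_file_cache_from_klist) || return 1
    export KRB5CCNAME=$cc
}

# Ensure a PAM service file for ksu exists in the given pam.d directory
# (default /etc/pam.d). Returns 0 when present or created, 2 when su-l,
# the link target used in the post, is absent so nothing sensible can be linked.
pam_ksu_ensure() {
    pamdir=${1:-/etc/pam.d}
    [ -e "$pamdir/ksu" ] && return 0
    [ -f "$pamdir/su-l" ] || return 2
    ln -s su-l "$pamdir/ksu"
}

# Constructed sample of the klist output quoted in the post, for offline use.
SAMPLE_KLIST='Ticket cache: DIR::/run/user/1000/krb5cc/tktRIM8Eb
Default principal: account1@UNIX1.FOREST1.POC.NET'
```

Source the file from ~/.bashrc and call krb5_export_file_cache to get the workaround from the post without the fragile awk field index; run pam_ksu_ensure as root (with no argument) to verify or restore /etc/pam.d/ksu after a package update.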