SCIENTIFIC-LINUX-USERS Archives

March 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

From: Connie Sieh <[log in to unmask]>
Date: Tue, 28 Mar 2006 09:56:35 -0600

On Tue, 28 Mar 2006, C. Ray Ng wrote:

> C. Ray Ng wrote:
> 
> > I was puzzled by the same pam_krb5_afs.so line in SL4 which doesn't seem to hurt,
> > but now under a more careful look, it was preceded with "pam_succeed_if.so", like:
> >
> > account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
> 
> We also made some comparison between Red Hat Enterprise 3 and Scientific Linux 3,
> after knowing that it is something related to enabling Kerberos or AFS.
> 
> Comparing two typical EL3 and SL3, we found:
> 
> [rhel3]# rpm -qf /etc/redhat-release; rpm -q authconfig pam pam_krb5 vixie-cron
> redhat-release-3WS-13.7.3
> authconfig-4.3.7-3
> pam-0.75-67
> pam_krb5-1.77-1
> vixie-cron-4.1-10.EL3
> 
> [sl304]# rpm -qf /etc/redhat-release; rpm -q authconfig pam pam_krb5 vixie-cron
> sl-release-3.0.4-7.4
> authconfig-4.3.7-1
> pam-0.75-62
> pam_krb5-1.73-1
> vixie-cron-4.1-10.EL3
> 
> Ignoring the build version, it seems that pam_krb5 in SL3 is the only
> package that is behind EL3. So we searched for an updated version of pam_krb5
> and found one in
> ftp://linux.fnal.gov/linux/scientific/305/i386/errata/bugfix/RPMS/pam_krb5-1.77-1.i386.rpm
> 
> Most of our machines are running SL304 instead of 305, but the rpm was installed
> and ran fine. This is, IMHO, a better solution than using a site-specific
> authconfig and removal of the krb5 line in /etc/pam.d/system-auth.
> 
> The bugfix section in SL305 is not enabled by default in the yum.conf, so
> one would have to enable sl305bugfix in /etc/yum.conf, plus of course,
> picking up all other bugfix rpms along the way. And older versions of SL
> will have to do it by hand, i.e. outside the control of yum.
> 
> The vixie-cron release is considered a security update, and it is now
> also "pam-aware", making it depend on pam, pam_krb5 etc. Shouldn't
> it make sense to promote pam_krb5 as a security update instead of bugfix?
> 

If it will fix the problem, sure.  The problem is that we did not know we
needed to do that, as the new vixie-cron did not have a dependency on the
newer pam_krb5.  Clearly it should if this resolves the issue.

> Maintaining the on-going updates on various versions and trying to make
> running systems as stable as possible is really difficult, and we
> can't say enough to thank people at Fermi Lab for all their hard work,
> greatly appreciated.

Thanks.

> 
> 
> Ray
> ---
> C. Ray Ng                      email: crn1 at cornell dot edu
> Cornell University             phone: 607-255-4882
> 

-Connie Sieh
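
The package comparison described in the quoted message, as an added example that is not part of the original thread: it takes the two `rpm -q` listings quoted above and reports which SL304 packages trail RHEL3 by upstream version and which only by release. The function names and the simplified version comparison (no epoch, `~` or `^` handling) are assumptions of this sketch, not rpm's own code.

```python
import re

# Package lists copied from the `rpm -q` output quoted in the message above.
RHEL3 = ["authconfig-4.3.7-3", "pam-0.75-67", "pam_krb5-1.77-1", "vixie-cron-4.1-10.EL3"]
SL304 = ["authconfig-4.3.7-1", "pam-0.75-62", "pam_krb5-1.73-1", "vixie-cron-4.1-10.EL3"]

def split_nvr(nvr):
    """Split 'name-version-release' on the last two hyphens (names may contain '-')."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release

def vercmp(a, b):
    """Simplified rpmvercmp (assumption: no epochs, '~' or '^' in the data).
    Digit runs compare numerically, letter runs lexically, and a digit run
    outranks a letter run. Returns -1, 0 or 1."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with more segments is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def behind(local, reference):
    """Map each package in `local` that is older than in `reference` to
    'version' (upstream version older) or 'release' (same version, older build)."""
    ref = {n: (v, r) for n, v, r in map(split_nvr, reference)}
    result = {}
    for name, ver, rel in map(split_nvr, local):
        if name not in ref:
            continue
        ref_ver, ref_rel = ref[name]
        if vercmp(ver, ref_ver) < 0:
            result[name] = "version"
        elif vercmp(ver, ref_ver) == 0 and vercmp(rel, ref_rel) < 0:
            result[name] = "release"
    return result

if __name__ == "__main__":
    for name, kind in behind(SL304, RHEL3).items():
        print(f"{name}: behind by {kind}")
```
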
