On Tue, 28 Mar 2006, C. Ray Ng wrote:
> C. Ray Ng wrote:
>
> > I was puzzled by the same pam_krb5_afs.so line in SL4, which doesn't
> > seem to hurt,
> > but now, under a more careful look, it was preceded with
> > "pam_succeed_if.so", like:
> >
> > account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> > account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so
>
> We also made some comparisons between Red Hat Enterprise 3 and Scientific
> Linux 3,
> after learning that it is something related to enabling Kerberos or AFS.
>
> Comparing two typical EL3 and SL3, we found:
>
> [rhel3]# rpm -qf /etc/redhat-release; rpm -q authconfig pam pam_krb5 vixie-cron
> redhat-release-3WS-13.7.3
> authconfig-4.3.7-3
> pam-0.75-67
> pam_krb5-1.77-1
> vixie-cron-4.1-10.EL3
>
> [sl304]# rpm -qf /etc/redhat-release; rpm -q authconfig pam pam_krb5 vixie-cron
> sl-release-3.0.4-7.4
> authconfig-4.3.7-1
> pam-0.75-62
> pam_krb5-1.73-1
> vixie-cron-4.1-10.EL3
>
> Ignoring the build version, it seems that pam_krb5 in SL3 is the only
> package that is behind EL3. So we searched for an updated version of pam_krb5
> and found one in
> ftp://linux.fnal.gov/linux/scientific/305/i386/errata/bugfix/RPMS/pam_krb5-1.77-1.i386.rpm
>
> Most of our machines are running SL304 instead of 305, but the rpm was installed
> and ran fine. This is, IMHO, a better solution than using a site-specific
> authconfig and removal of the krb5 line in /etc/pam.d/system-auth.
>
> The bugfix section in SL305 is not enabled by default in the yum.conf, so
> one would have to enable sl305bugfix in /etc/yum.conf, plus, of course,
> pick up all other bugfix rpms along the way. And older versions of SL
> will have to do it by hand, i.e. outside the control of yum.
>
> The vixie-cron release is considered a security update, and it is now
> also "pam-aware", making it depend on pam, pam_krb5 etc. Shouldn't
> it make sense to promote pam_krb5 as a security update instead of bugfix?
>
If it will fix the problem, sure. Problem is that we did not know we
needed to do that, as the new vixie-cron did not have a dependency on the
newer pam_krb5. Clearly it should if this resolves the issue.
> Maintaining the ongoing updates on various versions and trying to make
> running systems as stable as possible is really difficult, and we
> can't say enough to thank people at Fermi Lab for all their hard work,
> greatly appreciated.
Thanks.
>
>
> Ray
> ---
> C. Ray Ng email: crn1 at cornell dot edu
> Cornell University phone: 607-255-4882
>
-Connie Sieh
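
The two SL4 `account` lines quoted earlier in this thread, walked through the way libpam evaluates control flags. This is an added example, not part of either message and not code from Scientific Linux or Linux-PAM; the function names are hypothetical, the result assumed for pam_krb5afs.so is a constructed input, and only the two quoted lines are modelled (a real system-auth contains more).

```python
# Added illustration: a reduced model of how libpam walks an "account" stack.
# The pam_krb5afs.so return codes passed in are constructed inputs, not captured output.

# Control-flag shorthands expanded to their documented bracket form.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}

# The two account lines quoted in the thread (module paths shortened).
SL4_ACCOUNT = """\
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_krb5afs.so
"""

def parse_stack(text):
    """Return [(actions, module, args)] for each line of a PAM stack."""
    stack = []
    for line in text.splitlines():
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            actions = SHORTHAND[ctl]
        module, *args = rest.split()
        stack.append((actions, module, args))
    return stack

def succeed_if(args, uid):
    """Model only the 'uid < N' test used in the quoted line."""
    return "success" if uid < int(args[2]) else "auth_err"

def evaluate(stack, uid, krb5_result):
    """Walk the stack; krb5_result is what pam_krb5afs.so is assumed to return."""
    failed = passed = False
    for actions, module, args in stack:
        ret = succeed_if(args, uid) if module == "pam_succeed_if.so" else krb5_result
        action = actions.get(ret, actions["default"])
        if action == "bad":
            failed = True
        elif action in ("ok", "done"):
            passed = True
            if action == "done":
                break
    # libpam also fails a stack in which no module returned success.
    return passed and not failed
```

With these two lines, an account with uid below 100 never reaches pam_krb5afs.so, while for any other account every pam_krb5afs.so result except success or user_unknown fails the account check.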