SCIENTIFIC-LINUX-USERS Archives

March 2006

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
"C. Ray Ng" <[log in to unmask]>
Reply To:
C. Ray Ng
Date:
Tue, 28 Mar 2006 10:39:34 -0500
C. Ray Ng wrote:

> I was puzzled by the same pam_krb5_afs.so line in SL4 which doesn't seem to hurt,
> but now under a more careful look, it was preceded with "pam_succeed_if.so", like:
>
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5afs.so

We also made some comparisons between Red Hat Enterprise 3 and Scientific
Linux 3, after learning that it is something related to enabling Kerberos or AFS.

Comparing two typical EL3 and SL3, we found:

[rhel3]# rpm -qf /etc/redhat-release; rpm -q authconfig pam pam_krb5 vixie-cron
redhat-release-3WS-13.7.3
authconfig-4.3.7-3
pam-0.75-67
pam_krb5-1.77-1
vixie-cron-4.1-10.EL3

[sl304]# rpm -qf /etc/redhat-release; rpm -q authconfig pam pam_krb5 vixie-cron
sl-release-3.0.4-7.4
authconfig-4.3.7-1
pam-0.75-62
pam_krb5-1.73-1
vixie-cron-4.1-10.EL3

Ignoring the build version, it seems that pam_krb5 in SL3 is the only
package that is behind EL3. So we searched for an updated version of pam_krb5
and found one at
ftp://linux.fnal.gov/linux/scientific/305/i386/errata/bugfix/RPMS/pam_krb5-1.77-1.i386.rpm

Most of our machines are running SL304 instead of 305, but the rpm was installed
and ran fine. This is, IMHO, a better solution than using a site-specific
authconfig and removal of the krb5 line in /etc/pam.d/system-auth.

The bugfix section in SL305 is not enabled by default in the yum.conf, so
one would have to enable sl305bugfix in /etc/yum.conf, plus of course,
picking up all other bugfix rpms along the way. And older versions of SL
will have to do it by hand, i.e. outside the control of yum.

The vixie-cron release is considered a security update, and it is now
also "pam-aware", making it depend on pam, pam_krb5, etc. Shouldn't
it make sense to promote pam_krb5 as a security update instead of a bugfix?

Maintaining the ongoing updates on various versions and trying to make
running systems as stable as possible is really difficult, and we
can't say enough to thank the people at Fermi Lab for all their hard work,
greatly appreciated.


Ray
---
C. Ray Ng                      email: crn1 at cornell dot edu
Cornell University             phone: 607-255-4882
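
The version comparison described in the message above, as an added example that is not part of the original post: a shell function that takes two `rpm -q` listings and reports packages whose upstream version lags, ignoring the release (build) field. The function name `lagging_packages` and the dotted-numeric comparison (a simplification of rpm's own version ordering) are assumptions of this example; the sample listings are copied from the message.

```shell
#!/bin/sh
# Sample input: the two `rpm -q` listings quoted in the message.
RHEL3_PKGS='authconfig-4.3.7-3
pam-0.75-67
pam_krb5-1.77-1
vixie-cron-4.1-10.EL3'

SL304_PKGS='authconfig-4.3.7-1
pam-0.75-62
pam_krb5-1.73-1
vixie-cron-4.1-10.EL3'

# lagging_packages REFERENCE CANDIDATE   (hypothetical helper name)
# Prints "name candidate_version reference_version" for every package whose
# version in CANDIDATE is older than in REFERENCE. Release differences
# (the part after the last hyphen) are deliberately ignored.
lagging_packages() {
    printf '%s\n---\n%s\n' "$1" "$2" | awk '
        # Split name-version-release from the right, because package
        # names such as vixie-cron contain hyphens themselves.
        function parse(nvr,   n, parts, i) {
            n = split(nvr, parts, "-")
            if (n < 3) return 0
            name = parts[1]
            for (i = 2; i <= n - 2; i++) name = name "-" parts[i]
            ver = parts[n - 1]
            return 1
        }
        # Assumption: versions are dotted numbers. Returns 1 when a < b,
        # comparing segment by segment so that 1.10 sorts after 1.9.
        function older(a, b,   x, y, na, nb, i) {
            na = split(a, x, "."); nb = split(b, y, ".")
            for (i = 1; i <= na || i <= nb; i++)
                if ((x[i] + 0) != (y[i] + 0)) return (x[i] + 0) < (y[i] + 0)
            return 0
        }
        $0 == "---" { second = 1; next }      # separator between listings
        !parse($0)  { next }                  # skip blank or malformed lines
        !second     { ref[name] = ver; next } # first listing is the reference
        (name in ref) && older(ver, ref[name]) { print name, ver, ref[name] }
    '
}

lagging_packages "$RHEL3_PKGS" "$SL304_PKGS"
```

On live hosts the two arguments would be the output of `rpm -q authconfig pam pam_krb5 vixie-cron` captured on each machine.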
