From nobody@FreeBSD.org  Thu Sep 28 02:44:37 2006
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 3B11316A412
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Sep 2006 02:44:37 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (www.freebsd.org [216.136.204.117])
	by mx1.FreeBSD.org (Postfix) with ESMTP id B6BF443D4C
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Sep 2006 02:44:36 +0000 (GMT)
	(envelope-from nobody@FreeBSD.org)
Received: from www.freebsd.org (localhost [127.0.0.1])
	by www.freebsd.org (8.13.1/8.13.1) with ESMTP id k8S2iaVm047711
	for <freebsd-gnats-submit@FreeBSD.org>; Thu, 28 Sep 2006 02:44:36 GMT
	(envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
	by www.freebsd.org (8.13.1/8.13.1/Submit) id k8S2iarS047710;
	Thu, 28 Sep 2006 02:44:36 GMT
	(envelope-from nobody)
Message-Id: <200609280244.k8S2iarS047710@www.freebsd.org>
Date: Thu, 28 Sep 2006 02:44:36 GMT
From: ryan <zi@zi0r.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: When using tac_plus and pam_krb5, one does not always want pam_krb5 to verify that a local account exists.
X-Send-Pr-Version: www-2.3

>Number:         103732
>Category:       bin
>Synopsis:       When using tac_plus and pam_krb5, one does not always want pam_krb5 to verify that a local account exists.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Thu Sep 28 02:50:18 GMT 2006
>Closed-Date:    Fri Sep 29 07:17:08 GMT 2006
>Last-Modified:  Fri Sep 29 07:17:08 GMT 2006
>Originator:     ryan
>Release:        6.1-RELEASE-p6
>Organization:
>Environment:
FreeBSD XXX.rit.edu 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #2: Mon Sep 18 07:49:55 EDT 2006     zi@XXX.rit.edu:/usr/obj/usr/src/sys/XXX  i386
>Description:
When using tac_plus4 to authenticate against a kdc, one does not always want to have to create a local account in order for authentication to succeed.

By applying the patch below to /usr/src/lib/libpam/modules/pam_krb5/pam_krb5.c, you can then append "no_checkuser" to the end of your krb5 line in your pam config, which will cause the portion of the code that checks for a local account to be skipped.

Changes were only made to pam_sm_authenticate(); however, pam_sm_setcred() also checks to see if a local account exists by attempting to obtain the uid of the account.

I'm uncertain if this is the best way to implement a fix; however, it appears to work fine for what I am doing with tac_plus4.
>How-To-Repeat:
Install the tac_plus4 port and configure your tac_plus user accounts to use pam.

Create a /etc/pam.d/tac_plus file and add in the example pam_krb5 lines from one of the other pam files.

Attempt to authenticate against tac_plus with an account that does not exist on the local machine but will successfully authenticate via kinit or the like. Authentication will fail, as the local account does not exist.
>Fix:
--- pam_krb5.c  Thu Jul  7 10:16:38 2005
+++ /tmp/pam_krb5.c     Wed Sep 27 22:21:26 2006
@@ -90,6 +90,7 @@
 #define PAM_OPT_FORWARDABLE    "forwardable"
 #define PAM_OPT_NO_CCACHE      "no_ccache"
 #define PAM_OPT_REUSE_CCACHE   "reuse_ccache"
+#define PAM_OPT_NO_USERCHECK   "no_usercheck"
 
 /*
  * authentication management
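Review bot: the option string defined here, "no_usercheck", does not match the name the description tells users to append to their krb5 line, "no_checkuser" (which is also the spelling used for the label in the third hunk); pick one spelling for the #define, the label and the description, and document the new option next to the existing ones (forwardable, no_ccache, reuse_ccache) in the module's man page, since an undocumented option that disables a check is easy to misuse.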
@@ -194,6 +195,9 @@
 
        PAM_LOG("Got password");
 
+       if (openpam_get_option(pamh, PAM_OPT_NO_USERCHECK)) {
+               PAM_LOG("Skipping local user checks");
+               goto no_checkuser;
+       }
+
        /* Verify the local user exists (AFTER getting the password) */
        if (strchr(user, '@')) {
                /* get a local account name for this principal */
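Review bot: the goto jumps over the entire local-user block, including the branch right below it that derives a local account name when `user` contains '@' and the getpwnam() call whose completion is logged further down, so a principal such as user@REALM reaches the TGT request without ever being mapped to a local name and without a getpwnam() result; whatever follows the label must cope with those values being unset, and, as the description itself notes, pam_sm_setcred() still looks up the uid, so a Kerberos-only principal will pass authentication here and then fail in setcred unless that path honours the option as well. Wrapping the check in `if (!openpam_get_option(pamh, PAM_OPT_NO_USERCHECK)) { ... }` would avoid the goto and the label entirely.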
@@ -222,6 +226,9 @@
 
        PAM_LOG("Done getpwnam()");
 
+
+no_checkuser:
+
        /* Get a TGT */
        memset(&creds, 0, sizeof(krb5_creds));
        krbret = krb5_get_init_creds_password(pam_context, &creds, princ,
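Review bot: the two added blank `+` lines around `no_checkuser:` leave three consecutive blank lines before the label and two after it; one blank line on each side is enough. The label name also differs from the option string "no_usercheck" defined in the first hunk, so align the two. Placing the label immediately before "Get a TGT" confirms that the getpwnam() result logged at "Done getpwnam()" is bypassed completely on this path, which is worth stating explicitly in the description and the option's documentation.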
>Release-Note:
>Audit-Trail:

From: Andrew Thompson <thompsa@freebsd.org>
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: bin/103732: When using tac_plus and pam_krb5, one does not always want pam_krb5 to verify that a local account exists.
Date: Thu, 28 Sep 2006 14:59:38 +1200

Same as kern/76678
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Fri Sep 29 07:16:51 UTC 2006 
State-Changed-Why:  
Duplicate of kern/76678. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=103732 
>Unformatted:
