From owner-freebsd-bugs@FreeBSD.ORG  Fri Feb 11 15:00:23 2011
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 3FF561065672
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 11 Feb 2011 15:00:23 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org
	[IPv6:2001:4f8:fff6::28])
	by mx1.freebsd.org (Postfix) with ESMTP id 01CD48FC19
	for <freebsd-bugs@hub.freebsd.org>;
	Fri, 11 Feb 2011 15:00:23 +0000 (UTC)
Received: from freefall.freebsd.org (localhost [127.0.0.1])
	by freefall.freebsd.org (8.14.4/8.14.4) with ESMTP id p1BF0M1I061591
	for <freebsd-bugs@freefall.freebsd.org>; Fri, 11 Feb 2011 15:00:22 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.14.4/8.14.4/Submit) id p1BF0Mmm061571;
	Fri, 11 Feb 2011 15:00:22 GMT (envelope-from gnats)
Resent-Date: Fri, 11 Feb 2011 15:00:22 GMT
Resent-Message-Id: <201102111500.p1BF0Mmm061571@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Martin Schweizer  <office@pc-service.ch>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 7EB7710656AA
	for <freebsd-gnats-submit@FreeBSD.org>;
	Fri, 11 Feb 2011 14:56:26 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 6D9698FC32
	for <freebsd-gnats-submit@FreeBSD.org>;
	Fri, 11 Feb 2011 14:56:26 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id p1BEuPXi027795
	for <freebsd-gnats-submit@FreeBSD.org>; Fri, 11 Feb 2011 14:56:25 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id p1BEuP2Z027794;
	Fri, 11 Feb 2011 14:56:25 GMT (envelope-from nobody)
Message-Id: <201102111456.p1BEuP2Z027794@red.freebsd.org>
Date: Fri, 11 Feb 2011 14:56:25 GMT
From: Martin Schweizer  <office@pc-service.ch>
To: freebsd-gnats-submit@FreeBSD.org
X-Send-Pr-Version: www-3.1
Cc: 
Subject: kern/154683: Allow pam_krb5 to authenticate no local users for
	other services
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Feb 2011 15:00:23 -0000


>Number:         154683
>Category:       kern
>Synopsis:       Allow pam_krb5 to authenticate no local users for other services
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Feb 11 15:00:22 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Martin Schweizer
>Release:        FreeBSD 8.1
>Organization:
PC-Service M. Schweizer GmbH
>Environment:
FreeBSD acsvfbsd04.acutronic.ch 8.1-RELEASE FreeBSD 8.1-RELEASE #2: Wed Oct 13 2 
23:46:17 CEST 2010     martin@acsvfbsd04.acutronic.ch:/usr/obj/usr/src/sys/GENERIC
>Description:
See also kern/76678

See the history of pam_krb5.c
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libpam/modules/pam_krb5/pam_krb5.c

Since I upgraded from 7.2 to 8.1 it is no more possible to use saslauthd -a pam against a Kerberos system (like Active Directory). I assume since the update was made regarding no_user_check. Before this changes all was working without any problems. 
/var/log/auth shows:
Feb 11 15:27:40 acsvfbsd04 saslauthd[2742]: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): Key table entry not found
Feb 11 15:27:40 acsvfbsd04 saslauthd[2742]: DEBUG: auth_pam: pam_acct_mgmt failed: unknown user
Feb 11 15:27:40 acsvfbsd04 saslauthd[2742]: do_auth         : auth failure: [user=username] [service=imap] [realm=] [mech=pam] [reason=PAM acct error]

The entry "unknown user" point me to the idea that PAM checks against the local user base again. After I add the user username to the local user base (adduser username), the authentication works as expected.

Since Kerberos5 in the base system is broken (see http://www.freebsd.org/cgi/query-pr.cgi?pr=151444) there is no more option to authenticate against Active Directory.

>How-To-Repeat:
I used imtest from ports/cyrus-imapd24:
imtest -u username localhost
>Fix:


>Release-Note:
>Audit-Trail:
>Unformatted: