pam-krb5 3.9 released

Russ Allbery rra at stanford.edu
Mon Dec 3 14:32:26 EST 2007


"Markus Moeller" <huaraz at moeller.plus.com> writes:

> I have a problem with pam_sm_setcred when authenticating non-local users. I 
> have in my pam file the following
>
> application auth required pam-krb5-3.9 no_ccache
> application account required pam-krb5-3.9 no_ccache
> application session required pam_dummy
>
> to authenticate users of an application with Kerberos. Unfortunately the
> application uses also a pam_setcred and pam_sm_open/close_session calls
> and pam_sm_setcred fails because in pam_sm_setcred the pamret =
> pamk5_context_fetch(args) call fails and sets the return code to 24
> (Module specific data not found). You nicely jump over getpwnam when
> no_ccache is selected but I think in the case of no_ccache a failure of
> pamk5_context_fetch shouldn't be fatal.
>
> Can this be changed in the next release ?

Yeah, I think this was actually an accident caused by other changes.  I
used to initialize the PAM return value to success.  I think this patch
will do what you want and is correct.  It'll be in the next release.

=== modified file 'api-auth.c'
--- api-auth.c  2007-09-30 08:33:55 +0000
+++ api-auth.c  2007-12-03 19:29:09 +0000
@@ -476,8 +476,10 @@
     }
 
     /* If configured not to create a cache, we have nothing to do. */
-    if (args->no_ccache)
+    if (args->no_ccache) {
+        pamret = PAM_SUCCESS;
         goto done;
+    }
 
     /*
      * Reinitialization requested, which means that rather than creating a new
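
Review bot: In the no_ccache branch, `pamret = PAM_SUCCESS;` overwrites whatever value pamret holds when control reaches this point, so any failure set earlier in the function, not only the missing-context case reported in this thread, is returned as success. If discarding the earlier result is intended, extend the comment above the branch ("If configured not to create a cache, we have nothing to do.") to say that a prior error code is deliberately dropped here. Otherwise, test args->no_ccache before the call that can fail, so there is no stale error to reset.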

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>


