Debian Bug report logs - #656352
pu: package libpam-krb5/4.3-1squeeze1

Package: release.debian.org; Maintainer for release.debian.org is Debian Release Team <debian-release@lists.debian.org>;

Reported by: Russ Allbery <rra@debian.org>

Date: Wed, 18 Jan 2012 18:09:54 UTC

Severity: normal

Done: Philipp Kern <pkern@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#656352; Package release.debian.org. (Wed, 18 Jan 2012 18:09:58 GMT)

Acknowledgement sent to Russ Allbery <rra@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Wed, 18 Jan 2012 18:09:59 GMT)

Message #5 received at submit@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: pu: package libpam-krb5/4.3-1squeeze1
Date: Wed, 18 Jan 2012 09:54:19 -0800
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: pu

Filing this in advance of actually doing the update work....

libpam-krb5 4.4-3 in unstable added the following change (from
NEWS.Debian):

  The default PAM configuration for the password stack changed in this
  version to skip all other modules if the Kerberos password change
  succeeded.  This works better and with fewer strange errors for the
  common case of Kerberos accounts not having a local password.

  If you want to instead synchronize your local and Kerberos passwords,
  you will need to not manage the module with pam-auth-update and instead
  manually configure the password stack to run both pam_krb5 and pam_unix.
  See /usr/share/doc/libpam-krb5/README.Debian.gz for more details.

Without this change, users of the module where accounts are only in
Kerberos and some external user source like LDAP and don't occur in
/etc/shadow were unable to use it to change Kerberos passwords, because
pam_unix would reject the password change due to the missing /etc/shadow
entry.  The change is basically a single line in the pam-configs
configuration:

--- a/debian/pam-auth-update
+++ b/debian/pam-auth-update
@@ -12,9 +12,9 @@ Account:
        required                        pam_krb5.so minimum_uid=1000
 Password-Type: Primary
 Password:
-       requisite                       pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
+       [success=end default=ignore]    pam_krb5.so minimum_uid=1000 try_first_pass use_authtok
 Password-Initial:
-       requisite                       pam_krb5.so minimum_uid=1000
+       [success=end default=ignore]    pam_krb5.so minimum_uid=1000
 Session-Type: Additional
 Session:
        optional                        pam_krb5.so minimum_uid=1000
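Review bot: On both changed lines (Password and Password-Initial), `default=ignore` discards every non-success result from pam_krb5, not only the case of a user with no Kerberos principal, whereas `requisite` stopped the stack on any failure. After this change a failed or rejected Kerberos password change leaves the verdict to whatever modules follow in the password stack, so for an account that also has a local password the later module decides the outcome alone. If that is intended, state it in NEWS.Debian next to the note about password synchronization; if not, consider ignoring only specific return codes (for example `user_unknown=ignore`) and keeping a failing default for the rest.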

However, it's not backward-compatible.  If one was relying on the previous
behavior, this change will require switching away from the defaults.

Petter Reinholdtsen from DebianEdu requested this change make it into
stable as well, since it's causing problems for them (they set up accounts
in Kerberos and LDAP only by default).

What do the stable release managers think?  Is this something that would
be reasonable to do in stable?  I think it does improve the package for
the majority use case, but it's a larger change in configuration than I
would normally propose for a stable update.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 3.1.0-1-686-pae (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
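
Why the Kerberos-only case fails under `requisite` and what the one-line change alters, as an added example (not code from this report or from the package): a single-pass model of how libpam walks a stack. The pam_unix, pam_deny and pam_permit lines and the resolution of `success=end` to a jump of 2 are assumptions about the generated password stack; the real password stack runs twice (preliminary check, then update), which this model collapses into one pass.

```python
# Added example: single-pass model of libpam's stack walk (not libpam itself).
SUCCESS, FAILURE = "success", "failure"

# Keyword controls in their bracket form (Linux-PAM semantics).
KEYWORDS = {
    "requisite": {"success": "ok", "default": "die"},
    "required": {"success": "ok", "default": "bad"},
}
ALWAYS = {"pam_deny": FAILURE, "pam_permit": SUCCESS}

def password_stack(krb5_control):
    # Assumed layout of the generated stack; only the pam_krb5 control
    # comes from the diff in the report.
    return [
        (krb5_control, "pam_krb5"),
        ({"success": 1, "default": "ignore"}, "pam_unix"),
        ("requisite", "pam_deny"),
        ("required", "pam_permit"),
    ]

OLD = password_stack("requisite")
# success=end resolved to "jump past pam_unix and pam_deny" (assumption).
NEW = password_stack({"success": 2, "default": "ignore"})

def run_stack(stack, results):
    """Return (verdict, modules called); results maps module -> return code."""
    verdict, called, i = None, [], 0
    while i < len(stack):
        control, module = stack[i]
        actions = KEYWORDS[control] if isinstance(control, str) else control
        rc = {**ALWAYS, **results}[module]
        called.append(module)
        action = actions.get(rc, actions["default"])
        i += 1
        if isinstance(action, int):
            i += action                  # jump: skip the next N modules
        elif action == "ok" and verdict is None:
            verdict = SUCCESS
        elif action in ("bad", "die"):
            verdict = FAILURE
            if action == "die":
                break                    # requisite: stop immediately
    return verdict or FAILURE, called

# Constructed scenarios: what each module would return for the account.
KERBEROS_ONLY = {"pam_krb5": SUCCESS, "pam_unix": FAILURE}  # no /etc/shadow entry
BOTH = {"pam_krb5": SUCCESS, "pam_unix": SUCCESS}           # principal and local password
```

For the account with both a principal and a local password, the new stack succeeds without ever calling pam_unix, which is the backward-incompatible part: the local password is no longer changed alongside the Kerberos one.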




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#656352; Package release.debian.org. (Thu, 19 Jan 2012 00:09:03 GMT)

Acknowledgement sent to Cyril Brulebois <kibi@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 19 Jan 2012 00:09:03 GMT)

Message #10 received at 656352@bugs.debian.org:

From: Cyril Brulebois <kibi@debian.org>
To: Russ Allbery <rra@debian.org>, 656352@bugs.debian.org
Subject: Re: Bug#656352: pu: package libpam-krb5/4.3-1squeeze1
Date: Thu, 19 Jan 2012 01:07:18 +0100
Hi,

(with random joe user/developer hat on)

Russ Allbery <rra@debian.org> (18/01/2012):
> However, it's not backward-compatible.  If one was relying on the previous
> behavior, this change will require switching away from the defaults.

ouch. Doesn't seem like too good an idea for a stable upload.

> Petter Reinholdtsen from DebianEdu requested this change make it into
> stable as well, since it's causing problems for them (they set up accounts
> in Kerberos and LDAP only by default).

If they're directly affected by this, maybe it can be worked around on
their side?

> What do the stable release managers think?  Is this something that would
> be reasonable to do in stable?  I think it does improve the package for
> the majority use case, but it's a larger change in configuration than I
> would normally propose for a stable update.

If the majority use case improvement is worth it, maybe try and get on a
middleground route: warn/ask through some debconf prompt about the
behaviour change if it's an update, and go the preferred route (from
your POV) if that's an installation? (Or prompt in all cases, maybe?)

Mraw,
KiBi.

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Release Team <debian-release@lists.debian.org>:
Bug#656352; Package release.debian.org. (Thu, 19 Jan 2012 00:57:06 GMT)

Acknowledgement sent to Russ Allbery <rra@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Release Team <debian-release@lists.debian.org>. (Thu, 19 Jan 2012 00:57:06 GMT)

Message #15 received at 656352@bugs.debian.org:

From: Russ Allbery <rra@debian.org>
To: Cyril Brulebois <kibi@debian.org>
Cc: 656352@bugs.debian.org
Subject: Re: Bug#656352: pu: package libpam-krb5/4.3-1squeeze1
Date: Wed, 18 Jan 2012 16:54:59 -0800
Cyril Brulebois <kibi@debian.org> writes:
> Russ Allbery <rra@debian.org> (18/01/2012):

>> Petter Reinholdtsen from DebianEdu requested this change make it into
>> stable as well, since it's causing problems for them (they set up accounts
>> in Kerberos and LDAP only by default).

> If they're directly affected by this, maybe it can be worked around on
> their side?

They are currently diverting and replacing the configuration file.

>> What do the stable release managers think?  Is this something that
>> would be reasonable to do in stable?  I think it does improve the
>> package for the majority use case, but it's a larger change in
>> configuration than I would normally propose for a stable update.

> If the majority use case improvement is worth it, maybe try and get on a
> middleground route: warn/ask through some debconf prompt about the
> behaviour change if it's an update, and go the preferred route (from
> your POV) if that's an installation? (Or prompt in all cases, maybe?)

The problem there is that the relevant file is in /usr/share/pam-configs
and is therefore not a configuration file.  I suppose I could try to do
something complex to have it be a symlink to something in /etc, but the
intent of the pam-config-update mechanism was to not do things like that.
But it does make it really hard to only optionally change the default
configuration.

I'd say that the current package behavior is probably right for 10% of the
users and wrong for 90% of the users (although most people probably don't
change their Kerberos password a lot via PAM and hence haven't noticed).
The new default would be right for 90% and wrong for 10%.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>




Reply sent to Philipp Kern <pkern@debian.org>:
You have taken responsibility. (Thu, 19 Jan 2012 10:18:53 GMT)

Notification sent to Russ Allbery <rra@debian.org>:
Bug acknowledged by developer. (Thu, 19 Jan 2012 10:18:58 GMT)

Message #20 received at 656352-done@bugs.debian.org:

From: Philipp Kern <pkern@debian.org>
To: Russ Allbery <rra@debian.org>, 656352-done@bugs.debian.org
Subject: Re: Bug#656352: pu: package libpam-krb5/4.3-1squeeze1
Date: Thu, 19 Jan 2012 11:17:16 +0100
Hi Russ,

On Wed, Jan 18, 2012 at 09:54:19AM -0800, Russ Allbery wrote:
> However, it's not backward-compatible.  If one was relying on the previous
> behavior, this change will require switching away from the defaults.

I acknowledge that the behaviour is pretty much annoying.  However I think that
stable is not the place to make such a change.  It's unfortunate that it went
into stable unnoticed, but while fixing bugs is appreciated, behaviour changes
are very much frowned upon, especially in authentication modules.

A Debconf note upon upgrade wouldn't help for automated installs that want
mostly reproducible behaviour (apart from security updates) for stable installs
and it would also need to have a very high priority to be shown everywhere upon
upgrade.  I wouldn't like to introduce that in stable.

Kind regards, thanks for contacting us and sorry,
Philipp Kern
-- 
 .''`.  Philipp Kern                        Debian Developer
: :' :  http://philkern.de                         Stable Release Manager
`. `'   xmpp:phil@0x539.de                         Wanna-Build Admin
  `-    finger pkern/key@db.debian.org

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 17 Feb 2012 07:38:40 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 03:29:54 2014; Machine Name: beach.debian.org
