pam_vas3.so store_creds in 5.1 still supposed to work?

Hi,

I have a service which re-authenticates on reconnect but doesn't call setcred; in combination with NFSv4/krb5, a refresh of the ticket cache on auth would be just what's needed, and according to the pam_vas manpage, giving the auth pam_vas3.so an argument of store_creds in that service's PAM config should do that.

However, the ticket cache does not get updated; strace doesn't see an attempt to even look at the file, either. Switching on debug and trace works, so it's the right PAM config for the service in principle (the debug output wasn't enlightening).

Has store_creds been deprecated and I found a documentation issue?

kind regards,

Petra Zeidler

  • Hi Petra,

    Jason Bauer here from One Identity Support.

    Please try the "bad_pam_app_workaround" pam configuration setting. The following KB articles have some details.

    support.oneidentity.com/.../
    support.oneidentity.com/.../

    Thank you
    Jason Bauer

  • Hi Jason,

    thanks, that does it. Is that store_creds in a new coat? :)

    kind regards,

    Petra Zeidler

  • Hi Petra,

    I don't think the setting is a new coat for store_creds.

    I believe Safeguard Authentication Services moved from storing the creds during pam auth to pam session.

    The setting allows for the storing of creds during pam auth which is what your service requires.

    Thank you
    Jason Bauer
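A small check script, added here as an example and not part of the thread or of the product, for confirming whether an authenticate-only PAM call (no setcred, like the service described above) actually rewrites the user's ticket cache once the option is in place. It assumes pamtester is installed and that the cache is a FILE: ccache whose path is given as an argument; both are assumptions.

```shell
#!/bin/sh
# Added example: does pam_authenticate() alone refresh a Kerberos ticket cache?
# Assumptions: pamtester is installed; the ccache is a plain file (FILE: type).

# Modification time of the ccache file in epoch seconds; 0 if the file is absent.
ccache_mtime() {
    if [ -f "$1" ]; then
        stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"   # GNU stat, then BSD stat
    else
        echo 0
    fi
}

# Succeeds when the cache was (re)written between the two timestamps.
ccache_refreshed() {
    [ "$2" -gt "$1" ]
}

# Run only the authenticate step through pamtester (no setcred) for SERVICE/USER
# and report whether CCACHE changed. Returns 0 if refreshed, 1 if untouched,
# 2 if the PAM conversation itself failed.
check_auth_refresh() {
    service=$1; user=$2; ccache=$3
    before=$(ccache_mtime "$ccache")
    sleep 1    # guarantee that a rewrite produces a strictly newer mtime
    pamtester "$service" "$user" authenticate >/dev/null 2>&1 || return 2
    after=$(ccache_mtime "$ccache")
    if ccache_refreshed "$before" "$after"; then
        echo "ccache $ccache was refreshed during pam_authenticate()"
        return 0
    fi
    echo "ccache $ccache was not touched; check the pam_vas3.so option for this service"
    return 1
}

# Only run the check when invoked directly with SERVICE USER CCACHE.
if [ "$#" -eq 3 ]; then
    check_auth_refresh "$1" "$2" "$3"
fi
```

Run it as `sh check.sh <service> <user> /tmp/krb5cc_<uid>` before and after adding the option to the service's PAM config to see the difference.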

  • Hi Jason,

    The setting is what I needed, correct. However, regarding the documentation:

    the manpage for pam_vas in 5.1 says:

           store_creds
              When this option is set, pam_vas will store the user's kerberos
              tickets in their ticket cache during the pam_authenticate() call
              instead of waiting for the pam_setcred() call. The store_creds
              option defaults to OFF.

           delay_ccache_creation
              This option has been deprecated. The default behavior of the pam
              module now ensures that krb5 ticket creation is delayed until the
              pam_setcred() call.

           no_store_creds
              This option has been deprecated. The default behavior of the pam
              module now ensures that krb5 tickets are not stored during the
              pam_authenticate() call.

    The man page does not document a flag "bad_pam_app_workaround". It appears to me that "bad_pam_app_workaround" does what "store_creds" is documented to do, and that the man page could be amended.

    kind regards,

    Petra Zeidler

  • Hi Petra,

    Thank you. I am in agreement.

    I have started discussions with the Authentication Services product team and will work on getting this updated.

    If you would like to track this please open a support case through our portal here:

    support.oneidentity.com/create-service-request

    With that, I will be able to provide you with a tracking number.

    Thank you
    Jason Bauer