Bug 1144059

Summary: Please add "pam_keyinit.so" to the /etc/pam.d/samba configuration file
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Josef Möllers <josef.moellers>
Component: Samba
Assignee: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Status: RESOLVED FIXED
QA Contact: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Severity: Normal
Priority: P5 - None
CC: josef.moellers, nopower, scabrero
Version: Current   
Target Milestone: Current   
Hardware: All   
OS: openSUSE Factory   

Description Josef Möllers 2019-08-02 15:14:05 UTC
In the near future, the use of kernel keyrings will be enabled by systemd.
To fully support this feature, the samba package must include the pam_keyinit.so
module in its /etc/pam.d/samba configuration file.
Please add this module to the /etc/pam.d/samba configuration file with the
appropriate parameters:
session optional pam_keyinit.so revoke [force]
Thanks.
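
An added example, not part of the original report or of the samba package: a small Python check that a PAM service file such as /etc/pam.d/samba carries the requested session line for pam_keyinit.so with the revoke argument. The sample file contents and the function names are constructed for illustration, and the check does not follow include or substack directives into other files.

```python
import re
import sys

# Constructed sample of a PAM service file; not the file shipped by the samba package.
SAMPLE_WITH = """\
#%PAM-1.0
auth     include   common-auth
account  include   common-account
session  include   common-session
session  optional  pam_keyinit.so revoke
"""
# Same constructed file with the pam_keyinit.so line taken out.
SAMPLE_WITHOUT = SAMPLE_WITH.replace("session  optional  pam_keyinit.so revoke\n", "")

def parse_pam(text):
    """Yield (type, control, module, args) for each rule in a pam.d service file."""
    text = re.sub(r"\\\n", " ", text)            # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        # The control field is either one word or a bracketed [value=action ...] list.
        m = re.match(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rtype, control, module, args = m.groups()
            # A leading '-' on the type only silences "module missing" logging.
            yield rtype.lstrip("-").lower(), control, module, args.split()

def keyinit_status(text):
    """Return 'ok', 'missing-revoke', 'wrong-type' or 'absent' for pam_keyinit.so."""
    status = "absent"
    for rtype, _control, module, args in parse_pam(text):
        if module.rsplit("/", 1)[-1] != "pam_keyinit.so":
            continue
        if rtype != "session":                   # pam_keyinit is a session module
            status = "wrong-type" if status == "absent" else status
        elif "revoke" in args:
            return "ok"
        else:
            status = "missing-revoke"
    return status

if __name__ == "__main__":
    # With a path argument, check that file; otherwise check the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WITH
    print(keyinit_status(text))
```
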
Comment 1 Samuel Cabrero 2019-08-05 15:01:24 UTC
Background --> https://bugzilla.suse.com/show_bug.cgi?id=1081947
Comment 2 Noel Power 2019-08-15 07:29:22 UTC
(In reply to Josef Möllers from comment #0)
> In the near future, the use of kernel keyrings will be enabled by systemd.
> To fully support this feature, the samba package must include the
> pam_keyinit.so
> module in its /etc/pam.d/samba configuration file.
> Please add this module to the /etc/pam.d/samba configuration file with the
> appropriate parameters:
> session optional pam_keyinit.so revoke [force]
> Thanks.

@josef Does this affect SLE-15-sp0? I guess I mean will the use of kernel keyrings be enabled in sle-15-sp0, and will we need to backport this change there?
Comment 3 Josef Möllers 2019-08-15 07:42:37 UTC
(In reply to Noel Power from comment #2)

> @josef Does this affect SLE-15-sp0 ? I guess I mean will the use of kernel
> keyrings be enabled in sle-15-sp0 and will we need to backport this change
> there

No, I made a mistake when creating the bug against SLE-15.
Please submit against openSUSE Tumbleweed. Apparently I can't change the Product accordingly.

Thanks and sorry for the inconvenience!
Comment 4 Josef Möllers 2019-08-15 07:50:47 UTC
Changed codestream to TW where it belongs.
Comment 6 Swamp Workflow Management 2019-09-16 22:10:45 UTC
openSUSE-SU-2019:2142-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1141267,1144059
CVE References: CVE-2019-10197
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.187.71edee57d5a-lp151.2.6.1
Comment 7 Samuel Cabrero 2019-11-25 11:56:36 UTC
Released.