Issue with PAM authentication in 1.12.13 "PAM reestablish credentials error"

[Robert Auch]

Summary: RHEL5 1.11.22 works, Solaris x86 10u2 1.12.13 does not.  Error is:
-bash-3.00$ /apps/cvs/bin/cvs ls
PAM reestablish credentials error: Failure setting user credentials

"cvs login" does work on both systems.

I'm new to CVS as of last week, so if I'm not providing some piece of
information, or missed something simple, please let me know.

Question: how do I even get server-side logging to troubleshoot? Has someone
seen this and know a fix?

Long version:

I have 2 computers: a Solaris 10, update 2 x86 system running cvs 1.12.13
compiled from source as:
./configure -prefix=/apps/cvs --with-gssapi --enable-pam
make
make install

The 2nd is a Red Hat Enterprise Linux 5.3 system with cvs 1.11.22 installed
directly from Red Hat via yum.

Both were set up as:
mkdir -p /apps/repo1
cvs -d /apps/repo1 init
sed -i.bak -e 's/^#\sSystemAuth.*$/SystemAuth=yes/'
/apps/repo1/CVSROOT/config

When I log in as a regular OS user to either system, and run:
CVSROOT=:pserver:address@hidden:/apps/repo1
export CVSROOT
cvs login

I am prompted for my password, and am able to be successfully logged in.  a
.cvspass file is created in my (local to the cvs server) home directory.

However, on the Solaris system, when I run:
cvs ls (or history, or any other command, for that matter), I receive the
following error.
-bash-3.00$ /apps/cvs/bin/cvs ls
PAM reestablish credentials error: Failure setting user credentials

The same command on the Red Hat system works.  I believe the error is in the
PAM/ CVS interaction, but I'm not sure how to set up server-side tracing and
logging (I know cvs -t on the client is available, but shows no useful
information for this issue).

-bash-3.00$ /apps/cvs/bin/cvs login
Logging in to :pserver:address@hidden:2401/apps/repo1
CVS password:
-bash-3.00$ /apps/cvs/bin/cvs ls
PAM reestablish credentials error: Failure setting user credentials
cvs [ls aborted]: end of file from server (consult above messages if any)
-bash-3.00$ echo $CVSROOT
:pserver:address@hidden:2401/apps/repo1
bash-3.00# ls -l /apps/repo1
total 2
drwxrwxr-x   3 cvs      cvs         1024 Apr 15 20:03 CVSROOT
bash-3.00# getent group cvs
cvs::100:cvs,rob,rauch

http://www.google.com/search?q=%22pam+reestablish+credentials%22&hl=en&safe=
off  (7 results, all in server.c)

So I figure it's some kind of PAM error, and therefore started editing the
"session" section of pam.conf, turning "required" to "sufficient" (so that
it couldn't fail out on a module), and even disabling the "session" section
entirely, all giving me the same error.  When I take out all the "lsass"
settings (provided by Likewise Open - www.likewiseopen.org), and log in as a
local user, I get:
-bash-3.00$ /apps/cvs/bin/cvs -d :pserver:address@hidden:/apps/repo1 ls
PAM reestablish credentials error: No account present for user

Again, the "login" command works, and the ".cvspass" file is created for the
user in their $HOME.

I can work out the PAM configuration, but can't figure out how CVS is
integrated with PAM to know what to change to make this work.

Thanks,

--
Robert Auch
Project Manager - Deployments | Likewise Software, Inc.
mailto  rauch a likewise dot com O: 708-613-5220

smime.p7s
Description: S/MIME cryptographic signature