[Bug 456985] [NEW] account configuration not working

[Launchpad Bug Tracker]

You have been subscribed to a public bug:

I seem to be getting refused ssh access for regular users (root works
fine) when I have both unix and krb5 PAM modules configured but no user
accounts in /etc/{passwd,shadow} (i.e. because they are provided by the
password map in NSS_LDAP and authenticated by Kerberos)

sshd in debug mode reports:

Access denied for user brian by PAM account configuration

and when I look at common-account, the error seems to make sense:

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
# here's the fallback if no module succeeds
account requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config         

There is no shadow information for this user for pam_unix to verify, so
pam_unix returns some kind of non-success, which means not jumping over
pam_deny.  I figured out that the following fixes the problem:

account [authinfo_unavail=1 success=1 new_authtok_reqd=done
default=ignore]     pam_unix.so

which basically tells pam_unix.so that if the shadow entry is not there,
don't worry about trying to verify it's values -- which is apparently
it's "account" behavior.

** Affects: libnss-ldap (Ubuntu)
     Importance: Undecided
         Status: New

-- 
account configuration not working
https://bugs.launchpad.net/bugs/456985
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in ubuntu.