[Bug 454012] Re: pam-configs prevents root login with pam_unix
Brian J. Murrell
brian at interlinx.bc.ca
Sun Oct 18 15:30:21 UTC 2009
On Sat, 2009-10-17 at 22:49 +0000, Steve Langasek wrote:
> Well, bug #411249 was closed as invalid.
I know.
> I don't think this is a valid bug, either; pam_krb5 returns 'PAM_IGNORE'
> for non-Kerberos logins, as shown in your debug log, which *is*
> considered "success" /as long as/ at least one other PAM module returns
> success.
OK.
> I'm quite confident that this is the case, because this is the standard
> use of pam_krb5 on Debian/Ubuntu, and I've been using it for years - and
> my root account works fine.
And you don't have a root account in kerberos? Or maybe the
minimum_uid=1000 makes that moot?
> So there must be some other 'account' module in your configuration for
> su which is returning this failure. Can you post a copy of
> /etc/pam.d/su and /etc/pam.d/common-account?
Sure.
su:
auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session
common-account:
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
account [success=1 default=ignore] pam_ldap.so
account required pam_permit.so
account required pam_krb5.so debug minimum_uid=1000
As above, su fails and auth.log reports:
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: pam_sm_acct_mgmt: entry (0x0)
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: skipping non-Kerberos login
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: pam_sm_acct_mgmt: exit (ignore)
Oct 18 11:03:19 laptop su[31699]: pam_acct_mgmt: Permission denied
Oct 18 11:03:19 laptop su[31699]: FAILED su for root by brian
Oct 18 11:03:19 laptop su[31699]: - pts/2 brian:root
If I simply change the pam_krb5 line in common-account to:
account required pam_permit.so
su works and auth.log reports:
Oct 18 11:07:11 jenny-laptop su[31719]: Successful su for root by brian
Oct 18 11:07:11 jenny-laptop su[31719]: + pts/2 brian:root
Oct 18 11:07:11 jenny-laptop su[31719]: pam_unix(su:session): session opened for user root by brian(uid=1001)
So to me that means that pam_unix.so or pam_ldap.so has to be
"success"ful, causing a jump over the (first) pam_permit; otherwise this
would all just work and I would not be filing this bug.
That simply changing the pam_krb5 to pam_permit says to me that pam_krb5
must be failing the account processing.
That said, I am by far no pam expert, so I am completely welcome to
being told why I'm wrong.
Further, unfortunately neither the "debug" nor the "audit" option on the
pam_unix.so line seems to be producing any debug or audit entries in the
auth.log, so that's not helping. :-(
--
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
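Worked example of the control-flag reasoning in the message above. This is an editor-added illustration, not code from the bug report, from Ubuntu's pam-configs or from Linux-PAM: a small Python interpreter for the pam.conf(5) control syntax, run over the posted common-account stack. The module return values it feeds in are assumptions (pam_krb5 returning ignore matches the posted log; pam_unix succeeding, pam_ldap being ignored, and the variant with pam_permit removed are constructed), so it models only the control flow, not what pam_unix or pam_krb5 actually decided on that system. It shows how success=2 skips pam_ldap and the first pam_permit, and how Linux-PAM's final sanity check turns a stack in which no module contributed a result into PAM_PERM_DENIED without any module having reported a failure.

```python
"""Resolve a PAM stack the way Linux-PAM's dispatcher does (pam.conf(5) rules).

Added example, not from the bug report or from Linux-PAM.  Legacy keywords
expand to [value=action ...] forms; each return value selects an action:
ok, done, bad, die, ignore, reset, or an integer N ("ok, then skip N
modules").  Module return values are supplied by the caller (assumptions).
"""
import re

SUCCESS, NEW_AUTHTOK_REQD, IGNORE, PERM_DENIED, USER_UNKNOWN = (
    "success", "new_authtok_reqd", "ignore", "perm_denied", "user_unknown")

# Legacy control keywords as pam.conf(5) defines them.
LEGACY = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")


def parse_stack(text, module_type="account"):
    """Return [(module, {value: action})] for one module type.
    @include directives must already be inlined; jumps count those modules too."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(1) != module_type:
            continue
        _, control, module = m.groups()
        if control.startswith("["):
            ctrl = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            ctrl = dict(LEGACY[control])
        stack.append((module, ctrl))
    return stack


def dispatch(stack, returns):
    """Return (final_status, trace) given each module's return value."""
    impression = None      # None: nothing contributed yet; True/False: pass/fail
    status = SUCCESS
    skip = 0
    trace = []
    for module, ctrl in stack:
        if skip:
            skip -= 1
            trace.append(f"{module}: skipped")
            continue
        retval = returns[module]
        # Values not listed take 'default'; with no default they are 'bad'.
        action = ctrl.get(retval, ctrl.get("default", "bad"))
        trace.append(f"{module}: {retval} -> {action}")
        if action.isdigit():            # N: behave as 'ok', then skip N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done"):
            # A result only overrides an undefined or plain-success state.
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
        elif action != "ignore":
            raise ValueError(f"unknown action {action!r} on {module}")
    # Final sanity check: nominal success with no contributing module is a
    # denial.  This is how a stack fails without any module reporting failure.
    if status == SUCCESS and impression is not True:
        status = PERM_DENIED
    return status, trace


# The common-account file from the report; su's own account stack is only
# "@include common-account", so this is the whole stack.
COMMON_ACCOUNT = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
account [success=1 default=ignore] pam_ldap.so
account required pam_permit.so
account required pam_krb5.so debug minimum_uid=1000
"""


def scenario_logged():
    """pam_krb5 returns ignore as in the posted log; the other return values
    (pam_unix succeeding for a local root account) are assumptions."""
    return dispatch(parse_stack(COMMON_ACCOUNT), {
        "pam_unix.so": SUCCESS, "pam_ldap.so": IGNORE,
        "pam_permit.so": SUCCESS, "pam_krb5.so": IGNORE})


def scenario_nothing_contributes():
    """Constructed variant: pam_permit removed and every module returning
    ignore.  Nothing fails, yet the stack is denied."""
    text = "\n".join(l for l in COMMON_ACCOUNT.splitlines() if "pam_permit" not in l)
    return dispatch(parse_stack(text), {
        "pam_unix.so": IGNORE, "pam_ldap.so": IGNORE, "pam_krb5.so": IGNORE})
```

Calling scenario_logged() walks the posted stack with the assumed return values and yields a trace of one jump, two skipped modules and one ignored module, ending in success; scenario_nothing_contributes() shows the one way the documented rules alone produce "Permission denied" with no module logging a failure, which is worth ruling out (by checking which modules actually contribute a status) before blaming a single module.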