[Bug 454012] Re: pam-configs prevents root login with pam_unix

Brian J. Murrell brian at interlinx.bc.ca
Sun Oct 18 15:30:21 UTC 2009


On Sat, 2009-10-17 at 22:49 +0000, Steve Langasek wrote:
> Well, bug #411249 was closed as invalid.

I know.

> I don't think this is a valid bug, either; pam_krb5 returns 'PAM_IGNORE'
> for non-Kerberos logins, as shown in your debug log, which *is*
> considered "success" /as long as/ at least one other PAM module returns
> success.

OK.

> I'm quite confident that this is the case, because this is the standard
> use of pam_krb5 on Debian/Ubuntu, and I've been using it for years - and
> my root account works fine.

And you don't have a root account in kerberos?  Or maybe the
minimum_uid=1000 makes that moot?

> So there must be some other 'account' module in your configuration for
> su which is returning this failure.  Can you post a copy of
> /etc/pam.d/su and /etc/pam.d/common-account?

Sure.

su:
auth       sufficient pam_rootok.so
session       required   pam_env.so readenv=1
session       required   pam_env.so readenv=1 envfile=/etc/default/locale
session    optional   pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

common-account:
account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so debug audit
account	[success=1 default=ignore]	pam_ldap.so 
account	required			pam_permit.so
account	required			pam_krb5.so debug minimum_uid=1000

As above, su fails and auth.log reports:

Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: pam_sm_acct_mgmt: entry (0x0)
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: skipping non-Kerberos login
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: pam_sm_acct_mgmt: exit (ignore)
Oct 18 11:03:19 laptop su[31699]: pam_acct_mgmt: Permission denied
Oct 18 11:03:19 laptop su[31699]: FAILED su for root by brian
Oct 18 11:03:19 laptop su[31699]: - pts/2 brian:root

If I simply change the pam_krb5 line in common-account to:

account required                        pam_permit.so

su works and auth.log reports:

Oct 18 11:07:11 jenny-laptop su[31719]: Successful su for root by brian
Oct 18 11:07:11 jenny-laptop su[31719]: + pts/2 brian:root
Oct 18 11:07:11 jenny-laptop su[31719]: pam_unix(su:session): session opened for user root by brian(uid=1001)

So to me that means that pam_unix.so or pam_ldap.so has to be
"success"ful, causing a jump over the (first) pam_permit; otherwise this
would all just work and I would not be filing this bug.

That simply changing the pam_krb5 to pam_permit says to me that pam_krb5
must be failing the account processing.

That said, I am by far no pam expert, so I am completely welcome to
being told why I'm wrong.

Further, unfortunately neither the "debug" nor the "audit" on the pam_unix.so
line seems to be producing any debug or audit entries in the auth.log, so
that's not helping.  :-(

-- 
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

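The following is an added worked example, not part of the mail thread above and not Linux-PAM's own code. It is a small Python model of how libpam walks an `account` stack, with the control tables from pam.conf(5) (required/requisite/sufficient/optional and the bracketed `[value=action ...]` form, including `success=N` jumps and `PAM_IGNORE`). Run over the two common-account stacks quoted in the mail, it reproduces the observed outcome: for root, pam_unix's `success=2` jumps over pam_ldap and pam_permit, pam_krb5 then returns `PAM_IGNORE`, and nothing in the stack has recorded a success, so the result is libpam's default `PAM_PERM_DENIED`. The `jump_counts_as_ok` switch is an assumption of this model: current pam.conf(5) describes `N` as "equivalent to ok with the side effect of jumping", and with that reading the same stack succeeds; the log on this page matches the reading where a jump does not itself count as success. The `USERS` table, the module behaviours and the user names other than root/brian are constructed for the example; the alice and brian cases go beyond the page and show what the same model predicts for an LDAP user with and without a Kerberos ticket.

```python
"""Model of libpam's account-stack dispatch (constructed example, not Linux-PAM code)."""
import re

# Module return codes used by the simulation.
SUCCESS, IGNORE, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_IGNORE", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")
RETVAL_KEY = {SUCCESS: "success", IGNORE: "ignore",
              USER_UNKNOWN: "user_unknown", PERM_DENIED: "perm_denied"}

# pam.conf(5): the keyword controls are shorthand for these action tables.
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# The two stacks quoted in the mail (verbatim).
COMMON_ACCOUNT_AS_FILED = """
account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so debug audit
account	[success=1 default=ignore]	pam_ldap.so
account	required			pam_permit.so
account	required			pam_krb5.so debug minimum_uid=1000
"""
COMMON_ACCOUNT_WITH_PERMIT = """
account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so debug audit
account	[success=1 default=ignore]	pam_ldap.so
account	required			pam_permit.so
account required                        pam_permit.so
"""

# Constructed account database: user -> (uid, in /etc/passwd, in LDAP, has Kerberos ticket).
USERS = {
    "root":  (0,    True,  False, False),
    "brian": (1001, False, True,  False),   # hypothetical: LDAP user, no ticket
    "alice": (1500, False, True,  True),    # hypothetical: LDAP user with a ticket
}

def parse_line(line):
    """Parse 'account <control> <module> [args...]' into (action table, module, args)."""
    m = re.match(r"account\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$", line.strip())
    if not m:
        raise ValueError("unparseable line: %r" % line)
    control, module, argstr = m.groups()
    if control.startswith("["):
        table = dict(tok.split("=", 1) for tok in control[1:-1].split())
    else:
        table = KEYWORD_CONTROLS[control]
    return table, module, argstr.split()

def run_module(module, args, user):
    """Simulated module behaviour, modelled on the auth.log lines in the mail."""
    uid, local, ldap, has_ticket = USERS[user]
    opts = dict(a.split("=", 1) for a in args if "=" in a)
    if module == "pam_unix.so":
        return SUCCESS if local else USER_UNKNOWN
    if module == "pam_ldap.so":
        return SUCCESS if ldap else USER_UNKNOWN
    if module == "pam_permit.so":
        return SUCCESS
    if module == "pam_krb5.so":
        # "skipping non-Kerberos login" -> PAM_IGNORE; likewise below minimum_uid.
        if uid < int(opts.get("minimum_uid", 0)) or not has_ticket:
            return IGNORE
        return SUCCESS
    raise ValueError("unknown module " + module)

def evaluate(config, user, jump_counts_as_ok=False):
    """Walk the stack the way libpam does; return the final PAM status string."""
    entries = [parse_line(ln) for ln in config.strip().splitlines() if ln.strip()]
    impression = None        # None = undefined, True = positive, False = negative
    status = PERM_DENIED     # libpam starts from PAM_MUST_FAIL_CODE
    skip = 0
    for table, module, args in entries:
        if skip:             # module jumped over by an earlier success=N
            skip -= 1
            continue
        retval = run_module(module, args, user)
        action = table.get(RETVAL_KEY[retval], table.get("default", "bad"))
        if action.isdigit():
            skip = int(action)
            if not jump_counts_as_ok:
                continue     # assumption: the jump records no success by itself
            action = "ok"
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if retval != IGNORE and (impression is None or (impression and status == SUCCESS)):
                impression, status = True, retval
            if action == "done" and impression:
                break
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, PERM_DENIED
    if status == SUCCESS and impression is not True:   # libpam's final sanity check
        status = PERM_DENIED
    return status

if __name__ == "__main__":
    for name, cfg in (("as filed", COMMON_ACCOUNT_AS_FILED), ("pam_permit last", COMMON_ACCOUNT_WITH_PERMIT)):
        for user in USERS:
            print("%-16s %-6s jump=skip:%-16s jump=ok:%s" % (
                name, user, evaluate(cfg, user), evaluate(cfg, user, jump_counts_as_ok=True)))
```

The model shows why the stack denies root in the mail's log and succeeds once pam_permit sits in the last slot: the only module that runs after the jump must itself contribute an "ok", and pam_krb5's `PAM_IGNORE` cannot. It also shows that the outcome depends on whether the libpam build treats `success=N` as an "ok"; a check against an installed libpam is to run the stack rather than trust the model.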