LDAP/PAM (?) problem

Pavel Lisy pali at tmapy.cz
Tuesday April 8 13:11:36 CEST 2003


Hello good people,

(and everyone else ;-)

I am trying to get accounts working in an LDAP server so that they can be
used for unified user management of both UNIX and Windows machines.

That is why I started setting up a solution based on smbldap-tools (see
idealx.com for more), which is already included in the newest Samba
distributions (at least in the RPM).

However, I ran into a problem that I cannot solve, and nobody on the
mailing list devoted to this topic has replied to me yet either.

smbldap-tools define users and computer accounts in different LDAP
branches, so it is not the standard (as per the migration tools)
ou=People,dc=firma,dc=cz
but
ou=Users,dc=firma,dc=cz
ou=Computers,dc=firma,dc=cz

Now the problem I mentioned:

If I create a user with "smbldap-useradd.pl", I can log into the system
and log in over ssh, but I cannot switch to that user with "su".

I dug into where the problem is and found that Linux is somehow unable
to identify the user unless the user is listed in /etc/passwd in addition
to LDAP: (user=tmapy is missing at the end of the second log line)

after the command
$ su - tmapy
Password: 
su: incorrect password
$ 

and in the log there is:
Apr  8 12:04:17 marek su(pam_unix)[3008]: check pass; user unknown
Apr  8 12:04:17 marek su(pam_unix)[3008]: authentication failure; 
     logname=root uid=1000 euid=0 tty= ruser=tmapy rhost= 


Does anyone know what could be causing this? I am not even sure where to
look for the problem.

I am attaching my PAM configuration:

cat /etc/pam.d/su
---
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/pam_wheel.so use_uid
auth       required  /lib/security/pam_stack.so service=system-auth
account    required  /lib/security/pam_stack.so service=system-auth
password   required  /lib/security/pam_stack.so service=system-auth
session    required  /lib/security/pam_stack.so service=system-auth
session    optional  /lib/security/pam_xauth.so
---

cat /etc/pam.d/system-auth
---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

---



Pavel


-- 
Pavel Lisy <pali at tmapy.cz>
T-MAPY spol. s r.o.
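
Added example (not part of the original post, and not smbldap-tools or Linux-PAM code): a small Python evaluator for PAM control flags. It parses the posted system-auth stack (embedded below as a constructed copy, with the wrapped account line joined back onto one line) and combines hand-supplied per-module return codes the way libpam's dispatcher does, following the required/requisite/sufficient/optional shorthands and the [value=action] form documented in pam.conf(5). It shows that in the posted auth stack a "user unknown" from the sufficient pam_unix is simply ignored and pam_ldap decides the outcome, whereas in the account stack the same code from the required pam_unix fails the whole stack no matter what pam_ldap returns. The module return codes and the fixed results for pam_env and pam_deny are assumptions supplied by hand, not values read from a real system.

```python
"""Evaluate Linux-PAM control flags over a pam.d-style stack.

Added example: parses a stack, then combines per-module return codes
(supplied by hand) the way libpam's dispatcher does.  Not Linux-PAM's
own code; semantics follow pam.conf(5).
"""
import re

# Constructed copy of the posted /etc/pam.d/system-auth (wrapped line joined).
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_ldap.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_ldap.so use_authtok
password    required      /lib/security/pam_deny.so
"""

# The keyword controls are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Assumed fixed results for modules whose outcome does not depend on the user.
FIXED_RESULTS = {"pam_env.so": "success", "pam_deny.so": "perm_denied"}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text, facility):
    """Return [(module basename, {return code: action})] for one facility."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != facility:
            continue
        control = m.group(2)
        if control.startswith("["):
            actions = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((m.group(3).rsplit("/", 1)[-1], actions))
    return entries


def evaluate(entries, results):
    """Combine module return codes as libpam's dispatcher does.

    results maps module basename -> return code string (assumed values).
    Returns (final code, list of modules that were actually consulted).
    """
    impression = None        # None = undecided, True = passing, False = failing
    status = "success"
    consulted = []
    for module, actions in entries:
        retval = results.get(module, FIXED_RESULTS.get(module))
        if retval is None:
            raise ValueError("no result supplied for %s" % module)
        consulted.append(module)
        action = actions.get(retval, actions["default"])
        if action == "ignore":
            continue                       # result does not count at all
        if action in ("ok", "done"):
            # a passing result only counts while no earlier module has failed
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if action == "done" and impression:
                break                      # "sufficient" short-circuits on success
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # the first failure wins
            if action == "die":
                break                      # "requisite" aborts the stack
        else:
            raise ValueError("unsupported action %r" % action)
    if impression is None:
        status = "perm_denied"             # nothing contributed: libpam fails closed
    return status, consulted


if __name__ == "__main__":
    auth = parse_stack(SYSTEM_AUTH, "auth")
    acct = parse_stack(SYSTEM_AUTH, "account")
    print("auth, unix=user_unknown ldap=success  ->",
          evaluate(auth, {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}))
    print("auth, unix=user_unknown ldap=auth_err ->",
          evaluate(auth, {"pam_unix.so": "user_unknown", "pam_ldap.so": "auth_err"}))
    print("account, unix=user_unknown ldap=success ->",
          evaluate(acct, {"pam_unix.so": "user_unknown", "pam_ldap.so": "success"}))
```

Run it as a script to print the three scenarios, or import parse_stack and evaluate and feed your own stack text and assumed module results. The evaluator deliberately knows nothing about NSS or the modules themselves; it only answers how a given set of module return codes combines under the control flags, which is the part of a pam.d file that is easy to misread.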



More information about the Linux mailing list