LDAP/PAM (?) problem
Pavel Lisy
pali at tmapy.cz
Monday April 14 08:44:24 CEST 2003
On Sat, 2003-04-12 at 19:28, Pavel Kankovsky wrote:
> On 8 Apr 2003, Pavel Lisy wrote:
>
> > smbldap-tools define users and computer accounts in different branches
> > of the LDAP tree, so it is not the standard (migration-tools style)
> > ou=People,dc=firma,dc=cz
> > but rather
> > ou=Users,dc=firma,dc=cz
> > ou=Computers,dc=firma,dc=cz
>
> That is not an invention of smbldap-tools but of Microsoft, because that
> is how Active Directory does it.
>
> > If I create a user with "smbldap-useradd.pl"
> > I can log in to the system and log in over ssh, but I cannot
> > switch to that user with "su"
>
> Log in as which user? As the newly added one (tmapy)?
What is strange above all is that I can log in as that user via login,
i.e. on the text console,
via gdm as well,
via "ssh -l tmapy localhost" as well,
but it does not work with "su - tmapy"
if the user tmapy is not also in /etc/passwd in addition to LDAP.
When the user is listed in /etc/passwd (even without any password in /etc/shadow),
logging in works.
> > I dug into where the problem is and found that Linux somehow cannot
> > identify the user unless, in addition to LDAP, the user is also in
> > /etc/passwd: (at the end of the second line, user=tmapy is missing)
> >
> > after the command
> > $ su - tmapy
> > Password:
> > su: incorrect password
> > $
> >
> > and in the log there is:
> > Apr 8 12:04:17 marek su(pam_unix)[3008]: check pass; user unknown
> > Apr 8 12:04:17 marek su(pam_unix)[3008]: authentication failure;
> > logname=root uid=1000 euid=0 tty= ruser=tmapy rhost=
>
> Do you have something like nss_ldap, so that the users in LDAP are
> visible to getpwnam() et al.? If not, pam_unix obviously cannot make it work.
I hope I have it. Unfortunately I am not yet well oriented in this area,
but I am attaching the settings that I think have something to do with
it:
Contents of the files in /etc/pam.d/
[root@localhost]# cat system-auth
----
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 \
type=
password sufficient /lib/security/$ISA/pam_unix.so nullok \
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
----
[root@localhost]# cat su
----
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
# group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel"
# group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so \
service=system-auth
account required /lib/security/$ISA/pam_stack.so \
service=system-auth
password required /lib/security/$ISA/pam_stack.so \
service=system-auth
session required /lib/security/$ISA/pam_stack.so \
service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
----
listing without comments:
===============================
[root@localhost]# grep -v '^#\|^[ ]*$' /etc/ldap.conf
host 127.0.0.1
base dc=tmapy,dc=cz
nss_base_passwd dc=tmapy,dc=cz?sub
nss_base_shadow dc=tmapy,dc=cz?sub
nss_base_group ou=Groups,dc=tmapy,dc=cz?one
ssl no
pam_password md5
===============================
[root@localhost]# grep -v '^#\|^[ ]*$' /etc/openldap/ldap.conf
HOST 127.0.0.1
BASE dc=tmapy,dc=cz
> Do you have something like nss_ldap, so that the users in LDAP are
> visible to getpwnam() et al.? If not, pam_unix obviously cannot make it work.
How can I find out what that function returns without programming in C? I
would very much like to find out somehow, but I do not know how to break the
problem down into its prime factors and find the cause.
Pavel
--
Pavel Lisy <pali at tmapy.cz>
T-MAPY spol. s r.o.
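The question at the end of the message (how to see what getpwnam() returns without writing C) can be answered from the shell with glibc's getent(1). The script below is an added example, not code from the thread or from nss_ldap; it assumes the user name "tmapy" and the usual /etc/nsswitch.conf path, and the sample nsswitch.conf it writes is constructed for the dry run.

```shell
#!/bin/sh
# Added diagnostic example (not from the original post). It checks the two things
# that make pam_unix log "check pass; user unknown": whether nsswitch.conf routes the
# passwd/shadow/group maps through ldap at all, and whether NSS resolves the user.

# 1. Does nsswitch.conf list the given source (e.g. ldap) for each map?
#    Prints "<map> ok" or "<map> MISSING" per map; returns non-zero if any is missing.
nss_check_sources() {
    conf="$1"; src="$2"; shift 2
    rc=0
    for map in "$@"; do
        if grep -E "^[[:space:]]*${map}:" "$conf" | grep -qw "$src"; then
            echo "$map ok"
        else
            echo "$map MISSING"; rc=1
        fi
    done
    return $rc
}

# 2. Validate one passwd(5) line the way getpwnam() callers need it:
#    seven colon-separated fields with a numeric uid and gid.
passwd_entry_valid() {
    echo "$1" | awk -F: 'NF == 7 && $3 ~ /^[0-9]+$/ && $4 ~ /^[0-9]+$/ { ok = 1 } END { exit !ok }'
}

# 3. Ask NSS the same question getpwnam() asks, via getent(1).
#    A non-zero exit here is exactly the "user unknown" that su(pam_unix) logged.
nss_lookup_user() {
    entry=$(getent passwd "$1") || return 1
    passwd_entry_valid "$entry" || return 2
    echo "$entry"
}

# Constructed sample nsswitch.conf (not the poster's real file) for a dry run:
# shadow is deliberately left on "files" only, which is a common cause of the symptom.
write_sample_nsswitch() {
    printf 'passwd:  files ldap\nshadow:  files\ngroup:   files ldap\n' > "$1"
}

main() {
    tmp=$(mktemp); write_sample_nsswitch "$tmp"
    nss_check_sources "$tmp" ldap passwd shadow group \
        || echo "fix nsswitch.conf before looking at the PAM stacks"
    rm -f "$tmp"
    nss_lookup_user tmapy || echo "tmapy: not resolvable via NSS (rc=$?)"
}
main
```

Run the same checks against the real /etc/nsswitch.conf on the host; if getent cannot see the user, no PAM configuration will let su work.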
More information about the Linux mailing list