LDAP/PAM (?) problem

Pavel Lisy pali at tmapy.cz
Monday April 14 08:44:24 CEST 2003


On Sat, 2003-04-12 at 19:28, Pavel Kankovsky wrote:
> On 8 Apr 2003, Pavel Lisy wrote:
> 
> > smbldap-tools define users and computer accounts in different LDAP
> > branches, so instead of the usual (according to the migration tools)
> > ou=People,dc=firma,dc=cz
> > they end up in
> > ou=Users,dc=firma,dc=cz
> > ou=Computers,dc=firma,dc=cz
> 
> That is not an invention of smbldap-tools but of Microsoft, because that
> is how Active Directory does it.
> 
> > If I create a user with "smbldap-useradd.pl" I can log in to the
> > system and log in over ssh, but I cannot switch to that user with
> > "su".
> 
> Log in as which user? As the newly added one (tmapy)?
The odd thing is mainly that I can log in via login,
i.e. on the text console,
via gdm too,
via "ssh -l tmapy localhost" too,
but it does not work with "su - tmapy"

as long as the user tmapy is only in LDAP and not in /etc/passwd as well.

When he is present in /etc/passwd (and does not even need to have a password
in /etc/shadow), logging in works.

> > I dug into where the problem is and found that Linux somehow cannot
> > identify the user unless, in addition to LDAP, he is also in
> > /etc/passwd: (user=tmapy is missing at the end of the second line)
> > 
> > after the command
> > $ su - tmapy
> > Password: 
> > su: incorrect password
> > $ 
> > 
> > and the log says:
> > Apr  8 12:04:17 marek su(pam_unix)[3008]: check pass; user unknown
> > Apr  8 12:04:17 marek su(pam_unix)[3008]: authentication failure; 
> >      logname=root uid=1000 euid=0 tty= ruser=tmapy rhost= 
> 
> Do you have something like nss_ldap, so that the users in LDAP are visible
> to getpwnam() et al.? If not, pam_unix obviously won't get it working.

I hope I do. Unfortunately I am not yet well oriented in this area, but I
am attaching the settings that I think have something to do with it:


Contents of files in /etc/pam.d/

[root na localhost]# cat system-auth
----
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 \
type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok \
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
----


[root na localhost]# cat su
----
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
# group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" 
# group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so \
service=system-auth
account    required     /lib/security/$ISA/pam_stack.so \
service=system-auth
password   required     /lib/security/$ISA/pam_stack.so \
service=system-auth
session    required     /lib/security/$ISA/pam_stack.so \
service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
----


listing without comments:

===============================
[root na localhost]# grep -v '^#\|^[ ]*$' /etc/ldap.conf 
host 127.0.0.1
base dc=tmapy,dc=cz
nss_base_passwd dc=tmapy,dc=cz?sub
nss_base_shadow dc=tmapy,dc=cz?sub
nss_base_group  ou=Groups,dc=tmapy,dc=cz?one
ssl no
pam_password md5


===============================
[root na localhost]# grep -v '^#\|^[ ]*$' /etc/openldap/ldap.conf 
HOST 127.0.0.1
BASE dc=tmapy,dc=cz



> Do you have something like nss_ldap, so that the users in LDAP are visible
> to getpwnam() et al.? If not, pam_unix obviously won't get it working.

How can I find out what that function returns without programming in C? I
would very much like to find out somehow, but I don't know how to break the
problem down into its prime factors and find the root cause.


Pavel





-- 
Pavel Lisy <pali at tmapy.cz>
T-MAPY spol. s r.o.
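As an added example (not part of the thread above), the following POSIX shell script answers the question of how to see what getpwnam() returns without writing C: getent(1) resolves a name through the same NSS lookup, and the `passwd:`/`shadow:` lines of /etc/nsswitch.conf decide whether nss_ldap is consulted at all. The nsswitch.conf content and the user name `tmapy` used in the usage comment are taken from the thread or constructed here; the script is not the poster's own.

```sh
#!/bin/sh
# Added example, not from the original thread. getent(1) resolves a user
# through NSS exactly as getpwnam() does, so it shows what pam_unix sees
# before it reports "check pass; user unknown".

# Return 0 if NSS can resolve the user (what pam_unix needs for "check pass").
nss_user_visible() {
    getent passwd "$1" >/dev/null 2>&1
}

# Read nsswitch.conf text on stdin and print the sources listed for one
# database, e.g. "files ldap" for "passwd".
nss_sources() {
    awk -v db="$1:" '$1 == db { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# Return 0 if "ldap" is among the sources of the given database.
nss_has_ldap() {
    nss_sources "$1" | tr ' \t' '\n\n' | grep -qx ldap
}

# Diagnose why a user may be unknown to pam_unix: prints one line and
# returns 0 (resolves), 1 (nsswitch never asks ldap) or 2 (ldap asked, no hit).
diagnose() {
    user=$1 conf=$2
    if nss_user_visible "$user"; then
        echo "ok: $user resolves through NSS (getpwnam would succeed)"
        return 0
    fi
    for db in passwd shadow; do
        if ! nss_has_ldap "$db" <"$conf"; then
            echo "fail: $user unknown and '$db:' in $conf does not list ldap"
            return 1
        fi
    done
    echo "fail: $user unknown although nsswitch consults ldap (check nss_ldap, /etc/ldap.conf, nss_base_*)"
    return 2
}

# Constructed sample nsswitch.conf: passwd/shadow fall back to ldap, group does not.
SAMPLE_NSSWITCH='passwd:     files ldap
shadow:     files ldap
group:      files
hosts:      files dns'

# Usage on the machine from the thread: diagnose tmapy /etc/nsswitch.conf
```

If `getent passwd tmapy` prints nothing while the `passwd:` line does list ldap, the fault lies in nss_ldap or /etc/ldap.conf (the nss_base_* search bases must cover ou=Users), not in the PAM stack.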