Authentication against LDAP

Pavel Lisy pali at tmapy.cz
Monday March 10 11:05:33 CET 2003


Hello,

while setting up user authentication against an LDAP server I ran into
a problem.

The whole setup is part of my effort to get a SAMBA-LDAP server running
for a network with Windows. I am following the guide/howto written by
the company idealx. It is now part of the samba distribution (2.2.7),
or rather of the newest rpm packages.

The problem does not have much to do with samba, though. I created an
account and set a password for it. It does work when logging in over
ssh; for example, I enter:

ssh user@localhost
password

and I am logged in

when I try
su - user
password

I get the response
incorrect password

It is not a typo, I tried it many times.

Where should I look for the problem? Is it possible to somehow trace
what happens during this and where the problem actually occurs?

It occurred to me that this is related to PAM, so I looked into
/etc/pam.d/

[root@localhost]# cat system-auth
----
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so \
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 \
type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok \
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
----


[root@localhost]# cat su
----
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
# group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" 
# group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required	/lib/security/$ISA/pam_stack.so \
service=system-auth
account    required	/lib/security/$ISA/pam_stack.so \
service=system-auth
password   required	/lib/security/$ISA/pam_stack.so \
service=system-auth
session    required	/lib/security/$ISA/pam_stack.so \
service=system-auth
session    optional	/lib/security/$ISA/pam_xauth.so
----

Which, to me as a layman, looks like it is in order.

What should I do about it?

Pavel


-- 
Pavel Lisy <pali at tmapy.cz>
T-MAPY spol. s r.o.


