Authentication against LDAP
Pavel Lisy
pali at tmapy.cz
Monday March 10 11:05:33 CET 2003
Hello,
while setting up user authentication against an LDAP server I ran into a
problem.
The whole setup is part of my effort to get a SAMBA-LDAP server running for a
network with Windows. I am following the guide/howto prepared by the company IDEALX.
It is now part of the Samba distribution (2.2.7), or rather of the newest rpm
packages.
The problem does not have that much to do with Samba, though. I created an account and set a
password for it. That, however, works when logging in over ssh,
e.g. I enter:
ssh user@localhost
password
I am logged in
when I try
su - user
password
I get the reply
incorrect password
It is not a typo; I tried it many times.
Where should I look for the problem? Is it possible to somehow trace what happens during this and
where the problem actually occurs?
It occurred to me that it is related to PAM, so I looked into /etc/pam.d/
[root@localhost]# cat system-auth
----
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so \
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 \
type=
password sufficient /lib/security/$ISA/pam_unix.so nullok \
use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
----
[root@localhost]# cat su
----
#%PAM-1.0
auth sufficient /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel"
# group.
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel"
# group.
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so \
service=system-auth
account required /lib/security/$ISA/pam_stack.so \
service=system-auth
password required /lib/security/$ISA/pam_stack.so \
service=system-auth
session required /lib/security/$ISA/pam_stack.so \
service=system-auth
session optional /lib/security/$ISA/pam_xauth.so
----
Which, to me as a layman, looks fine.
What should I do about it?
Pavel
--
Pavel Lisy <pali at tmapy.cz>
T-MAPY spol. s r.o.