PAM changes? (was: Re: NSS changes in releng/10.2?)
Patrick M. Hausen
hausen at punkt.de
Mon Nov 23 16:09:50 UTC 2015
Hi, all,
sorry for not trying this earlier and now replying to myself, but I'm
slowly making progress isolating the problem.
> On 23.11.2015 at 15:42, Patrick M. Hausen <hausen at punkt.de> wrote:
>
> Hi, all,
>
> I just upgraded an older system from 8.4 to 10.2 in a single go.
> No unexpected problems, until I tried to use "su":
>
> $ su -
> su: Sorry
>
> Well, I *am* a member of the wheel group:
>
> $ id
> uid=10093(ry93) gid=10001(intern) groups=10001(intern),0(wheel),10002(entwickler)
>
> Hmmm ... we pull all this information from LDAP. My nsswitch.conf has always been:
>
> group: files cache ldap
> passwd: files cache ldap
And this part seems to be just as valid and working as before. I had the implicit
assumption that su(1) was using something like getgroups() to determine if I am
a member of "wheel" - which it doesn't. I even hacked up 5 lines of C to quickly
get my supplementary group list and lo and behold:
$ ./groups
10002
0
10001
So, it is not NSS' or LDAP's fault.
I just looked at the source for su(1) and it looks like it uses PAM to check if
I am authorized to su to root:
    retcode = pam_authenticate(pamh, 0);
    if (retcode != PAM_SUCCESS) {
        syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
            username, user, mytty);
        errx(1, "Sorry");
    }
My /etc/pam.d/system looks like this:
----------- system -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#
# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass
auth required pam_unix.so no_warn try_first_pass nullok
# account
#account required pam_krb5.so
account required pam_login_access.so
account required /usr/local/lib/pam_ldap.so ignore_authinfo_unavail ignore_unknown_user
account required pam_unix.so
# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
# password
#password sufficient pam_krb5.so no_warn try_first_pass
password required pam_unix.so no_warn try_first_pass
----------------------
And /etc/pam.d/su like this:
----------- su -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#
# auth
auth sufficient pam_rootok.so no_warn
auth sufficient pam_self.so no_warn
auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser
auth include system
# account
account include system
# session
session required pam_permit.so
----------------------
Any changes that I missed on the way from 8.4 to 10.2? Unfortunately
I do not have an older 10.x system that runs with an Active Directory connection.
Only 8.4 ones - this one was the first to finally get updated to a current FreeBSD
version.
As I stated, this PAM configuration works as intended on 8.4. I generated the
10.2 files above by running mergemaster.
Thanks,
Patrick
--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info at punkt.de http://www.punkt.de
Gf: Jürgen Egeling AG Mannheim 108285