trouble configuring pam using pam_ldap and pam_mount

Heiko Harders harders at fmf.nl
Mon Jul 30 13:43:14 UTC 2007


Wilhelm Meier wrote:
> Am Samstag, 28. Juli 2007 21:30 schrieb Heiko Harders:
>   
>> <snip>
>>     
> What about uids. Normally the local user uids occupy a different range, say 
> e.g. 0 - 1000, and the ldap uids are above that range. I don't know if 
> pam_mount can distinguish this, but pam_cifs can do that. 
>   
I tried working with uids and gids (but did it a little differently than 
what you described). This is the configuration I used; my local users have 
ids below 2000 and my ldap users have ids above 2000:

session    optional    pam_foreground.so                          # result never affects the stack outcome
session    [default=2 success=ignore]    pam_succeed_if.so quiet uid > 2000   # test passes: continue; anything else: skip the next 2 modules
session    required    pam_mount.so                               # should only be reached for uid > 2000
session    sufficient    pam_ldap.so                              # success here ends the stack (pam_unix not reached)
session    required    pam_unix.so

But this also doesn't work... I took this example literally from the 
online documentation 
(the example at the bottom of this page: 
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_succeed_if.html). 
But whichever uid I log on with (I tried su and I tried gdm), it always 
takes the default action, so it skips lines 3 and 4.
I checked the user ids of the users after logging on (with the command 
'id'). For my ldap user it was 2002, for my local user it was 1000. So 
that couldn't be the problem.

Dan Yefimov wrote:
> On Sun, 29 Jul 2007, Heiko Harders wrote:
>   
>> <snip>
>>     
> The matter is that pam_localuser.so operates only in the account stack (check
> the README file in the pam_localuser source directory). 
I checked this out online to make sure this wasn't the problem. In the 
online documentation 
(http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_localuser.html) 
I found: "All services (account, auth, password and session) are 
supported." So I ruled this out and was convinced this wasn't a problem. 
But perhaps that online documentation isn't correct.
> That means mounting should
> be performed in the account stack too. If pam_mount.so cannot operate in the account 
> stack (consult the pam_mount documentation), pam_localuser.so cannot help you. 
>   
I think (but am not sure) pam_mount cannot operate in the account stack. 
The documentation is very limited and doesn't say anything about that.
> You could, however, patch the pam_localuser source so that it can also operate in 
> the session stack, in order to be helpful for you.
>   
That's something I will consider after I've made sure the online 
documentation I found is indeed incorrect (and that you are right that 
pam_localuser isn't able to operate in the session stack).

I thought it might help if I used this module:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_loginuid.html
However, I'm not sure what exactly it is for; I thought it might be 
necessary for correctly identifying the uid of the user who logs on? 
Anyway, this module isn't installed on my system; a quick search on the 
internet showed that 'Linux SE' (security enhanced linux) is needed 
for this. But there is not much I can find about this issue.

Another problem that occurred is that my 'gksu' is broken by 'auth 
required pam_mount.so' (that seems to be a common problem, and I haven't 
found a solution for it yet; any comments on that are also welcome). So 
after three days of trial and nothing but error ;-) and considering the 
problem with gksu, I'm thinking about dropping pam_mount and trying some 
other approach. But I don't want to give up too soon, so any thoughts on 
these problems are still very welcome.

Greetings,
Heiko
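The control-flow semantics that the `[default=2 success=ignore]` idiom in the posted configuration relies on, traced as an added example (this is not code from the post, from the list, or from Linux-PAM itself). It parses the posted session stack, expresses the legacy keywords in the bracketed `[value=action]` form the Linux-PAM Administrator's Guide documents, and walks the stack for a constructed passwd table (a local uid 1000 and an LDAP uid 2002, as in the post). Only pam_succeed_if's `uid <op> N` test is evaluated; every other module is a stub that returns success, so the trace shows which modules the stack *should* invoke for each uid, not why the poster's system behaved differently. Substacks, `new_authtok_reqd`/`ignore` return codes, `reset`, and libpam's cached-chain handling are deliberately left out.

```python
"""Simulated Linux-PAM session-stack walk for a [default=N success=ignore] jump.

Added example, not from the post or from Linux-PAM. Models the control actions
the Administrator's Guide documents (ok, done, bad, die, ignore, numeric jump)
plus the legacy keywords; fakes every module except pam_succeed_if.
"""
import re
import shlex

PAM_SUCCESS, PAM_FAIL = "PAM_SUCCESS", "PAM_SESSION_ERR"

# Legacy keywords in the bracketed [value=action] form (new_authtok_reqd omitted).
LEGACY = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Constructed stand-in for /etc/passwd + LDAP: local uids below 2000, LDAP above.
PASSWD = {"heiko": 1000, "ldapuser": 2002}

OPS = {">": int.__gt__, "<": int.__lt__, "=": int.__eq__, "!=": int.__ne__,
       ">=": int.__ge__, "<=": int.__le__}

# The session stack from the post, verbatim.
SESSION_STACK = """\
session    optional    pam_foreground.so
session    [default=2 success=ignore]    pam_succeed_if.so quiet uid > 2000
session    required    pam_mount.so
session    sufficient    pam_ldap.so
session    required    pam_unix.so
"""


def parse_stack(text):
    """Parse 'type control module args...' lines into (controls, module, args)."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # pam.d treats '#' to EOL as comment
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if not m:
            raise ValueError(f"unparseable PAM line: {line!r}")
        _type, control, module, rest = m.groups()
        if control.startswith("["):
            ctl = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            ctl = LEGACY[control]
        stack.append((ctl, module, shlex.split(rest)))
    return stack


def pam_succeed_if(user, args):
    """Evaluate a 'uid <op> N' test; 'quiet'/'debug' flags are dropped."""
    args = [a for a in args if a not in ("quiet", "debug")]
    field, op, value = args                        # e.g. ["uid", ">", "2000"]
    if field != "uid":
        raise NotImplementedError(f"field {field!r} not modelled here")
    return PAM_SUCCESS if OPS[op](PASSWD[user], int(value)) else PAM_FAIL


def run_stack(stack, user):
    """Walk the stack; return (final result, list of modules actually invoked)."""
    invoked, status, impression = [], None, None   # impression: None / "pos" / "neg"
    i = 0
    while i < len(stack):
        ctl, module, args = stack[i]
        i += 1
        invoked.append(module)
        # Only pam_succeed_if is real here; every other module is a success stub.
        rv = pam_succeed_if(user, args) if module == "pam_succeed_if.so" else PAM_SUCCESS
        key = rv[len("PAM_"):].lower()             # "PAM_SESSION_ERR" -> "session_err"
        action = ctl.get(key, ctl.get("default", "bad"))
        if action.isdigit():                       # N: skip the next N modules
            i += int(action)
        elif action == "ignore":
            pass                                   # result does not touch the outcome
        elif action in ("ok", "done"):
            if impression != "neg":                # an earlier failure still stands
                impression, status = "pos", rv
            if action == "done" and impression == "pos":
                break                              # 'sufficient' short-circuits the stack
        elif action in ("bad", "die"):
            if impression != "neg":                # first failure is the one reported
                impression, status = "neg", rv
            if action == "die":
                break                              # 'requisite' aborts immediately
        else:
            raise ValueError(f"unsupported action {action!r}")
    # A stack whose every module was ignored yields a failure, as in libpam.
    return (status or PAM_FAIL), invoked


def trace(user):
    return run_stack(parse_stack(SESSION_STACK), user)


if __name__ == "__main__":
    for u in PASSWD:
        result, modules = trace(u)
        print(f"{u} (uid {PASSWD[u]}): {result}; invoked {' -> '.join(modules)}")
```

For uid 1000 the test fails, the `default=2` jump lands on pam_unix and neither pam_mount nor pam_ldap is invoked; for uid 2002 the test succeeds, the `ignore` action falls through, pam_mount runs, and pam_ldap's `sufficient` terminates the stack before pam_unix. That is the documented behaviour the posted stack is trying to get; if a real system reports the default branch for every uid, the place to look is what pam_succeed_if actually returns there, not the jump arithmetic.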