trouble configuring pam using pam_ldap and pam_mount

Wilhelm Meier wilhelm.meier at fh-kl.de
Mon Jul 30 14:27:28 UTC 2007


On Monday, 30 July 2007 15:43, Heiko Harders wrote:
> Wilhelm Meier wrote:
> > On Saturday, 28 July 2007 21:30, Heiko Harders wrote:
> >> <snip>
> >
> > What about uids. Normally the local user uids occupy a different range,
> > say e.g. 0 - 1000, and the ldap uids are above that range. I don't know if
> > pam_mount can distinguish this, but pam_cifs can do that.
>
> I tried working with uids and gids (but did it a little differently than
> what you told me). This is the configuration I used; my local users have
> ids below 2000 and my ldap users have ids above 2000:
>
> session    optional    pam_foreground.so
> session    [default=2 success=ignore]    pam_succeed_if.so quiet uid > 2000
> session    required    pam_mount.so
> session    sufficient    pam_ldap.so
> session    required    pam_unix.so
>
> But this also doesn't work... I got this example literally from the
> online documentation
> (example at the bottom of this page:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_succeed_if.html).
> But with whatever uid I log on (tried su and tried gdm) it always does
> the default thing, so it skips lines 3 and 4.
> I checked the user id's of the users after logging on (with command
> 'id'). For my ldap user it was 2002, for my local user it was 1000. So
> that couldn't be the problem.

please show us the logs (add the debug option to every module)

>
> Dan Yefimov wrote:
> > On Sun, 29 Jul 2007, Heiko Harders wrote:
> >> <snip>
> >
> > The matter is that pam_localuser.so operates only in account stack (check
> > README file in the pam_localuser source directory).
>
> I checked this out online to make sure this wasn't the problem. In the
> online documentation
> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_localuser.html)
> I found: "All services (account, auth, password and session) are
> supported." So I ruled this out and was convinced this wasn't a problem.
> But perhaps that online documentation isn't correct.
>
> > That means mounting should
> > be performed in account stack too. If pam_mount.so cannot operate in
> > account stack (consult with pam_mount documentation), pam_localuser.so
> > cannot help you.
>
> I think (but am not sure) pam_mount can not operate in account stack.
> The documentation is very limited and doesn't say anything about that.
>
> > You could however patch pam_localuser source so that it can operate also
> > in session stack in order to be helpful for you.
>
> That's something I will consider after I've made sure the online
> documentation I found is indeed incorrect (and you are right about
> pam_localuser not being able to operate in the session stack).
>
> I thought it might help if I used this module:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_loginuid.html
> However, I'm not sure what exactly it is for; I thought it might be
> necessary for correctly identifying the uid of the user who logs on?
> Anyway, this module isn't installed on my system; a quick search on the
> internet provided that 'Linux SE' (security enhanced linux) is needed for
> this. But there is not much I can find about this issue.
>
> Another problem that occurred is that my 'gksu' is broken by 'auth
> required pam_mount.so' (that seems to be a common problem and I didn't
> find a solution for it yet; any comments on that are also welcome). So
> after three days of trial and nothing but error ;-) and considering the
> problem with gksu, I'm thinking about dropping pam_mount and trying some
> other approach. But I don't want to give up too soon, so any thoughts on
> these problems are still very welcome.
>
> Greetings,
> Heiko
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list

-- 
Wilhelm
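As an added example (not from the thread and not Linux-PAM's own code): a small Python evaluator of the pam.d `[value=action]` control syntax, run over the session stack quoted above, so the expected path for a local uid and an ldap uid can be worked out before comparing it with the debug logs. It assumes the mapping of required/requisite/sufficient/optional onto bracket form given in pam.conf(5), treats a numeric jump as "skip the next N modules without contributing to the stack result" (how the Linux-PAM dispatcher behaves; older pam.conf manual text describes the jump as "equivalent to ok"), treats a stack in which no module contributed as PAM_PERM_DENIED, and the per-module return codes for the two sample users are constructed for the example, not measured on a real system.

```python
"""Trace which modules of a pam.d stack run, and what the stack returns,
for a given set of module results. Constructed example; loads no real PAM
modules. Return codes are plain strings named after the PAM_* constants."""
import re

SUCCESS = "success"

# Traditional keywords expressed in [value=action] form, as in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# type, control ([...] may contain spaces), module, optional arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

# The session stack quoted in the thread.
STACK = """
session    optional    pam_foreground.so
session    [default=2 success=ignore]    pam_succeed_if.so quiet uid > 2000
session    required    pam_mount.so
session    sufficient    pam_ldap.so
session    required    pam_unix.so
"""


def parse_stack(text, stack_type):
    """Return [(control_dict, module, args)] for lines of one stack type."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.d line: {raw!r}")
        typ, control, module, args = m.groups()
        if typ != stack_type:
            continue
        if control.startswith("["):
            ctl = dict(tok.split("=", 1) for tok in control[1:-1].split())
        else:
            ctl = KEYWORDS[control]
        entries.append((ctl, module, args))
    return entries


def run_stack(entries, results):
    """Walk the stack. `results` maps module name -> return code it yields
    for this user (missing modules succeed). Returns (status, modules_run)."""
    impression = None          # None: nothing has contributed yet
    status = "perm_denied"     # PAM_MUST_FAIL_CODE until something contributes (assumption)
    ran, skip = [], 0
    for ctl, module, _args in entries:
        if skip:               # inside a jump: module is not even called
            skip -= 1
            continue
        retval = results.get(module, SUCCESS)
        ran.append(module)
        action = ctl.get(retval, ctl.get("default", "bad"))  # unlisted values default to bad
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == SUCCESS):
                if retval != "ignore" or impression is None:
                    impression, status = "positive", retval
            if action == "done" and impression == "positive":
                break          # sufficient succeeded and no earlier failure: stop here
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval   # first failure wins
            if action == "die":
                break
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action == "ignore":
            pass
        elif action.isdigit():
            skip = int(action)  # jump: skip N modules, contributes nothing (assumption, see lead-in)
        else:
            raise ValueError(f"unknown action {action!r}")
    return status, ran


def module_results(uid, ldap_user):
    """Constructed outcomes: pam_succeed_if evaluates 'uid > 2000' (PAM_AUTH_ERR
    when false), pam_ldap succeeds only for directory users, the rest succeed."""
    return {
        "pam_succeed_if.so": SUCCESS if uid > 2000 else "auth_err",
        "pam_ldap.so": SUCCESS if ldap_user else "user_unknown",
    }


def trace(uid, ldap_user):
    return run_stack(parse_stack(STACK, "session"), module_results(uid, ldap_user))


if __name__ == "__main__":
    for uid, ldap_user in ((1000, False), (2002, True)):
        status, ran = trace(uid, ldap_user)
        print(f"uid {uid}: {status}; ran {' -> '.join(ran)}")
```

For uid 1000 the condition fails, `default=2` skips pam_mount and pam_ldap, and pam_unix alone decides the stack; for uid 2002 the `success=ignore` branch falls through to pam_mount, and the sufficient pam_ldap then ends the stack before pam_unix. If the live logs show the jump being taken for uid 2002 as well, the thing to look at is what pam_succeed_if actually returned, which its `debug` option logs.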