[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: pam/winbind user not found problem



On Thu, Jul 16, 2009 at 11:58, Les Mikesell<les futuresource com> wrote:
> This isn't strictly a PAM issue, but rather with the default RHEL5.x
> configuration (and Centos, and probably fedora).  Does anyone know what they
> were thinking?

Ostensibly, they were trying to authenticate system users without
passing said users' credentials on to winbind.  Whether intentional or
not, it seems they assumed users would have a UID that could be
resolved by pam_unix.  That's often the case, but with proper
enterprise-level user management (no local accounts) the assumption
breaks.

> Should most pam auth modules know anything about uid's?

By all means - auth is probably the most important place for UIDs/GIDs
to be known.

> I thought that was account info.  If the idea is to keep the 'system' accounts
> (below 500 by convention)in the passwd file, is there a better way to do it?

Probably should have used something to this effect instead of 'requisite':

[success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore]

Which is, of course, according to pam.conf(5) the same as 'requisite'
with the added control of ignoring unknown users.  Allows the stack to
shortcut if it's a system user with bad credentials but still passes
completely unresolved credentials on.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]