<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:x="urn:schemas-microsoft-com:office:excel" xmlns:p="urn:schemas-microsoft-com:office:powerpoint" xmlns:a="urn:schemas-microsoft-com:office:access" xmlns:dt="uuid:C2F41010-65B3-11d1-A29F-00AA00C14882" xmlns:s="uuid:BDC6E3F0-6DA3-11d1-A2A3-00AA00C14882" xmlns:rs="urn:schemas-microsoft-com:rowset" xmlns:z="#RowsetSchema" xmlns:b="urn:schemas-microsoft-com:office:publisher" xmlns:ss="urn:schemas-microsoft-com:office:spreadsheet" xmlns:c="urn:schemas-microsoft-com:office:component:spreadsheet" xmlns:odc="urn:schemas-microsoft-com:office:odc" xmlns:oa="urn:schemas-microsoft-com:office:activation" xmlns:html="http://www.w3.org/TR/REC-html40" xmlns:q="http://schemas.xmlsoap.org/soap/envelope/" xmlns:D="DAV:" xmlns:x2="http://schemas.microsoft.com/office/excel/2003/xml" xmlns:ois="http://schemas.microsoft.com/sharepoint/soap/ois/" xmlns:dir="http://schemas.microsoft.com/sharepoint/soap/directory/" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" xmlns:dsp="http://schemas.microsoft.com/sharepoint/dsp" xmlns:udc="http://schemas.microsoft.com/data/udc" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:sub="http://schemas.microsoft.com/sharepoint/soap/2002/1/alerts/" xmlns:ec="http://www.w3.org/2001/04/xmlenc#" xmlns:sp="http://schemas.microsoft.com/sharepoint/" xmlns:sps="http://schemas.microsoft.com/sharepoint/soap/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:udcs="http://schemas.microsoft.com/data/udc/soap" xmlns:udcxf="http://schemas.microsoft.com/data/udc/xmlfile" xmlns:udcp2p="http://schemas.microsoft.com/data/udc/parttopart" xmlns:wf="http://schemas.microsoft.com/sharepoint/soap/workflow/" xmlns:dsss="http://schemas.microsoft.com/office/2006/digsig-setup" xmlns:dssi="http://schemas.microsoft.com/office/2006/digsig" xmlns:mdssi="http://schemas.openxmlformats.org/package/2006/digital-signature" xmlns:mver="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns:mrels="http://schemas.openxmlformats.org/package/2006/relationships" xmlns:spwp="http://microsoft.com/sharepoint/webpartpages" xmlns:ex12t="http://schemas.microsoft.com/exchange/services/2006/types" xmlns:ex12m="http://schemas.microsoft.com/exchange/services/2006/messages" xmlns:pptsl="http://schemas.microsoft.com/sharepoint/soap/SlideLibrary/" xmlns:spsl="http://microsoft.com/webservices/SharePointPortalServer/PublishedLinksService" xmlns:Z="urn:schemas-microsoft-com:" xmlns:st="" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv=Content-Type content="text/html; charset=us-ascii"> <meta name=Generator content="Microsoft Word 12 (filtered medium)"> <style>  </style>  </head> <body lang=EN-US link=blue vlink=purple> <div class=Section1> Getent shows the correct group entries, so I think PAM is still the problem.<o:p></o:p> <o:p> </o:p> I was able to reproduce the whole problem on local SLES9sp2 and SLES10sp1 systems<o:p></o:p> <o:p> </o:p> I created 4000 users named user1000-user4999 (uid1000-4999)<o:p></o:p> Users have a primary group of some other group, and the secondary group of "allowed"<o:p></o:p> <o:p> </o:p> Set up PAM as the following (obviously extremely basic):<o:p></o:p> <o:p> </o:p> /etc/security/access.conf <o:p></o:p> # allow root from anywhere<o:p></o:p> +:root:ALL<o:p></o:p> # the only non-root users allowed are in the group "allowed"<o:p></o:p> +:allowed:ALL<o:p></o:p> # disallow all other logins<o:p></o:p> -:ALL:ALL<o:p></o:p> <o:p> </o:p> /etc/pam.d/sshd<o:p></o:p> account required pam_access.so<o:p></o:p> <o:p> </o:p> On the SLES9sp2 system, I was able to put all 4000 users into the "allowed" group, and<o:p></o:p> all 4000 users were able log in with no problem.<o:p></o:p> <o:p> </o:p> I repeated the experiment on the SLES10sp1 system, and ran into a problem at user1962.<o:p></o:p> Not only does user1962 have problems, but ALL the users in the group fail. <o:p></o:p> <o:p> </o:p> add users user1000-user1961 to "allowed" in /etc/group, see user1961 can log in (from the /var/log/messages file)<o:p></o:p> <o:p> </o:p> Feb 4 17:35:54 src@blox sshd 26 [auth.info] sshd[21697]: Accepted keyboard-interactive/pam for user1961 from 172.30.31.44 port 23054 ssh2<o:p></o:p> <o:p> </o:p> add user1962 to group "allowed" & try to ssh user1962, then try to ssh user1961 (which just got in a minute before)<o:p></o:p> Feb 4 17:36:11 src@blox sshd 53 [authpriv.err] sshd[21791]: pam_access(sshd:account): access denied for user `user1962\' from `iss-eth100.us.cray.com\'<o:p></o:p> Feb 4 17:36:11 src@blox sshd 23 [auth.err] sshd[21789]: error: PAM: Permission denied for user1962 from iss-eth100.us.cray.com<o:p></o:p> Feb 4 17:36:27 src@blox sshd 53 [authpriv.err] sshd[21816]: pam_access(sshd:account): access denied for user `user1961\' from `iss-eth100.us.cray.com\'<o:p></o:p> Feb 4 17:36:27 src@blox sshd 23 [auth.err] sshd[21814]: error: PAM: Permission denied for user1961 from iss-eth100.us.cray.com<o:p></o:p> <o:p> </o:p> "grep allowed /etc/group" shows the whole line, including user1000-user1962<o:p></o:p> wendy@blox:~> grep allowed /etc/group | wc -c<o:p></o:p> 8682<o:p></o:p> "getent group allowed" shows the whole group entry, including user1000-user1962<o:p></o:p> wendy@blox:~> getent group allowed | wc -c<o:p></o:p> 8682<o:p></o:p> <o:p> </o:p> I can't find anything else having problems in the system.<o:p></o:p> I wondered if this might be related to some kind of side-effect of ksh changing over from pdksh to ksh, but I can't figure out how.<o:p></o:p> It seems more like the build Novell did added some kind of limit that I can't find here.<o:p></o:p> <o:p> </o:p> <div style='border:none;border-left:solid blue 1.5pt;padding:0in 0in 0in 4.0pt'> <div> <div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'> From: pam-list-bounces@redhat.com [mailto:pam-list-bounces@redhat.com] On Behalf Of Jon Miller Sent: Wednesday, January 28, 2009 7:38 PM To: Pluggable Authentication Modules Subject: Re: pam list size limit?<o:p></o:p> </div> </div> <o:p> </o:p> The 'getent' command is independent of any other operations occurring on your machine, so it is quite harmless to test. For example, logging into your machine and running "getent group root" should simply show you the 'root' group entry. Now substitute 'root' for your group name and see how many members you see. You can have 'awk' count them for you. In the case of the 'root' group, I can issue the command "getent group root | awk -F, '{ print NF }'". See if the count is what you are expecting. If you are not getting the expected +2500 entries then you know it is not a PAM issue. -- Jon Miller<o:p></o:p> <div> 2009/1/28 Wendy Palm <<a href="mailto:wendy@cray.com">wendy@cray.com</a>><o:p></o:p> <div> <div> I can't test the getent command right now. we have a workaround in place that I'd have to disengage to test it out.<o:p></o:p> <o:p></o:p> I'm at SP1. Pam version in SP1 is 0.99.6.3-28.8 and didn't change in sp2 – are there any specific packages you might recommend updating to sp2? It's not feasible for me to wholesale change the whole system to sp2, so targeting packages for experimentation would be easier.<o:p></o:p> <o:p></o:p> <div style='border:none;border-left:solid windowtext 1.5pt;padding:0in 0in 0in 4.0pt; border-color:-moz-use-text-color -moz-use-text-color -moz-use-text-color blue'> <div> <div style='border:none;border-top:solid windowtext 1.0pt;padding:3.0pt 0in 0in 0in; border-color:-moz-use-text-color -moz-use-text-color'> From: <a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a> [mailto:<a href="mailto:pam-list-bounces@redhat.com" target="_blank">pam-list-bounces@redhat.com</a>] On Behalf Of Jon Miller Sent: Wednesday, January 28, 2009 6:06 PM To: Pluggable Authentication Modules Subject: Re: pam list size limit?<o:p></o:p> </div> </div> <div> <div> <o:p></o:p> Are you sure the issue is with pam_access? How many entries do you get when you run "getent group <grpname>" ? Finally, what level SP are you at on your SLES10 machine? If you're not at SP2, you could try updating to that. I've found SP2 to have solved a lot of issues. -- Jon Miller<o:p></o:p> <div> 2009/1/28 Wendy Palm <<a href="mailto:wendy@cray.com" target="_blank">wendy@cray.com</a>><o:p></o:p> <div> <div> We have a site that uses pam to regulate user logins, and has a unix group in excess of 2500 user entries which is specified in the access.conf file.<o:p></o:p> <o:p></o:p> They were running SLES9 (pam-0.77-221.4) and had no problems. However, updating to SLES10 (pam-0.99.6.3-28.8), they are now having problems with the group list truncating at about 1100 user entries.<o:p></o:p> <o:p></o:p> Was some default limit changed? I checked the archives, but didn't see anything blatent announcing this. I checked the ChangeLog in the source code and found an entry that is suspicious (2005-12-21 Tomas Mraz simplifying evaluate_ingroup), but again, nothing blatent.<o:p></o:p> <o:p></o:p> What is the limit? How can I change it (preferably without recompiling)? Is this at all possible?<o:p></o:p> <o:p></o:p> Thanks,<o:p></o:p> Wendy<o:p></o:p> <o:p></o:p> <o:p></o:p> <o:p></o:p> ---------------------------------<o:p></o:p> Wendy Palm<o:p></o:p> Security Software Engineer<o:p></o:p> wendy at cray dot com<o:p></o:p> <o:p></o:p> </div> </div> _______________________________________________ Pam-list mailing list <a href="mailto:Pam-list@redhat.com" target="_blank">Pam-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><o:p></o:p> </div> <o:p></o:p> </div> </div> </div> </div> </div> _______________________________________________ Pam-list mailing list <a href="mailto:Pam-list@redhat.com">Pam-list@redhat.com</a> <a href="https://www.redhat.com/mailman/listinfo/pam-list" target="_blank">https://www.redhat.com/mailman/listinfo/pam-list</a><o:p></o:p> </div> <o:p> </o:p> </div> </div> </body> </html>