Re: Shadow password & pam_unix_acct.so



Giuseppe Lo Biondo wrote:
> 
> Hi!
> 
> I have the following problem:
> 
> I'm trying to use the pam_ldap.so module with shadow capabilities.
> 
> In the file /etc/pam.d/login I have:
> 
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_unix_acct.so
> 
> this means that if pam_ldap.so doesn't return SUCCESS or PAM_AUTHTOKEN_REQD
> then the module pam_unix_acct.so will be used.
> 
> If an account is expired pam_ldap.so returns PAM_ACCT_EXPIRED, and the
> result from pam_unix_acct.so is evaluated.
> 
> pam_unix_acct.so uses getsp* to get shadow info: having nss_ldap.so
> this information is taken from LDAP + local files.
> 
> Anyway this doesn't work, I had to modify the file pam_unix_acct.c
> (Linux-PAM-0.72) that in the lines 129-136 states:
> 
>    129                  }
>    130
>    131          } else if (!strcmp( pwent->pw_passwd, "x" )) {
>    132                  spent = getspnam(uname);
>    133          } else {
>    134                  return PAM_SUCCESS;
>    135          }
>    136
> 
> into
> 
>    129                  }
>    130
>    131          } else if (strcmp( pwent->pw_passwd, "x" )) {
>    132                  spent = getspnam(uname);
>    133          } else {
>    134                  return PAM_SUCCESS;
>    135          }
>    136
> 
> since if the call for getpwent returns an x in the password field I want
> to look into the shadow password.

Ok, so you tried to change this to the opposite.  What was there was right;
what you changed is wrong.  If the pw_passwd field has the value "x", strcmp
will return 0, and your modified pam_unix will try to access shadow only if
that field's value is _not_ "x".

> Without this change I was always granted access to shadow users (since
> nss_ldap correctly returns an x if the user is in the shadow). With this
> modification everything works. Anyway, since I don't know the whole code I
> wonder if someone can tell if this is really a bug or my problem is
> elsewhere.

If nss_ldap returns "x" in the case of a shadowed password (I don't know how
things are implemented in ldap; e.g. in nis+ there is only one table
that holds all of a user's information, there is no "shadow" at all, but
it works with getpwnam() _and_ getspnam() returning just different
columns in each case), then things should just work out of the box.
I have no idea why it doesn't work.

Ok, some thoughts around.

o If you have a correctly working (read: compatible with traditional
  getspent/getpwent) nss_ldap, you do not need the pam_ldap module
  in the acct/auth/session stack at all; pam_unix should do the work
  just fine by itself.
o Question for pam library gurus (Andrew?): how are sufficient/required
  handled in case a module returns conditions like
  PAM_NEW_AUTHTOK_REQD, PAM_ACCOUNT_EXPIRED, PAM_INCOMPLETE?
  Example given above -- stacking pam_ldap with `sufficient' flag
  and pam_unix with `required'.  If first returns EXPIRED, and
  second returns some error (e.g. if the shadow entry is unavailable to
  pam_unix (if nss_ldap does not return it -- just a hypothetical
  case), but it is available to pam_ldap) -- in this case,
  pam should probably ignore the return value of pam_unix and should
  return EXPIRED to the app from pam_ldap...
  I ask this with my own work in mind -- probably pam_unix should
  return PAM_IGNORE in this case, and for this there should be a
  flag for it to do so.
o Maybe the problem with this particular case is exactly in the previous
  statement?  What happens if _both_ modules return
  PAM_ACCT_EXPIRED?

Regards,
 Michael.
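To make Michael's point about the strcmp() test concrete, here is an added example that is not part of the thread or of Linux-PAM. It re-creates the decision in the quoted pam_unix_acct.c block against a constructed passwd/shadow table (fake_getpwnam/fake_getspnam stand in for the NSS calls, and the PAM_* values are made up for this file), and lets you run the same account check with the original condition `!strcmp(pwent->pw_passwd, "x")` and with the patched one `strcmp(pwent->pw_passwd, "x")`. The treatment of a user whose passwd field says "x" but who has no shadow entry is this example's own choice, not something the page states.

```c
#include <string.h>
#include <stddef.h>
#include <stdio.h>

/* Return codes named as on the page; the numeric values are constructed
 * for this stand-alone example and are not Linux-PAM's. */
enum {
    PAM_SUCCESS = 0,
    PAM_USER_UNKNOWN = 1,
    PAM_AUTHINFO_UNAVAIL = 2,
    PAM_ACCT_EXPIRED = 3
};

/* Minimal stand-ins for struct passwd / struct spwd (constructed). */
struct fake_pw { const char *name; const char *pw_passwd; };
struct fake_sp { const char *name; long sp_expire; }; /* days since epoch, -1 = never */

/* Constructed user database: alice is shadowed ("x" in passwd) and her
 * shadow entry expired on day 1000; bob carries his hash in passwd. */
static const struct fake_pw pw_table[] = {
    { "alice", "x" },
    { "bob",   "$1$constructed$hashgoeshere" },
};
static const struct fake_sp sp_table[] = {
    { "alice", 1000 },
};

/* Hypothetical replacements for getpwnam()/getspnam(): they search the
 * constructed tables instead of going through NSS (files, nss_ldap, ...). */
static const struct fake_pw *fake_getpwnam(const char *uname) {
    for (size_t i = 0; i < sizeof pw_table / sizeof *pw_table; i++)
        if (strcmp(pw_table[i].name, uname) == 0) return &pw_table[i];
    return NULL;
}
static const struct fake_sp *fake_getspnam(const char *uname) {
    for (size_t i = 0; i < sizeof sp_table / sizeof *sp_table; i++)
        if (strcmp(sp_table[i].name, uname) == 0) return &sp_table[i];
    return NULL;
}

/* Account check modelled on the quoted pam_unix_acct.c block.
 * inverted == 0 keeps the original test   !strcmp(pw_passwd, "x")
 * inverted == 1 applies the patched test   strcmp(pw_passwd, "x")
 * 'today' is the current day number, passed in to keep the function pure. */
int acct_check(const char *uname, long today, int inverted) {
    const struct fake_pw *pwent = fake_getpwnam(uname);
    const struct fake_sp *spent = NULL;
    if (pwent == NULL)
        return PAM_USER_UNKNOWN;

    /* strcmp() returns 0 on equality, so !strcmp(...) is true only for "x";
     * the patched form is true for everything *except* "x". */
    int consult_shadow = inverted ? strcmp(pwent->pw_passwd, "x")
                                  : !strcmp(pwent->pw_passwd, "x");
    if (consult_shadow) {
        spent = fake_getspnam(uname);
    } else {
        return PAM_SUCCESS;   /* hash is in passwd; nothing in shadow to check */
    }

    /* This example's own choice (not from the page): a user routed to shadow
     * but absent from it is an error, not a pass. */
    if (spent == NULL)
        return PAM_AUTHINFO_UNAVAIL;
    if (spent->sp_expire != -1 && today >= spent->sp_expire)
        return PAM_ACCT_EXPIRED;
    return PAM_SUCCESS;
}

/* Stand-alone run: alice on day 2000, with each form of the test. */
int main(void) {
    printf("alice, original test: %d\n", acct_check("alice", 2000, 0));
    printf("alice, patched test:  %d\n", acct_check("alice", 2000, 1));
    return 0;
}
```

With the original test, alice (passwd field "x", shadow expiry on day 1000) is reported expired on day 2000; with the patched test her shadow entry is never consulted and the check returns PAM_SUCCESS, while bob, whose hash sits in passwd, is sent to a shadow lookup that cannot find him. That is exactly the inversion Michael describes.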
