Problem with user root
Joe Lewis
joe at joe-lewis.com
Fri May 21 15:34:49 UTC 2004
I did a quick search on Google using "pam_ldap down root access", and the
first link provided the following information:
[...snip...]
account [ authinfo_unavail=ignore ignore=ignore success=ok default=bad ] \
/lib/security/pam_ldap.so ignore_unknown_user
[...snip...]
authinfo_unavail=ignore: if the LDAP server dies, pam_ldap will
return the error code 'authinfo_unavail.' If this code is not
ignored, then even root won't be able to log in.
In YOUR configuration, you had service_err=ignore, and system_err=ignore,
but no authinfo_unavail=ignore. Put this in and see if things work
better. Perhaps this is what you are experiencing?
Joe
> Hi,
>
> I've added in the /etc/pam.d/system-auth the next line
>
> auth sufficient /lib/security/pam_rootok.so
>
> but the user root can't login in the system yet.
>
> In the logs, I get the next error messages:
>
> login: pam_ldap: ldap_simple_bind Can't contact LDAP server
> login: Authentication service cannot retrieve authentication info
>
> I've probed with pam_localuser.so too, but I get the same error.
>
>
>
>>From: "Tay, Gary" <Gary_Tay at platts.com>
>>Reply-To: Pluggable Authentication Modules <pam-list at redhat.com>
>>To: "Pluggable Authentication Modules" <pam-list at redhat.com>
>>Subject: RE: Problem with user root
>>Date: Fri, 21 May 2004 17:00:46 +0800
>>
>>Hi,
>>
>>Just guessing, u may want to add "rootok" somewhere...
>>
>>See /usr/share/doc/pam-0.75/txts/README.pam_rootok, and all text files
>>in the txts dir.
>>
>>Rgds
>>Gary
>>
>># $Id: README,v 1.1.1.1 2000/06/20 22:11:56 agmorgan Exp $
>>#
>>
>>This module is an authentication module that performs one task: if the
>>id of the user is '0' then it returns 'PAM_SUCCESS'. With the
>>'sufficient' /etc/pam.conf control flag it can be used to allow
>>password-free access to some service for 'root'.
>>
>>Recognized arguments:
>>
>> debug write a message to syslog indicating success or
>> failure.
>>
>>module services provided:
>>
>> auth _authentication and _setcred (blank)
>>
>>Andrew Morgan
>>
>>
>>-----Original Message-----
>>From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
>>On Behalf Of Javier Ferruz Rodriguez
>>Sent: Friday, May 21, 2004 4:23 PM
>>To: pam-list at redhat.com
>>Subject: Problem with user root
>>
>>
>>Hi,
>>
>>I've configured my RHEL 2.1 AS for authenticating users in LDAP. My LDAP
>>server is SunOne Directory 5.2.
>>
>>My /etc/nsswitch.conf file is
>>
>>password files ldap
>>group files ldap
>>shadow files ldap
>>
>>My /etc/pam.d/login
>>
>>auth required /lib/security/pam_securetty.so
>>auth required /lib/security/pam_stack.so service=system-auth
>>auth required /lib/security/pam_nologin.so
>>account required /lib/security/pam_stack.so service=system-auth
>>password required /lib/security/pam_stack.so service=system-auth
>>session required /lib/security/pam_stack.so service=system-auth
>>session required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
>>session optional /lib/security/pam_console.so
>>
>>
>>My /etc/pam.d/system-auth is
>>
>>auth required /lib/security/pam_env.so
>>auth sufficient /lib/security/pam_unix.so likeauth nullok
>>auth sufficient /lib/security/pam_ldap.so use_first_pass
>>auth required /lib/security/pam_deny.so
>>account required /lib/security/pam_unix.so
>>account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>>password required /lib/security/pam_cracklib.so retry=3 type=
>>password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
>>password sufficient /lib/security/pam_ldap.so use_authtok
>>password required /lib/security/pam_deny.so
>>session required /lib/security/pam_limits.so
>>session required /lib/security/pam_unix.so
>>session optional /lib/security/pam_ldap.so
>>
>>The configuration is OK when the LDAP server is running. All users are
>>validated in the LDAP server except root.
>>
>>When the LDAP server is down, root can't validate in the system. Why?
>>
>>Can anybody help me?
>>
>>Thanks in advance,
>>
>>
>>
>>_______________________________________________
>>Pam-list mailing list
>>Pam-list at redhat.com https://www.redhat.com/mailman/listinfo/pam-list
>
>
Joe Lewis
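To make the control-flag argument concrete, here is a small simulator of how a Linux-PAM bracketed control stack resolves when pam_ldap returns authinfo_unavail. It is an added example, not code from the thread or from Linux-PAM; the module return codes (pam_unix succeeding for root, pam_ldap unable to reach its server) are a constructed scenario, and only the actions used in this thread's configuration are modelled.

```python
import re

# Expansion of the simple keywords into Linux-PAM's bracketed form.
KEYWORD = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok",
                   "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done",
                   "default": "ignore"},
}

def parse_line(line):
    """Split 'type control module [args]' into (type, {retval: action}, module name)."""
    typ, control, module = re.match(r"(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)", line).groups()
    table = (dict(p.split("=", 1) for p in control[1:-1].split())
             if control.startswith("[") else KEYWORD[control])
    return typ, table, module.rsplit("/", 1)[-1]

def run_stack(config, stack_type, results):
    """Resolve one stack to 'success' or 'failure'. `results` maps a module name
    to the code it returns; modules not listed are assumed to return 'success'."""
    status = None                      # no module has had a say yet
    for line in config:
        typ, table, module = parse_line(line)
        if typ != stack_type:
            continue
        retval = results.get(module, "success")
        action = table.get(retval, table.get("default", "bad"))
        if action in ("bad", "die"):   # a failure overrides any earlier success
            status = "failure"
            if action == "die":
                break
        elif action in ("ok", "done"):  # success only counts if nothing failed before
            status = status or "success"
            if action == "done" and status == "success":
                break
    return status or "failure"

# The account stack from the thread, and the same stack with Joe's fix applied.
ORIGINAL = [
    "account required /lib/security/pam_unix.so",
    "account [default=bad success=ok user_unknown=ignore service_err=ignore "
    "system_err=ignore] /lib/security/pam_ldap.so",
]
FIXED = [ORIGINAL[0], ORIGINAL[1].replace("system_err=ignore]",
                                          "system_err=ignore authinfo_unavail=ignore]")]
# Constructed scenario: root exists in /etc/passwd, the LDAP server is unreachable.
LDAP_DOWN = {"pam_unix.so": "success", "pam_ldap.so": "authinfo_unavail"}
```

With the LDAP server down, `run_stack(ORIGINAL, "account", LDAP_DOWN)` resolves to "failure" because authinfo_unavail falls through to default=bad, while `run_stack(FIXED, "account", LDAP_DOWN)` resolves to "success"; the auth stack already lets root through via pam_unix, so the account stack is where the lockout happens.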