problem with command order in auth block

Michael Hamann mail at mhamann.net
Mon May 9 11:16:49 UTC 2005


Hey,

I'm playing with some PAM modules to set up a Linux workstation system
integrated in an Active Directory, including the mapping of home and
group directories.

To mount the shares after login I need to save the password temporarily,
which I do with a PAM module, pam_storepw, in the "auth" section.

Almost everything works fine for me except the fact that I can't combine
winbind and Unix authentication plus the pam_storepw module.

For example, my /etc/pam.d/gdm:

### Auth Settings

auth                required        pam_env.so
auth                sufficient      pam_winbind.so
auth                required        pam_unix.so try_first_pass
auth                required        pam_storepw.so
auth                required        pam_nologin.so

Here the problem is that if I successfully auth against winbind, pam_storepw
is not executed.

My /var/log/auth:

May  9 13:00:42 localhost pam_winbind[19655]: user 'tglatzel' granted access
May  9 13:00:42 localhost pam_winbind[19655]: user 'tglatzel' granted access
May  9 13:00:42 localhost gdm[19655]: (pam_unix) session opened for user tglatzel by (uid=0)

I can login but the password module is not executed.

If I change my pam configuration for gdm to:

auth                required        pam_env.so
auth                required        pam_winbind.so
# auth                required        pam_unix.so try_first_pass
auth                required        pam_storepw.so
auth                required        pam_nologin.so

then I can log in (only auth with winbind) and get the following logfile.
In this case it works exactly the way I want it to, but I can't log in with
local user accounts...

May  9 13:11:57 localhost pam_winbind[1684]: user 'tglatzel' granted access
May  9 13:11:57 localhost pam_storepw[1684]: PAM StorePW is running
May  9 13:11:57 localhost pam_storepw[1684]: writing to /var/run/pw/tglatzel.pw
May  9 13:11:57 localhost gdm[1684]: Sending QUERYLOGIN == tglatzel for slave 1684
May  9 13:11:57 localhost gdm[1684]: Sending QUERYLOGIN 1684 tglatzel
May  9 13:11:57 localhost pam_winbind[1684]: user 'tglatzel' granted access
May  9 13:11:58 localhost gdm[1684]: (pam_unix) session opened for user tglatzel by (uid=0)

I would like to combine auth against the local system via Unix users and, in a
second step, against the Active Directory via winbind...

I think I made a mistake in the order of the auth commands...

Does anybody have a clue how to fix this?

Thank you
Michael
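Why pam_storepw never runs in the first configuration, as an added example that is not code from the post: a small Python model of the control-flag rules Linux-PAM applies when walking an auth stack (a "sufficient" module that succeeds ends the stack, so everything listed below it is skipped). The ORIGINAL stack is the poster's; the FIXED stack using the `[success=1 default=ignore]` jump is an assumed alternative ordering and not something the post confirms.

```python
# Simplified model of how Linux-PAM walks an "auth" stack (added example, not
# code from the post). Each module's verdict is supplied by the caller, so
# nothing is really authenticated; the point is which modules get executed.
# Flags modelled: required, requisite, sufficient, optional, and the bracketed
# "[success=N default=ignore]" form. Real PAM has many more return codes.

def run_auth_stack(stack, verdicts):
    """stack: list of (control, module). verdicts: {module: True/False}.
    Modules without a verdict (pam_env, pam_storepw, pam_nologin) succeed.
    Returns (final_result, [modules that were actually executed])."""
    ran, failed, i = [], False, 0
    while i < len(stack):
        control, module = stack[i]
        ok = verdicts.get(module, True)
        ran.append(module)
        i += 1
        if control == "required":
            failed = failed or not ok          # remember the failure, keep walking
        elif control == "requisite":
            if not ok:
                return False, ran              # abort: nothing below this line runs
        elif control == "sufficient":
            if ok and not failed:
                return True, ran               # stop early: nothing below this line runs
        elif control == "optional":
            pass                               # only counts if it is the only module
        elif control.startswith("[success="):
            # "[success=N default=ignore]": on success skip the next N modules,
            # on failure ignore the verdict and continue with the next line
            n = int(control.split("=")[1].split()[0])
            if ok:
                i += n
        else:
            raise ValueError(f"unsupported control flag {control!r}")
    return not failed, ran

# The poster's first /etc/pam.d/gdm auth section.
ORIGINAL = [("required", "pam_env.so"), ("sufficient", "pam_winbind.so"),
            ("required", "pam_unix.so"), ("required", "pam_storepw.so"),
            ("required", "pam_nologin.so")]

# Assumed alternative ordering (not from the post): pam_unix first; a local
# success jumps over pam_winbind, a local failure hands the decision to
# pam_winbind (requisite, so a domain failure aborts before pam_storepw).
# pam_storepw therefore runs exactly when authentication has succeeded.
FIXED = [("required", "pam_env.so"), ("[success=1 default=ignore]", "pam_unix.so"),
         ("requisite", "pam_winbind.so"), ("required", "pam_storepw.so"),
         ("required", "pam_nologin.so")]
```

In a real configuration pam_winbind would carry use_first_pass so the user is not prompted twice.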

More information about the Pam-list mailing list