trouble configuring pam using pam_ldap and pam_mount
Heiko Harders
harders at fmf.nl
Mon Jul 30 13:43:14 UTC 2007
Wilhelm Meier wrote:
> Am Samstag, 28. Juli 2007 21:30 schrieb Heiko Harders:
>
>> <snip>
>>
> What about uid's. Normally the local user uid's occupy a different range, say
> e.g. 0 - 1000 and the ldap uid's are above that range. I don't know if
> pam_mount can distinguish this, but pam_cifs can do that.
>
I tried working with uid's and gid's (but did it a little different than
what you told), this is the configuration I used, my local users have
id's below 2000 and my ldap users have id's above 2000:
session optional pam_foreground.so
session [default=2 success=ignore] pam_succeed_if.so quiet uid > 2000
session required pam_mount.so
session sufficient pam_ldap.so
session required pam_unix.so
But this also doesn't work... I got this example literally from the
online documentation
(example on the bottom of this page:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_succeed_if.html).
But with whatever uid I logon (tried su and tried gdm) it always does
the default thing, so it skips lines 3 and 4.
I checked the user id's of the users after logging on (with command
'id'). For my ldap user it was 2002, for my local user it was 1000. So
that couldn't be the problem.
Dan Yefimov wrote:
> On Sun, 29 Jul 2007, Heiko Harders wrote:
>
>> <snip>
>>
> The matter is that pam_localuser.so operates only in account stack (check
> README file in the pam_localuser source directory).
I checked this out online to make sure this wasn't the problem. In the
online documentation
(http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_localuser.html)
I found: "All services (account, auth, password and session) are
supported." So I ruled this out and was convinced this wasn't a problem.
But perhaps that online documentation isn't correct.
> That means mounting should
> be performed in account stack too. If pam_mount.so cannot operate in account
> stack (consult with pam_mount documentation), pam_localuser.so cannot help you.
>
I think (but am not sure) pam_mount can not operate in account stack.
The documentation is very limited and doesn't say anything about that.
> You could however patch pam_localuser source so that it can operate also in
> session stack in order to be helpful for you.
>
That's something I will consider after I've made sure the online
documentation I found is indeed incorrect (and you are right about
pam_localuser isn't able to operate in session stack).
I thought it might help if I used this module:
http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_loginuid.html
However I'm not sure what exactly it is for, I thought it might be
necessary for correctly identifying the uid of the user which logs on?
Anyway, this module isn't installed on my system, a quick search on the
internet provided that 'Linux SE' (security enhanced linux) is needed
for this. But there is not much I can find about this issue.
Another problem that occurred is that my 'gksu' is broken by 'auth
required pam_mount.so' (that seems to be a common problem and I didn't
find a solution for it yet, any comments on that are also welcome). So
after three days of trial and nothing but error ;-) and considering the
problem with gksu I'm thinking about dropping pam_mount and try some
other approach. But I don't want to give up too soon, so any thoughts on
these problems are still very welcome.
Greetings,
Heiko
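The session stack in the mail relies on the `[default=2 success=ignore]` control syntax of pam_succeed_if: on success (uid > 2000) the module contributes nothing and the stack continues into pam_mount, on failure the next two modules are jumped over. The following is an added example, not code from the thread or from Linux-PAM: a small simulator of the documented control-token semantics (required/requisite/sufficient/optional expanded to their `[value=action]` form, plus the numeric jump action) run over that exact session stack for a constructed local uid (1000) and a constructed LDAP uid (2002). It shows which modules the stack is *meant* to invoke in each case; the module bodies are assumptions (everything except pam_succeed_if simply reports success), and the model is simplified to the two statuses success and fail. Why the real stack on the poster's system skipped pam_mount for every uid is not resolved in the thread, so the simulator makes no claim about that.

```python
"""Simulate Linux-PAM control-flag evaluation for a session stack.

Added example, not code from the original mail or from Linux-PAM.
Module behaviours and user records below are constructed assumptions.
"""

SUCCESS, FAIL = "success", "fail"

# Keyword control tokens expanded to their documented [value=action] form
# (simplified to the two statuses modelled here).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}


def parse_control(token):
    """'required' or '[default=2 success=ignore]' -> {status: action}."""
    if token.startswith("["):
        pairs = token.strip("[]").split()
        return dict(pair.split("=", 1) for pair in pairs)
    return dict(KEYWORDS[token])


def run_stack(stack, user):
    """Evaluate [(control, module_name, module_callable), ...] for `user`.

    module_callable(user) returns SUCCESS or FAIL.
    Returns (overall_result, [names of modules that were actually invoked]).
    Semantics modelled: ok/done contribute success unless a failure was
    already recorded; done also terminates the stack when no failure was
    recorded; bad records the first failure; die records it and terminates;
    ignore contributes nothing; a numeric action skips the next N modules.
    A stack to which no module contributed is treated as a failure, as
    Linux-PAM does.
    """
    invoked = []
    result = None
    failed = False
    i = 0
    while i < len(stack):
        control, name, module = stack[i]
        status = module(user)
        invoked.append(name)
        actions = parse_control(control)
        action = actions.get(status, actions.get("default", "bad"))
        if action.isdigit():            # jump: skip the next N modules
            i += int(action)
        elif action in ("ok", "done"):
            if not failed and result is None:
                result = SUCCESS
            if action == "done" and not failed:
                break                   # sufficient: short-circuit the stack
        elif action in ("bad", "die"):
            if not failed:
                failed = True
                result = FAIL
            if action == "die":
                break                   # requisite: stop immediately
        # "ignore": contributes nothing, just fall through
        i += 1
    return (result if result is not None else FAIL), invoked


# --- the session stack from the mail, with assumed module bodies ----------

def pam_succeed_if_uid_gt_2000(user):
    """Models 'pam_succeed_if.so quiet uid > 2000'."""
    return SUCCESS if user["uid"] > 2000 else FAIL


def always_succeeds(user):
    """Assumed body for the other modules: they just report success."""
    return SUCCESS


SESSION_STACK = [
    ("optional",                   "pam_foreground", always_succeeds),
    ("[default=2 success=ignore]", "pam_succeed_if", pam_succeed_if_uid_gt_2000),
    ("required",                   "pam_mount",      always_succeeds),
    ("sufficient",                 "pam_ldap",       always_succeeds),
    ("required",                   "pam_unix",       always_succeeds),
]

# Constructed users matching the uids reported in the mail.
LOCAL_USER = {"name": "localuser", "uid": 1000}
LDAP_USER = {"name": "ldapuser", "uid": 2002}


def modules_run_for(user):
    """Names of the modules the stack invokes for `user`, in order."""
    return run_stack(SESSION_STACK, user)[1]


if __name__ == "__main__":
    for u in (LOCAL_USER, LDAP_USER):
        print(u["uid"], "->", " -> ".join(modules_run_for(u)))
```

Running it prints the intended path: uid 1000 goes pam_foreground, pam_succeed_if, pam_unix (pam_mount and pam_ldap jumped over), uid 2002 goes pam_foreground, pam_succeed_if, pam_mount, pam_ldap. Note the second consequence of `sufficient` on pam_ldap: once it succeeds with no earlier failure the stack terminates, so pam_unix never runs for LDAP users in this layout. That is the documented `done` behaviour, and it is worth keeping in mind when reading `session` stacks built this way.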