trouble configuring pam using pam_ldap and pam_mount

Dan Yefimov dan at ns15.lightwave.net.ru
Mon Jul 30 13:05:26 UTC 2007


On Sun, 29 Jul 2007, Heiko Harders wrote:

> Some hours of trial and error later I still don't have it working... 
> but I can't understand why. The configurations I tried should (as seen 
> from my logic) work, but they don't. A few examples of configurations I 
> tried are listed below (by the way, I use Ubuntu 7.04 'Feisty Fawn' 
> clients, I didn't mention it before, but I thought it might be important):
> 
> ## common-account (I changed this a bit according to an article I found, 
> written by Martin Schwenke):
> account    requisite    pam_unix.so
> account sufficient    pam_localuser.so
> account required    pam_ldap.so
> 
> ## common-auth:
> # first authenticate for pam_mount, this is the only way (as far as I 
> # know) to prevent multiple password requests (as it seems 'use_first_pass' 
> # doesn't work for pam_mount.so)
> auth    required    pam_mount.so
> auth    sufficient    pam_ldap.so use_first_pass
> auth    required    pam_unix.so nullok_secure use_first_pass
> 
> 
> Next are the different versions of 'common-session' I tried.
> ## common-session [VERSION 1]:
> session    optional    pam_foreground.so
> session    requisite    pam_unix.so
> # the following line jumps over the mounting
> # but of course... it does for all users... (as expected)
> session    [default=1]    pam_localuser.so
> session    required    pam_mount.so
> session    required    pam_ldap.so
> 
> ## common-session [VERSION 2]:
> session    optional    pam_foreground.so
> session    requisite    pam_unix.so
> # the following line doesn't seem to have any effect
> # mounting is executed for local users and users in the ldap server
> # I would have expected pam would terminate after this line
> # when a local user logs on (because of the 'sufficient' control value)
> session    sufficient   pam_localuser.so
> session    required    pam_mount.so
> session    required    pam_ldap.so
> 
> ## common-session [VERSION 3]:
> session    optional    pam_foreground.so
> session    requisite   pam_unix.so
> # the following line gives 'su: Module is unknown' after
> # the request for the password
> session    [user_unknown=ignore default=done]    pam_localuser.so
> session    required    pam_mount.so
> session    required    pam_ldap.so
> 
> ## common-session [VERSION 4]:
> session    optional    pam_foreground.so
> session    requisite    pam_unix.so
> # the following line doesn't mount anything, not for
> # local users and not for ldap users
> # (in either case 'ok' or 'ignore')
> session    [user_unknown=ok/ignore default=2]    pam_localuser.so
> session    required    pam_mount.so
> session    required    pam_ldap.so
> 
> ## common-session [VERSION 5]:
> session    optional    pam_foreground.so
> # the following line does also mounting for local users
> # (I also found this in the article by Martin Schwenke and adapted it a bit)
> session    [success=ok new_authtok_reqd=ok ignore=2 \
>         authinfo_unavail=ignore user_unknown=ignore default=bad] \
>         pam_ldap.so ignore_unknown_user
> session    required    pam_mount.so
> session    required    pam_ldap.so
> session    requisite    pam_unix.so
> 
> So still no success. As I said before, logging on works for local users 
> and for users in the LDAP. Mounting also works for the users in the 
> LDAP, but I would like to prevent the execution of pam_mount for local 
> users (because these users don't need mounting and if there is a user in 
> the LDAP with the same username/password combo, his/her homedir is 
> mounted on top of the local homedir. I would like to make sure local 
> users are more important).
> 
> Some other details that might be important: for testing the 
> configurations I use 'su' (it's the fastest way), but quite a few times I 
> also tried logging in with gdm (Gnome). There seems to be no difference, 
> and in my view that seems logical, because I only edit the 
> /etc/pam.d/common-* files (I don't edit any of the other files in that 
> directory).
> 
> Is there anybody who could explain why the listed examples don't work? 
> And what about my approach? Jose Plans already suggested using 'autofs', 
> but it seems to me that using pam_mount would be a cleaner approach. 
> Anyone any ideas on this? Is my approach perhaps outdated?
> 
The matter is that pam_localuser.so operates only in the account stack (check the
README file in the pam_localuser source directory). That means mounting should
be performed in the account stack too. If pam_mount.so cannot operate in the account
stack (consult the pam_mount documentation), pam_localuser.so cannot help you.
You could however patch the pam_localuser source so that it also operates in the
session stack in order to be helpful for you.
-- 

    Sincerely Your, Dan.
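Added example, not from either poster: a small Python model of how the Linux-PAM dispatcher walks a stack under the [value=action] rules of pam.conf(5), run over the session stack shape Heiko posted. The local-user set and the module results are constructed; in particular pam_localuser is modelled as returning PAM_MODULE_UNKNOWN outside the account stack, which is Dan's explanation and reproduces the observed behaviour of VERSIONS 1 to 4.

```python
# Toy model of the Linux-PAM dispatcher, following the [value=action] rules in pam.conf(5).
# Constructed for this thread: module results are simulated, nothing touches the real library.
SUCCESS, IGNORE, USER_UNKNOWN, MODULE_UNKNOWN = "success", "ignore", "user_unknown", "module_unknown"
# The keyword controls are shorthand for these tables (pam.conf(5)).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
LOCAL_USERS = {"heiko"}   # constructed stand-in for /etc/passwd
def pam_localuser(user, stack_type):
    # Dan's point: only the account stack is implemented; elsewhere the dispatcher sees MODULE_UNKNOWN
    if stack_type != "account":
        return MODULE_UNKNOWN
    return SUCCESS if user in LOCAL_USERS else USER_UNKNOWN
# Every other module is assumed to succeed, so the control lines are the only variable.
MODULES = {n: (lambda u, s: SUCCESS) for n in ("pam_unix.so", "pam_ldap.so", "pam_mount.so", "pam_foreground.so")}
MODULES["pam_localuser.so"] = pam_localuser
def action_for(ctl, rc):
    table = dict(kv.split("=", 1) for kv in ctl.strip("[]").split()) if ctl.startswith("[") else KEYWORDS[ctl]
    return table.get(rc, table["default"])
def run_stack(stack_type, entries, user):
    """Evaluate (control, module) entries in order; return (final status, modules that ran)."""
    status, failed, ran, i = None, False, [], 0
    while i < len(entries):
        ctl, name = entries[i]
        rc = MODULES[name](user, stack_type)
        ran.append(name)
        action = action_for(ctl, rc)
        i += 1
        if action.isdigit():          # N: "equivalent to ok" plus a jump over the next N modules
            i, action = i + int(action), "ok"
        if action in ("ok", "done"):
            if not failed and status in (None, SUCCESS) and rc != IGNORE:
                status = rc
            if action == "done" and not failed:
                return status, ran
        elif action in ("bad", "die"):
            if not failed:
                status, failed = rc, True
            if action == "die":
                return status, ran
    return status, ran   # "ignore" actions never touch status

def heiko_session(localuser_control):
    # The session stack from the thread, with only the pam_localuser control line varied.
    return [("optional", "pam_foreground.so"), ("requisite", "pam_unix.so"), (localuser_control, "pam_localuser.so"),
            ("required", "pam_mount.so"), ("required", "pam_ldap.so")]
```

Running the same `[success=1 default=ignore]` control line in a constructed account stack shows the module distinguishing local from LDAP users there, which it never can in the session stack; whether the real pam_mount accepts the account stack is the question Dan leaves to its documentation.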