useradd vs system-config-users and pam

D G Teed donald.teed at gmail.com
Wed Jan 9 19:50:21 UTC 2008 

Hi,

Thanks for this suggestion.  I still don't understand why passwd and
useradd work OK on RHEL 5 while winbind is set up up for passwd
in nsswitch.conf .  Odd.  Anyway, keeping it to just "files" works fine
for AD based authentication, so that's great.

I might consider your method down the road when we have a larger
implementation of users to handle.

Regards,

--Donald

On Jan 8, 2008 10:58 AM, <Jonathan.Detert at msoe.edu> wrote:

> * D G Teed <donald.teed at gmail.com> [080108 07:43]:
> >    On RHEL 4, I have configured authentication for ssh access
> >    via Active Directory authentication, using the
> >    system-config-authentication
> >    GUI.  Users can login OK with either local authentication or AD
> >    authentication.
> >
> >    However, two system commands are misbehaving.  useradd refuses to
> >    add someone to the system if they are found in AD.  The error
> >    is simply in the form of  "useradd: user john exists".  I've heard
>
> I use MsA.D. for user auth and account info on Debian systems via pam.
>
> My guess is that you have more than one source listed in
> /etc/nsswitch.conf for the 'passwd:' name type, and that one of them
> indicates MsA.D. (probably 'ldap' or 'winbind').
>
> If you want to use MsAD solely for auth - i.e. not for anything else in
> the traditional passwd(5) entry (e.g. uid, gid, login shell, home dir),
> then remove the source in /etc/nsswitch.conf for the passwd: name type
> that uses MsAD.
>
> That would allow you to useradd and passwd to your heart's content, and
> only operate on the values in your local /etc/passwd file.  The only way
> you'd then use msad would be this:
>
>        if the username in /etc/passwd also existed in msad, you'd do
>        your auth against msad instead of /etc/shadow.  The value in
>        /etc/shadow would be immaterial (but shouldn't be null).
>
> You may have to modify /etc/pam.d/common-account to not use msad as well
> - I'm not sure.
>
> What I do, which you might be interested in, is to use msad for both
> auth and passwd(5) info (uid, gid, login-shell, home dir).  Note that
> this does require you to 'extend' your msad schema to include those
> posix login attributes (but ms provides this kind of extension as a free
> option).  The beauty of this is that combined w. pam_mkhomedir,
> pam_winbind, and pam_winbind's 'require_membership' attribute, you can
> use msad group membership to govern access to your linux server.  All
> you have to do is put the msad user in the appropriate msad group, and
> automatically, they have access to your linux server.  No useradd.  No
> setting the passwd.  Nothing.  Just put them in the msad group.
>
> Likewise, to revoke a user's access to your server, just remove the
> luser's msad account from the msad group.
>
> >    the passwd command may also be trying to update the password
> >    on AD rather local.
> >
> >    We can work around the problem by running the GUI system-config-users
> >    - this works fine to create new users or set the local password.
> >    So I wonder if pam settings for the system-config-users
> >    GUI are somehow giving us local target for the user creation
> commands.
> >    Running strings on the useradd command I don't find any pam
> reference.
> >    There is no pam.d entry for the useradd command as a file named
> useradd.
> >
> >    Our intentions are to use AD to authenticate only, not to allow users
> to
> >    manage
> >    their password or anything about their AD account from the Linux
> host.
> >
> >    Can anyone give a hint about what we should adjust to point useradd
> >    and passwd commands to local mechanisms?
> --
> Jon Detert
> IT Systems Administrator, Milwaukee School of Engineering
> 1025 N. Broadway, Milwaukee, Wisconsin 53202, U.S.A.
> --
> "Most of the trouble in the world is caused by people wanting to be
> important."
> ~ T.S. Eliot
>
> _______________________________________________
> Pam-list mailing list
> Pam-list at redhat.com
> https://www.redhat.com/mailman/listinfo/pam-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080109/f1d04d2e/attachment.htm>

More information about the Pam-list mailing list