[SASAG] PAM question about pam.conf file
Robin Battey
zanfur at zanfur.com
Fri May 23 12:08:19 PDT 2008
I believe changing the "pam_unix_auth.so.1" line to "sufficient" will achieve what you're looking for.
In general, pam goes down the list, and stops with a failure when either a required line fails or stops with a success when a sufficient line succeeds or it passes the end of the list.
Cheers!
-robin
Sent via BlackBerry by AT&T
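To make the control-flag behaviour concrete, here is a small model of how an auth stack is walked, added for this thread and not code from the original post, from Likewise, or from Solaris. The flag semantics follow the Solaris pam.conf(4) description (requisite, required, sufficient, binding, optional); the per-module outcomes are constructed inputs, not real authentication, and the stack is the login stack quoted in the original question. It shows why pam_lwidentity is still consulted (and logs "User 'root' is not known") with the current flags, and that once pam_unix_auth is "sufficient" a local success returns before pam_lwidentity is ever called. It also shows the two caveats a practitioner would want: the modules after a sufficient success (here pam_dial_auth) are skipped for local users, and a "sufficient" success does not short-circuit if an earlier "required" module has already failed.

```python
"""Model of PAM auth-stack control flow (added illustration, not the original
post's code).  Flag semantics follow Solaris pam.conf(4); module outcomes are
constructed, not real authentication."""

from typing import Callable, List, Tuple

# A stack entry is (control_flag, module_name).  The "login auth" columns and
# module options from the quoted pam.conf are dropped; they do not affect flow.
Stack = List[Tuple[str, str]]

# Constructed: the login stack quoted in the original question.
CURRENT_LOGIN_STACK: Stack = [
    ("requisite", "pam_authtok_get.so.1"),
    ("required", "pam_dhkeys.so.1"),
    ("required", "pam_unix_cred.so.1"),
    ("required", "pam_unix_auth.so.1"),
    ("required", "pam_dial_auth.so.1"),
    ("sufficient", "pam_lwidentity.so.1"),
]


def with_flag(stack: Stack, module: str, flag: str) -> Stack:
    """Return a copy of stack with one module's control flag replaced."""
    return [(flag if name == module else f, name) for f, name in stack]


def run_stack(stack: Stack, outcome: Callable[[str], bool]) -> Tuple[bool, List[str]]:
    """Walk an auth stack.  outcome(module) is True for PAM_SUCCESS, False otherwise.
    Returns (overall_success, modules_actually_called)."""
    called: List[str] = []
    required_failed = False   # a required/binding failure is remembered, not returned yet
    any_success = False
    for flag, module in stack:
        called.append(module)
        ok = outcome(module)
        if flag == "requisite":
            if not ok:
                return False, called          # stop immediately with failure
            any_success = True
        elif flag == "required":
            if ok:
                any_success = True
            else:
                required_failed = True        # keep walking, fail at the end
        elif flag in ("sufficient", "binding"):
            if ok and not required_failed:
                return True, called           # short-circuit: rest of stack never runs
            if ok:
                any_success = True
            elif flag == "binding":
                required_failed = True
            # a failing "sufficient" module is simply ignored
        elif flag == "optional":
            any_success = any_success or ok   # simplified: only matters if nothing else decides
        else:
            raise ValueError(f"unknown control flag {flag!r}")
    if required_failed:
        return False, called
    return any_success, called


def local_root_outcome(module: str) -> bool:
    """Constructed: root with a valid local password.  Every Solaris module
    succeeds; pam_lwidentity fails because 'root' does not exist in AD."""
    return module != "pam_lwidentity.so.1"


def ad_user_outcome(module: str) -> bool:
    """Constructed: an AD user.  pam_unix_auth fails (no local password),
    pam_lwidentity succeeds, everything else succeeds."""
    return module != "pam_unix_auth.so.1"


def compare_stacks() -> dict:
    """Run the quoted stack and the proposed change for the same local root login."""
    fixed = with_flag(CURRENT_LOGIN_STACK, "pam_unix_auth.so.1", "sufficient")
    return {
        "current": run_stack(CURRENT_LOGIN_STACK, local_root_outcome),
        "fixed": run_stack(fixed, local_root_outcome),
        "fixed_ad_user": run_stack(fixed, ad_user_outcome),
    }


if __name__ == "__main__":
    for name, (ok, called) in compare_stacks().items():
        print(f"{name}: success={ok}, modules called: {' -> '.join(called)}")
```

In the "current" run the walk reaches pam_lwidentity even though root already authenticated locally, which is exactly the noisy log line; in the "fixed" run it stops at pam_unix_auth. Note that pam_dial_auth is then no longer run for locally authenticated users, so if dial-up restrictions matter, that module needs to sit above the sufficient line.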
-----Original Message-----
From: Ross Wong <rosswon at yahoo.com>
Date: Fri, 23 May 2008 11:57:19
To:"W.H. Jamison, Jr." <whjamisonjr at mac.com>, "members at lists.seattle-sage.org" <members at lists.seattle-sage.org>
Subject: Re: [SASAG] PAM question about pam.conf file
Have you checked /etc/passwd for an additional "+" at the end of the file?
----- Original Message ----
From: "W.H. Jamison, Jr." <whjamisonjr at mac.com>
To: "members at lists.seattle-sage.org" <members at lists.seattle-sage.org>
Sent: Friday, May 23, 2008 11:23:55 AM
Subject: [SASAG] PAM question about pam.conf file
I'm installing the Centeris Likewise identity product on my *NIX systems so I can authenticate them against our AD domain. This is to make things easier for me, easier for my users who work with both *NIX systems and Windows, and to satisfy audit requirements (if Bob leaves the company, disabling Bob's AD login also disables any *NIX logins he might have).
The product works pretty well with a few exceptions; one of the annoying ones is that my log files are filled with spurious messages such as this:
May 23 10:33:34 kira su: [ID 737573 auth.error] pam_lwidentity(su): User 'root' is not known.
May 23 10:33:34 kira su: [ID 737573 auth.error] pam_lwidentity(su): User 'root' is not known.
May 23 11:00:00 kira cron[9769]: [ID 860675 user.error] pam_lwidentity(cron): User 'root' is not known.
May 23 11:00:00 kira cron[9769]: [ID 860675 user.error] pam_lwidentity(cron): User 'root' is not known.
May 23 11:00:00 kira cron[9769]: [ID 860675 user.error] pam_lwidentity(cron): User 'root' is not known.
I think that the reason I'm seeing these is because I'm not using Likewise to manage the system accounts, only user accounts, so PAM runs through its stack and authenticates root with another module but then fails when it gets to the pam_lwidentity module because there is no user 'root' defined in the AD domain. I could "fix" this by adding a pseudo "root" user to the AD domain, but what I'd rather do is configure my pam.conf file so that if a login, or su is successful with local authorization that the pam_lwidentity module is never checked. From reading the man pages on PAM it seems that the key to doing this lies in how the stack is ordered for that service and what the control flag for the service is. Currently my /etc/pam.conf has this entry for the login service stack.
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
login auth sufficient pam_lwidentity.so.1 try_first_pass
So it seems to me that I want to change the service order and the control flag for these services, but how do I change this to achieve the behavior I want, which is that if a login service is successful it returns immediately and doesn't bother processing the rest of the stack without screwing up PAM and bricking my system?
Thanks,
Jamie Jamison
_______________________________________________
Members mailing list
Members at lists.sasag.org
http://lists.sasag.org/mailman/listinfo/members