Subject: Re: trouble configuring pam using pam_ldap and pam_mount - msg#00032
List: linux.pam
On Saturday, 28 July 2007 21:30, Heiko Harders wrote:
> Hi,
>
> I'm trying to configure PAM for my needs all day now, but I can't get it
> right.
> I have an LDAP server which contains the user login information for my
> users. This server also serves the home directories using NFS.
>
> On my clients I use pam_ldap to authenticate and I use pam_mount to
> mount the home directories whenever a user logs on. This works fine. The
> problem is, whenever a local user on the client logs on, pam_mount tries
> to mount a home directory from the server. In my pam configuration I
> would like to specify that pam_mount shouldn't be executed whenever a
> local user logs on. But I can't figure out how.
What about uids? Normally the local uids occupy a different range, say
e.g. 0 - 1000, and the LDAP uids are above that range. I don't know if
pam_mount can distinguish this, but pam_cifs can do that. You only have to
export your users' homes via samba (using ldap as well). Don't forget to mount
the cifs shares with option serverino, otherwise you will have problems with
KDE files in users' home dirs.
> I use the default files
> in my '/etc/pam.d/' directory and I've modified the 'common-*' files in
> the following way:
>
> common-account:
> account sufficient pam_ldap.so
> account required pam_unix.so
>
> common-auth:
> auth required pam_mount.so
> auth sufficient pam_ldap.so use_first_pass
> auth sufficient pam_unix.so nullok_secure use_first_pass
>
> common-password:
> password sufficient pam_ldap.so
> password required pam_unix.so nullok obscure min=4 max=8 md5
>
> common-session:
> session optional pam_foreground.so
> ## I think I should add something overhere
> session required pam_mount.so
> session sufficient pam_ldap.so
> session required pam_unix.so
>
> I've tried to add a line in the common-session file, something like this:
> session [user_unknown=2 default=ignore] pam_ldap.so
> Hoping this would skip the next 2 lines if the user wasn't found on the
> ldap server. But this doesn't seem to work. The following line did work,
> but doesn't do what I want:
> session [default=2] pam_ldap.so
> In this case ALL users skip the next two lines.
>
> Has anyone a clue what I'm doing wrong? Is there something wrong in my
> syntax? Or is the complex approach wrong?
>
> Greetings,
> Heiko
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list
--
Wilhelm
Re: trouble configuring pam using pam_ldap and pam_mount
Some hours of trial and error later I still don't have it working...
but I can't understand why. The configurations I tried should (as seen
from my logic) work, but they don't. A few examples of configurations I
tried are listed below (by the way, I use Ubuntu 7.04 'Feisty Fawn'
clients, I didn't mention it before, but I thought it might be important):
## common-account (I changed this a bit according to an article I found,
written by Martin Schwenke):
account requisite pam_unix.so
account sufficient pam_localuser.so
account required pam_ldap.so
## common-auth:
# first authenticate for pam_mount, this is the only way (as far as I know)
# to prevent multiple password requests (as it seems 'use_first_pass'
# doesn't work for pam_mount.so)
auth required pam_mount.so
auth sufficient pam_ldap.so use_first_pass
auth required pam_unix.so nullok_secure use_first_pass
Next are the different versions of 'common-session' I tried.
## common-session [VERSION 1]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line jumps over the mounting
# but of course... it does for all users... (as expected)
session [default=1] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 2]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line doesn't seem to have any effect
# mounting is executed for local users and users in the ldap server
# I would have expected pam would terminate after this line
# when a local user logs on (because of the 'sufficient' control value)
session sufficient pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 3]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line gives 'su: Module is unknown' after
# the request for the password
session [user_unknown=ignore default=done] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 4]:
session optional pam_foreground.so
session requisite pam_unix.so
# the following line doesn't mount anything, not for
# local users and not for ldap users
# (in either case 'ok' or 'ignore')
session [user_unknown=ok/ignore default=2] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
## common-session [VERSION 5]:
session optional pam_foreground.so
# the following line does also mounting for local users
# (I also found this in the article by Martin Schwenke and adapted it a bit)
session [success=ok new_authtok_reqd=ok ignore=2 \
authinfo_unavail=ignore user_unknown=ignore default=bad]
pam_ldap.so \
ignore_unknown_user
session required pam_mount.so
session required pam_ldap.so
session requisite pam_unix.so
So still no success. As I said before, logging on works for local users
and for users in the LDAP. Mounting also works for the users in the
LDAP, but I would like to prevent the execution of pam_mount for local
users (because these users don't need mounting and if there is a user in
the LDAP with the same username/password combo, his/her homedir is
mounted on top of the local homedir. I would like to make sure local
users are more important).
Some other details that might be important: for testing the
configurations I use 'su' (it's the fastest way), but quite a few times I
also tried logging in with gdm (Gnome). There seems to be no difference,
and in my view that seems logical, because I only edit the
/etc/pam.d/common-* files (I don't edit any of the other files in that
directory).
Is there anybody who could explain why the listed examples don't work?
And what about my approach? Jose Plans already suggested using 'autofs',
but it seems to me that using pam_mount would be a cleaner approach.
Anyone any ideas on this? Is my approach perhaps outdated?
Greetings,
Heiko
Re: trouble configuring pam using pam_ldap and pam_mount
Wilhelm Meier wrote:
please show us the logs (add the debug option to every module
First the exact configuration I used, I added 'debug' to every line:
/etc/pam.d/common-account:
account required pam_unix.so debug
account sufficient pam_localuser.so debug
account required pam_ldap.so debug
/etc/pam.d/common-auth:
auth required pam_mount.so debug
auth sufficient pam_ldap.so use_first_pass debug
auth required pam_unix.so nullok_secure use_first_pass debug
/etc/pam.d/common-password:
password sufficient pam_ldap.so debug
password required pam_unix.so nullok obscure min=4 max=8 md5 debug
/etc/pam.d/common-session:
session optional pam_foreground.so debug
session [default=2 success=ignore] pam_succeed_if.so debug uid > 2000
session required pam_mount.so debug
session sufficient pam_ldap.so debug
session required pam_unix.so debug
/etc/pam.d/common-pammount: <empty>
Next, the logs (I'm not sure this is everything, it is everything I
could find in '/var/log/' but if there is another location I should
look, please tell me):
logged in as 'root' doing 'su heiko' (local user with uid 1000) and
after that directly 'exit':
/var/log/auth.log:
Jul 30 17:21:26 njord su[5758]: PAM unable to resolve symbol: pam_sm_open_session
Jul 30 17:21:26 njord su[5758]: PAM unable to resolve symbol: pam_sm_close_session
Jul 30 17:21:26 njord su[5758]: PAM unable to resolve symbol: pam_sm_open_session
Jul 30 17:21:26 njord su[5758]: PAM unable to resolve symbol: pam_sm_close_session
Jul 30 17:21:28 njord pam_localuser[5758]: checking "root:x:0:0:root:/root:/bin/bash "
<snip>pam_localuser checking all lines in /etc/passwd</snip>
Jul 30 17:21:29 njord pam_localuser[5758]: checking "heiko:x:1000:1000:Heiko Harders,,,:/home/heiko:/bin/bash "
Jul 30 17:21:29 njord su[5758]: Successful su for heiko by root
Jul 30 17:21:29 njord su[5758]: + pts/0 root:heiko
Jul 30 17:21:29 njord su[5758]: (pam_unix) session opened for user heiko by (uid=0)
Jul 30 17:21:31 njord su[5758]: (pam_unix) session closed for user heiko
logged in as 'root' doing 'su tdummy' (LDAP user with uid 2002) and
after that directly 'exit':
/var/log/auth.log:
Jul 30 17:30:30 njord su[6192]: PAM unable to resolve symbol: pam_sm_open_session
Jul 30 17:30:30 njord su[6192]: PAM unable to resolve symbol: pam_sm_close_session
Jul 30 17:30:30 njord su[6192]: PAM unable to resolve symbol: pam_sm_open_session
Jul 30 17:30:30 njord su[6192]: PAM unable to resolve symbol: pam_sm_close_session
Jul 30 17:30:32 njord pam_localuser[6192]: checking "root:x:0:0:root:/root:/bin/bash "
<snip>pam_localuser checking all lines in /etc/passwd</snip>
Jul 30 17:30:32 njord pam_localuser[6192]: checking "heiko:x:1000:1000:Heiko Harders,,,:/home/heiko:/bin/bash "
Jul 30 17:30:32 njord pam_localuser[6192]: checking "statd:x:110:65534::/var/lib/nfs:/bin/false "
Jul 30 17:30:32 njord su[6192]: Successful su for tdummy by root
Jul 30 17:30:32 njord su[6192]: + pts/0 root:tdummy
Jul 30 17:30:32 njord su[6192]: (pam_unix) session opened for user tdummy by (uid=0)
Jul 30 17:32:20 njord su[6192]: (pam_unix) session closed for user tdummy
logged in as 'heiko' (local user, uid 1000) with graphical login (gdm,
gnome):
/var/log/auth.log:
Jul 30 17:37:23 njord pam_localuser[4994]: checking "root:x:0:0:root:/root:/bin/bash "
<snip>pam_localuser checking all lines in /etc/passwd</snip>
Jul 30 17:37:23 njord pam_localuser[4994]: checking "heiko:x:1000:1000:Heiko Harders,,,:/home/heiko:/bin/bash "
Jul 30 17:37:23 njord gdm[4994]: (pam_unix) session opened for user heiko by (uid=0)
logged in as 'tdummy' (LDAP user, uid 2002) with graphical login (gdm,
gnome):
/var/log/auth.log:
Jul 30 17:37:05 njord pam_localuser[4994]: checking "root:x:0:0:root:/root:/bin/bash "
<snip>pam_localuser checking all lines in /etc/passwd</snip>
Jul 30 17:37:05 njord pam_localuser[4994]: checking "heiko:x:1000:1000:Heiko Harders,,,:/home/heiko:/bin/bash "
Jul 30 17:37:05 njord pam_localuser[4994]: checking "statd:x:110:65534::/var/lib/nfs:/bin/false "
Jul 30 17:37:05 njord gdm[4994]: (pam_unix) session opened for user tdummy by (uid=0)
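The control-flow question running through this thread (which modules in common-session actually execute for a local account versus an LDAP account under a given `[value=action ...]` line) can be reasoned about offline. The Python below is an added example, not code from the thread or from Linux-PAM: it applies the pam.conf(5) meaning of ok, bad, die, done, ignore and a numeric jump, plus the documented expansions of required/requisite/sufficient/optional, to three session stacks adapted from the messages above (the bare `[default=2] pam_localuser.so` line, the `pam_succeed_if.so uid > 2000` line, and a `[success=2 default=ignore]` variant). The return codes it assumes for pam_localuser, pam_succeed_if and the other modules are assumptions for illustration, not behaviour measured on the machine in the logs.

```python
"""Simulate Linux-PAM session-stack control flow (added example, not from the thread).

Module return codes are supplied by the caller; nothing here talks to a real
PAM library.  The codes chosen for pam_localuser and pam_succeed_if below are
assumptions for illustration, not measured behaviour.
"""
import re

# Expansions of the four classic control keywords, as documented in pam.conf(5).
SHORTHANDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

# type, control (keyword or [value=action ...]), module, optional arguments
LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_stack(text):
    """Parse pam.d-style lines into (action-table, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        _mtype, control, module, args = LINE_RE.match(line).groups()
        control = SHORTHANDS.get(control, control)
        table = dict(pair.split("=", 1) for pair in control.strip("[]").split())
        entries.append((table, module, args))
    return entries


def run_stack(text, module_rc):
    """Walk one stack.  module_rc maps module name -> return code for this user
    (anything unlisted returns 'success').  Returns (stack status, modules run)."""
    entries = parse_stack(text)
    executed = []
    status, failed = None, False
    i = 0
    while i < len(entries):
        table, module, _args = entries[i]
        rc = module_rc.get(module, "success")
        executed.append(module)
        action = table.get(rc, table.get("default", "bad"))
        i += 1
        if action == "ignore":
            continue                      # result does not count at all
        if action in ("bad", "die"):
            if not failed:                # first failure fixes the stack result
                failed, status = True, rc
            if action == "die":
                break                     # requisite-style: stop immediately
            continue
        if not failed:                    # ok / done / N all contribute like 'ok'
            status = rc
        if action == "done":
            if not failed:
                break                     # a prior failure keeps the stack going
        elif action.isdigit():
            i += int(action)              # jump over the next N modules
    return (status or "success"), executed


# Constructed session stacks, adapted from the configurations in this thread.
SKIP_ALWAYS = """
session optional pam_foreground.so
session requisite pam_unix.so
session [default=2] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
"""

SKIP_IF_LOCAL = """
session optional pam_foreground.so
session requisite pam_unix.so
session [success=2 default=ignore] pam_localuser.so
session required pam_mount.so
session required pam_ldap.so
"""

SKIP_IF_LOW_UID = """
session optional pam_foreground.so
session [default=2 success=ignore] pam_succeed_if.so uid > 2000
session required pam_mount.so
session sufficient pam_ldap.so
session required pam_unix.so
"""

# Assumed return codes: pam_localuser succeeds only for an /etc/passwd account,
# pam_succeed_if 'uid > 2000' fails for uid 1000 and passes for uid 2002.
LOCAL_USER = {"pam_localuser.so": "success", "pam_succeed_if.so": "auth_err"}
LDAP_USER = {"pam_localuser.so": "perm_denied", "pam_succeed_if.so": "success"}


def mounts_home(stack, user_rc):
    """True when pam_mount would be invoked for a user with these return codes."""
    return "pam_mount.so" in run_stack(stack, user_rc)[1]


if __name__ == "__main__":
    for name, stack in [("[default=2]", SKIP_ALWAYS),
                        ("[success=2 default=ignore]", SKIP_IF_LOCAL),
                        ("pam_succeed_if uid > 2000", SKIP_IF_LOW_UID)]:
        for who, rcs in [("local", LOCAL_USER), ("ldap", LDAP_USER)]:
            print(f"{name:28s} {who:5s} mount={mounts_home(stack, rcs)}")
```

Under these assumptions the simulator reproduces the observation in the thread that a bare `[default=2]` jumps for every account, because the jump fires on any return code; it also shows a side effect of that line, since a numeric jump contributes the module's result like ok, so for a non-local account the stack status becomes pam_localuser's failure code. The `[success=2 default=ignore]` form and the `pam_succeed_if.so uid > 2000` line skip pam_mount only for the local account. The simulator does not model pam_mount itself, and it says nothing about the "PAM unable to resolve symbol: pam_sm_open_session" lines in the logs, which libpam emits when a module listed in the session stack does not export that function.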