Re: cannot use shutdown (and others) with pam_ldap
On Thu, Mar 16, 2000 at 05:03:16PM -0300, Andreas Hasenack wrote:
> I'm currently using openldap-1.2.9 together with the latest nss_ldap and pam_ldap
> and I am successfully authenticating my users. I changed a lot in the /etc/pam.d
> files and think I've got it right. Almost every program which uses PAM works.
> I can use su, sudo, xdm, gdm, kdm, ftp, pop3 and many others.
> But the ones that use userhelper/consolehelper don't seem to work.
> Only users in the /etc/passwd file can use them. With others, nothing happens:
>
> [andreas@pandora andreas]$ shutdown
> [andreas@pandora andreas]$
>
> User "andreas" is only present in the ldap directory. If I do the same with a user which
> is in the /etc/passwd file, the command works.
> An strace results in (last lines):
>
> ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
> execve("/usr/sbin/userhelper", ["/usr/sbin/userhelper", "-t", "-w", "shutdown"], [/* 28 vars */]) = -1 EPERM (Operation not permitted)
> _exit(1) = ?

That's a red herring. Unless you're root, the EPERM is enforced by the
kernel to prevent tracing of setuid binaries.

The culprit here is probably usermode. I know for certain that the
version we put in RHL 6.0 had this problem (which stemmed from a problem
with pwdb), but I believe it was fixed in 6.1.

> My /etc/pam.d/shutdown:
>
> #%PAM-1.0
> auth sufficient /lib/security/pam_rootok.so
> auth required /lib/security/pam_console.so
> auth sufficient /lib/security/pam_pwdb.so
> auth required /lib/security/pam_ldap.so use_first_pass
> account required /lib/security/pam_permit.so

Change all instances of pam_pwdb in your files to pam_unix. The pam_pwdb
module uses pwdb instead of nsswitch for its back-end when looking up user
information, and pwdb doesn't understand things like LDAP or hesiod.

I've just tested this with the packaged versions from Raw Hide
(ftp://ftp.redhat.com/pub/rawhide/i386/RedHat/RPMS/), and it appears to
work correctly.

Cheers,
Nalin
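
The change described in the reply, as an added example that is not part of the original message or of any Red Hat tooling: it lists the active pam_pwdb lines in a PAM configuration directory and writes copies with pam_unix substituted, leaving the originals untouched. The function names and the temporary directory are assumptions; the sample file is the /etc/pam.d/shutdown quoted above.

```shell
#!/bin/sh
# Added example: find and replace pam_pwdb references in PAM service files.

# Print "file:line:content" for each active (non-comment) pam_pwdb line.
pwdb_lines() {
    awk -v f="$1" '!/^[ \t]*#/ && /pam_pwdb\.so/ { print f ":" NR ":" $0 }' "$1"
}

# Audit every regular file in a PAM directory (normally /etc/pam.d).
find_pwdb() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        pwdb_lines "$f"
    done
}

# Write fixed copies of the affected files into a separate directory so the
# change can be reviewed with diff before anything under /etc is replaced.
# Module arguments are carried over unchanged; review them after the swap.
rewrite_pwdb() {
    mkdir -p "$2" || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        [ -n "$(pwdb_lines "$f")" ] || continue
        sed '/^[[:space:]]*#/!s/pam_pwdb\.so/pam_unix.so/g' "$f" \
            > "$2/$(basename "$f")"
    done
}

# Constructed sample input: the shutdown service file from the message.
demo=$(mktemp -d)
mkdir "$demo/pam.d"
cat > "$demo/pam.d/shutdown" <<'EOF'
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
auth required /lib/security/pam_console.so
auth sufficient /lib/security/pam_pwdb.so
auth required /lib/security/pam_ldap.so use_first_pass
account required /lib/security/pam_permit.so
EOF

find_pwdb "$demo/pam.d"
rewrite_pwdb "$demo/pam.d" "$demo/fixed"
diff "$demo/pam.d/shutdown" "$demo/fixed/shutdown" || true
```

On a real system, run the two functions against /etc/pam.d and an empty output directory, and keep a root shell open while testing the rewritten files.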