
Re: cannot use shutdown (and others) with pam_ldap

On Thu, Mar 16, 2000 at 05:03:16PM -0300, Andreas Hasenack wrote:
> I'm currently using openldap-1.2.9 together with the latest nss_ldap and pam_ldap
> and I am successfully authenticating my users. I changed a lot in the /etc/pam.d
> files and think I've got it right. Almost every program which uses PAM works.
> I can use su, sudo, xdm, gdm, kdm, ftp, pop3 and many others.
> But the ones that use userhelper/consolehelper don't seem to work.
> Only users in the /etc/passwd file can use them. With others, nothing happens:
> [andreas@pandora andreas]$ shutdown
> [andreas@pandora andreas]$ 
> User "andreas" is only present in the ldap directory. If I do the same with a user which
> is in the /etc/passwd file, the command works.
> An strace results in (last lines):
> ioctl(0, TCGETS, {B38400 opost isig icanon echo ...}) = 0
> execve("/usr/sbin/userhelper", ["/usr/sbin/userhelper", "-t", "-w", "shutdown"], [/* 28 vars */]) = -1 EPERM (Operation not permitted)
> _exit(1)                                = ?

That's a red herring.  Unless you're root, the EPERM is enforced by the
kernel to prevent tracing of setuid binaries.

The culprit here is probably usermode.  I know for certain that the
version we put in RHL 6.0 had this problem (which stemmed from a problem
with pwdb), but I believe it was fixed in 6.1.

> My /etc/pam.d/shutdown:
> #%PAM-1.0
> auth       sufficient	/lib/security/pam_rootok.so
> auth       required	/lib/security/pam_console.so
> auth       sufficient	/lib/security/pam_pwdb.so
> auth       required	/lib/security/pam_ldap.so use_first_pass
> account    required	/lib/security/pam_permit.so

Change all instances of pam_pwdb in your files to pam_unix.  The pam_pwdb
module uses pwdb instead of nsswitch for its back-end when looking up user
information, and pwdb doesn't understand things like LDAP or hesiod.

I've just tested this with the packaged versions from Raw Hide
(ftp://ftp.redhat.com/pub/rawhide/i386/RedHat/RPMS/), and it appears to
work correctly.
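The fix in the reply above is mechanical: every PAM stack that names pam_pwdb.so has to name pam_unix.so instead, with the control flags and module arguments left alone, and afterwards nothing under /etc/pam.d should still reference pam_pwdb. The script below is an added example and is not part of this thread or of Red Hat's packages. It builds a throw-away directory (created with mktemp, an assumption for the example) holding the shutdown stack quoted above plus a hypothetical login stack, rewrites both in place while keeping a .orig copy, and then reports any file that still references pam_pwdb.

```shell
#!/bin/sh
# Added example, not from the original thread: swap pam_pwdb (pwdb back-end,
# which knows nothing about LDAP or hesiod) for pam_unix (nsswitch back-end)
# in a set of PAM stacks, then verify that no pam_pwdb reference remains.
# The temporary directory, its file names and the login stack are constructed.

# Rewrite every pam_pwdb.so reference to pam_unix.so; reads a PAM stack on
# stdin and writes the converted stack to stdout. Control flags and module
# arguments such as use_first_pass are kept exactly as they were.
pam_pwdb_to_unix() {
    sed 's/pam_pwdb\.so/pam_unix.so/g'
}

# Print the names of the files under a directory that still reference pam_pwdb
# (backup copies ending in .orig are ignored). Returns 0 if any were found,
# 1 if the directory is clean.
pam_pwdb_leftovers() {
    found=1
    for f in "$1"/*; do
        case "$f" in *.orig) continue ;; esac
        [ -f "$f" ] || continue
        if grep -q 'pam_pwdb' "$f"; then
            echo "$f"
            found=0
        fi
    done
    return "$found"
}

# Convert every stack under a directory in place, keeping a .orig copy of
# each file so the change can be reverted.
convert_pam_dir() {
    for f in "$1"/*; do
        case "$f" in *.orig) continue ;; esac
        [ -f "$f" ] || continue
        cp "$f" "$f.orig"
        pam_pwdb_to_unix < "$f.orig" > "$f"
    done
}

# Build a constructed /etc/pam.d-style directory: the shutdown stack quoted
# in the thread and a hypothetical login stack. Prints the directory name.
build_sample_pamdir() {
    d=$(mktemp -d)
    cat > "$d/shutdown" <<'EOF'
#%PAM-1.0
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_console.so
auth       sufficient   /lib/security/pam_pwdb.so
auth       required     /lib/security/pam_ldap.so use_first_pass
account    required     /lib/security/pam_permit.so
EOF
    cat > "$d/login" <<'EOF'
#%PAM-1.0
auth       required     /lib/security/pam_pwdb.so shadow nullok
account    required     /lib/security/pam_pwdb.so
password   required     /lib/security/pam_pwdb.so shadow nullok use_authtok
EOF
    echo "$d"
}

# Stand-alone demo: build the sample directory, convert it, show the result.
SAMPLE=$(build_sample_pamdir)
echo "before conversion, files referencing pam_pwdb:"
pam_pwdb_leftovers "$SAMPLE"
convert_pam_dir "$SAMPLE"
echo "converted shutdown stack:"
cat "$SAMPLE/shutdown"
pam_pwdb_leftovers "$SAMPLE" || echo "no pam_pwdb references remain"
rm -rf "$SAMPLE"
```

Run it against a copy of the real /etc/pam.d rather than the live directory first; the .orig files it leaves behind are the easiest way to diff what changed before committing the result.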