[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Need some help with this authentication problem

Tony Earnshaw wrote:
man, 2003-01-20 kl. 20:38 skrev charld:

If i 1) login as root and then
2) do a "su - ldaptestuser" this works!
i dont need the ldaptestuser password when i su from root.
and everything works fine but i cant change or do anything with the

This wouuld only confirm what I said about the files in /etc/pam.d. I
don't know how RH organizes things, I've always used source on my RH 7.2

I use /etc/pam.d files from redhat with no problems !

They are generated by the authconfig command which set them (actually system-auth file) to use ldap If you chosse ldap authentification. All services point to the central module stack file represented by system-auth


$ cat /etc/pam.d/login
auth       required	/lib/security/pam_securetty.so
auth       required	/lib/security/pam_stack.so service=system-auth
auth       required	/lib/security/pam_nologin.so
account    required	/lib/security/pam_stack.so service=system-auth
password   required	/lib/security/pam_stack.so service=system-auth
session    required	/lib/security/pam_stack.so service=system-auth
session    optional	/lib/security/pam_console.so

$ cat /etc/pam.d/system-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
#auth [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so use_first_pass
#auth required /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so

account required /lib/security/pam_unix.so
#account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
account sufficient /lib/security/pam_localuser.so
account [default=bad success=ok service_err=ignore system_err=ignore] /lib/security/pam_ldap.so

password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_ldap.so

Anyway, it doesn't prevent you from changing system-auth, as I did above for "account pam_localuser" (pb for local logins when ldap server was down) and "account user_unknown=ignore pam_ldap" (pb with /etc/ldap.conf personnal filter not used!)

1) login as myself (i am not in ldap)
2) su - ldaptestuser
and i get prompted for the password, i get a password incorrect.

I tried the authconfig command on the client and that didnt help.
I must be missing something real simple but it escapes me. I cut and
past the password from /etc/shadow into the account profile.

You can't just cut 'n paste. Get GQ 0.7 beta and compile and use it,
jump from www.biot.com, and you'll see why. You have to specify how the
password was encrypted ({crypt}, {sha1} etc.