Etienne, after being able to 'su' to an LDAP user I copied the pam.d directory to my home (I compare the corresponding files lower down). Then I installed krb5-user and libpam-krb5 (and had it [auth-client-config?] overwrite the PAM config). I tried to 'su' to user 'sudoldapuser' but I am prompted for a password (when I shouldn't be, since I have a TGT). Here is auth.log when I enter a garbage password:

su[19127]: nss_ldap: reconnected to LDAP server ldap://10.153.107.90 after 1 attempt
su[19127]: pam_krb5(su:auth): authentication failure; logname=sudoldapuser uid=1000 euid=0 tty=/dev/pts/1 ruser=ubuntu rhost=
su[19127]: pam_unix(su:auth): authentication failure; logname=ubuntu uid=1000 euid=0 tty=/dev/pts/1 ruser=ubuntu rhost= user=sudoldapuser
su[19127]: pam_authenticate: Authentication failure
su[19127]: FAILED su for sudoldapuser by ubuntu
su[19127]: - /dev/pts/1 ubuntu:sudoldapuser

ubuntu@ldapclient:/etc$ getent passwd sudoldapuser
sudoldapuser:x:1006:10003:Sudo Matulis:/home/sudoldapuser:/bin/bash

ubuntu@ldapclient:/etc$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: sudoldapuser@EXAMPLE.COM
Valid starting Expires Service principal
04/01/11 12:02:03 04/01/11 22:02:03 krbtgt/EXAMPLE.COM@EXAMPLE.COM
renew until 04/02/11 12:02:00

ubuntu@ldapclient:/etc$ grep -v ^# ~/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session required pam_mkhomedir.so
session optional pam_ldap.so

ubuntu@ldapclient:/etc$ grep -v ^# pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_krb5.so minimum_uid=1000
session required pam_unix.so
session optional pam_ldap.so

ubuntu@ldapclient:/etc$ grep -v ^# ~/pam.d/common-auth
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

ubuntu@ldapclient:/etc$ grep -v ^# pam.d/common-auth
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

ubuntu@ldapclient:/etc$ grep -v ^# ~/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

ubuntu@ldapclient:/etc$ grep -v ^# pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=1000
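Added example, not part of the paste: a small Python simulator of Linux-PAM control-flag evaluation run over the post-libpam-krb5 common-auth stack quoted above, showing which modules are consulted when pam_krb5 fails versus when it succeeds. The stack text and module names come from the paste; the evaluation rules are my reading of pam.conf(5), not Linux-PAM's own code, and pam_permit/pam_deny are given fixed results.

```python
"""Walk a Linux-PAM common-* stack as pam.conf(5) describes it: [success=N] is 'ok' plus
a jump over N modules, default=ignore drops a result, requisite dies on failure."""
import re

# Constructed sample input: the post-libpam-krb5 common-auth stack quoted in the paste.
COMMON_AUTH = """\
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""
# Keyword controls are shorthand for bracketed ones (pam.conf(5)); only those the paste uses.
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "optional":  {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text):
    """Return [(module, {retval: action})] for the non-comment lines of a PAM file."""
    stack = []
    for line in text.splitlines():
        m = re.match(r"\s*[a-z]+\s+(\[[^\]]*\]|\S+)\s+(\S+)", line)
        if not m: continue             # blank or comment line
        control, module = m.groups()
        actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                   if control.startswith("[") else KEYWORDS[control])
        stack.append((module, actions))
    return stack

def evaluate(stack, retvals):
    """Return (stack_result, consulted_modules); modules missing from `retvals` fail (assumption)."""
    fixed = {"pam_permit.so": "success", "pam_deny.so": "auth_err"}
    status, failed, consulted, i = None, False, [], 0
    while i < len(stack):
        module, actions = stack[i]
        rv = fixed.get(module, retvals.get(module, "auth_err"))
        consulted.append(module)
        action = actions.get(rv, actions.get("default", "bad"))
        jump = int(action) if action.isdigit() else 0
        if action in ("bad", "die"):   # first failure is the stack's result; die stops it
            if not failed:
                status, failed = rv, True
            if action == "die": break
        elif action in ("ok", "done") or jump:   # N is 'ok' plus a jump; ignore changes nothing
            if not failed and status in (None, "success"):
                status = rv
            if action == "done" and not failed: break
        i += 1 + jump
    return (status or "perm_denied"), consulted
```

With all three password modules failing, the trace runs through the ignored results down to pam_deny.so, which is the path the pam_krb5 and pam_unix failures in the auth.log above reflect.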