
Re: calling pam_sm_open_session



Kelli Wolfe wrote:
> 
> Hi all,
> 
> I'm back to debugging my telnet not working with LDAP problem.
> We're using RedHat 6.2, OpenLDAP 1.2.10, pam_ldap-70, nss_ldap-113.
> 
> When I attempt to telnet from machine bb to aa, /var/log/messages
> on the client machine (aa) looks like telnet is working, the
> session is opened and the messages look the same as if I was
> logging in at the console.  Except the exit status 1 happens
> immediately and I get "Connection closed by foreign host."
> 
> Looking into the code for pam_pwdb, the function opening the
> connection (pam_sm_open_session) has to be returning success.
> So, I'm looking for what initially calls pam_sm_open_session.
> Is it called directly from inetd?  I'm trying to understand
> how PAM gets integrated into the OS.

All this PAM stuff is called from /bin/login, which is launched by telnetd.

The whole thing looks like there is some bug in login/PAM/modules.
I'd suggest running strace on inetd (with -f), attempting to log in
via telnet as you already did, and looking at the strace output.
For this, you can (on the server machine, bb):

 # ps -C inetd
  <this will show pid of inetd process, it was 432 in your logs>
 # strace -o trc -p PID_OF_INETD -f
  <at this point, connect from aa as usual, and after that hit Ctrl-C
here>
 # <now you have a rather big file called "trc">

The 'trc' file will be large...  But it may show the trouble.
(Note that it can also contain passwords, so be careful with that.)
If you are unable to interpret it yourself, post it here (compressed),
or send it directly to me (also compressed).  But again, be careful with
passwords that may be in that file (you can change them in that file
before sending).

> 
> I can login with an LDAP account or a system account at the console.
> I cannot telnet with either account.
> 
> /aa//var/log/messages
> Sep 22 14:00:47 aa login: exiting pam_sm_acct_mgmt 0
> Sep 22 14:00:47 aa PAM_pwdb[9139]: (login) session opened for user josie by
> (uid=0)
> Sep 22 14:00:47 aa inetd[472]: pid 9138: exit status 1
> 
> /aa//etc/pam.d/login looks like this:
> #%PAM-1.0
> auth       required     /lib/security/pam_securetty.so
> auth       required     /lib/security/pam_nologin.so
> auth       sufficient   /lib/security/pam_ldap.so
> auth       required     /lib/security/pam_pwdb.so shadow use_first_pass
> account    sufficient   /lib/security/pam_ldap.so
> account    required     /lib/security/pam_pwdb.so
> password   required     /lib/security/pam_cracklib.so
> password   sufficient   /lib/security/pam_ldap.so use_authtok md5
> password   required     /lib/security/pam_pwdb.so shadow md5 use_authtok use_first_pass
> session    required     /lib/security/pam_pwdb.so
> session    required     /lib/security/pam_limits.so
> 

Regards,
 Michael.
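Added example, not part of this thread: a small Python script that does the post-processing Michael describes on a `strace -f -o trc` capture of inetd. It follows the fork chain from the attached inetd pid down to the child that exited non-zero (so the chain inetd -> in.telnetd -> /bin/login is visible, and /bin/login is the process whose PAM session calls are in question), prints that process's last few syscalls, and blanks the buffer argument of read/write-style calls before the file is shared, because the login child reads the password from the terminal. The trace it parses is a constructed sample that reuses the pids from the quoted log; it is not a real capture, and the failing syscall in it is illustrative only, not a diagnosis of the poster's problem.

```python
import re

# Constructed sample of `strace -f -o trc -p <inetd pid>` output.  Not a real
# capture; pids mirror the quoted /var/log/messages, the ENOENT is made up.
SAMPLE_TRACE = r"""
472   accept(4, {sa_family=AF_INET, sin_port=htons(1034), sin_addr=inet_addr("10.0.0.2")}, [16]) = 5
472   fork() = 9138
9138  execve("/usr/sbin/in.telnetd", ["in.telnetd"], [/* 12 vars */]) = 0
9138  fork() = 9139
9139  execve("/bin/login", ["login", "-h", "bb", "-p"], [/* 14 vars */]) = 0
9139  open("/etc/pam.d/login", O_RDONLY) = 3
9139  read(0, "josie\r\n", 4096) = 7
9139  read(0, "s3cret\r\n", 4096) = 8
9139  open("/lib/security/pam_pwdb.so", O_RDONLY) = 4
9139  write(3, "<38>PAM_pwdb[9139]: (login) session opened for user josie by (uid=0)", 69) = 69
9139  open("/etc/security/limits.conf", O_RDONLY) = -1 ENOENT (No such file or directory)
9139  _exit(1) = ?
9138  wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 9139
9138  _exit(1) = ?
472   wait4(-1, [WIFEXITED(s) && WEXITSTATUS(s) == 1], WNOHANG, NULL) = 9138
""".strip("\n")

LINE_RE = re.compile(r"^(\d+)\s+(.*)$")                       # "pid  call(...)" with -f
EXIT_RE = re.compile(r"^(?:_exit|exit_group)\((\d+)\)|^\+\+\+ exited with (\d+) \+\+\+")
FORK_RE = re.compile(r"^(?:fork|vfork|clone)\(.*\)\s*=\s*(\d+)$")
EXEC_RE = re.compile(r'^execve\("([^"]+)"')
# Buffer argument of I/O calls: the login child reads the password here.
SECRET_RE = re.compile(r'^((?:read|write|recv|recvfrom|send|sendto)\(\d+,\s*)"(?:[^"\\]|\\.)*"')


def parse_trace(text):
    """Split strace -f output into (pid, call) pairs; lines without a pid prefix are dropped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def exit_statuses(entries):
    """Map every pid that terminated to its exit status (old and new strace exit styles)."""
    status = {}
    for pid, call in entries:
        m = EXIT_RE.match(call)
        if m:
            status[pid] = int(m.group(1) or m.group(2))
    return status


def process_tree(entries):
    """Return (parent_of, image_of): who forked whom, and the path each pid exec'd."""
    parent_of, image_of = {}, {}
    for pid, call in entries:
        m = FORK_RE.match(call)
        if m:
            parent_of[int(m.group(1))] = pid
        m = EXEC_RE.match(call)
        if m:
            image_of[pid] = m.group(1)
    return parent_of, image_of


def ancestry(parent_of, image_of, pid):
    """Chain from the attached root process down to pid.  The root never exec'd
    inside the trace (strace attached to it), so its image is unknown."""
    chain = []
    while pid is not None:
        chain.append((pid, image_of.get(pid, "(attached)")))
        pid = parent_of.get(pid)
    return list(reversed(chain))


def tail_of(entries, pid, n=5):
    """Last n syscalls made by pid before it went away."""
    return [call for p, call in entries if p == pid][-n:]


def scrub(call):
    """Blank the buffer of every I/O syscall so the trace can be posted.  Deliberately
    coarse: narrowing it to fd 0 would keep the syslog text but risk missing a copy."""
    return SECRET_RE.sub(lambda m: m.group(1) + '"<redacted>"', call)


def failing_leaves(entries):
    """Processes that exited non-zero and are not merely relaying a child's failure
    (inetd logs the telnetd pid, but the interesting exit is further down)."""
    status = exit_statuses(entries)
    parent_of, _ = process_tree(entries)
    bad = [p for p, s in status.items() if s != 0]
    parents_of_bad = {parent_of.get(p) for p in bad}
    return [p for p in bad if p not in parents_of_bad]


def report(text, context=5):
    """One block per failing leaf: its fork ancestry and its scrubbed last syscalls."""
    entries = parse_trace(text)
    parent_of, image_of = process_tree(entries)
    status = exit_statuses(entries)
    out = []
    for pid in failing_leaves(entries):
        chain = " -> ".join(f"{p} {img}" for p, img in ancestry(parent_of, image_of, pid))
        out.append(f"exit {status[pid]} in: {chain}")
        out.extend("    " + scrub(c) for c in tail_of(entries, pid, context))
    return "\n".join(out)


if __name__ == "__main__":
    # Real use: python3 this.py < trc   (reads the file strace -o wrote)
    import sys
    print(report(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TRACE))
```

Run it against the real `trc` and the first line of the report tells you which process actually exited 1 and how inetd reached it; the scrubbed tail is what is safe to paste to the list.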
