RE: Thank you to Rick Stevens - Authentication Login Errors
- From: "Greg Ennis" <PoMec PoMec Net>
- To: <redhat-install-list redhat com>
- Subject: RE: Thank you to Rick Stevens - Authentication Login Errors
- Date: Sat, 28 Jun 2003 15:00:34 -0500
Dear Rick,
Just wanted to let you know I figured out what had happened to my RH 8.0
system, well at least I tried something and the problem appeared to resolve.
I really don't know why or what! My RH 8.0 system seems to be working OK
now. The problem appeared to be resident in the /etc/pam.d/system.auth
file. The way I stumbled on the solution was as follows:
I knew the problem occurred sometime around 22 or 23 hours on the night of
the 12th of June because of the authentication errors you had me look up in
the '/var/log/messages' file. You had advised me to try to reinstall the
original PAM RPMs from Disc #1 of RH 8.0. After doing that the problem
authentication errors with logons did not resolve. You had me download and
run chkrootkit in single user mode to find that there was no rootkit on the
system.
After logging on under single user mode I decided to poke around the
/etc/pam.d directory to see if any files had been modified around the time
the system became unstable and found two files: system-auth with a date of
6/12 and time of 22:32 and system-auth.org with a date of 2-17 and a time of
21:37. The files were different with some ldap entries in the more recent
file.
I saved system-auth under a new name and copied the *.org file to name of
system-auth. When I rebooted my problems were solved and I could log on to
all appropriate accounts.
The contents of the system-auth file that caused the problems is as follows:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
----------------------------------------------------------------------------
The contents of the system.auth.org file that actually caused the system to
work was:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
----------------------------------------------------------------------------
I do not remember doing anything with ldap. I have wondered about ldap, but
do not recall setting anything up to use it or modify it.
I have a couple of questions:
1. How do I update the most recent RPMs of PAM to replace the 'forced'
installation of the original PAM modules you instructed me to do? I tried
to download the most recent PAM modules for RH 8.0 from Redhat, but when I
tried to install them I received notice that they are already installed. I
presume I should do another 'forced' install, but wanted to make sure before
I did anything.
2. What really is ldap? Do I need these entries in the system-auth file?
How do you think all of this may have happened?
Rick, thanks again for all of your help off-line and on this list in order
to get this problem resolved.
Greg Ennis
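
Added example, not part of the original message: a small parser for pam.d-style files that reports which rules differ between two versions of a stack, run here on the two system-auth listings quoted above. The names parse_pam and stack_changes are hypothetical, and the embedded input is constructed from the message with wrapped lines rejoined and comment lines trimmed.

```python
import re
from collections import namedtuple

PamRule = namedtuple("PamRule", "type control module args")
RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

# Constructed input: the two stacks quoted in the message (wrapped lines
# rejoined, comment lines trimmed). Helper names below are illustrative.
ORIGINAL = """#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
"""
MODIFIED = """#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore \\
    system_err=ignore] /lib/security/pam_ldap.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_ldap.so
"""
def parse_pam(text):
    """Return PamRule tuples; skips comments, joins backslash continuations."""
    lines = text.replace("\\\n", " ").splitlines()
    found = (RULE.match(l.split("#", 1)[0].strip()) for l in lines)
    return [PamRule(m[1], " ".join(m[2].split()), m[3], m[4]) for m in found if m]

def stack_changes(old_text, new_text):
    """Rules added to and removed from a stack, each in file order."""
    old, new = parse_pam(old_text), parse_pam(new_text)
    return [r for r in new if r not in old], [r for r in old if r not in new]

if __name__ == "__main__":
    added, removed = stack_changes(ORIGINAL, MODIFIED)
    for r in added:
        print("+", r.type, r.control, r.module, r.args)
```

On the quoted files the only difference is one pam_ldap.so rule added to each of the four module types; nothing from the original stack was removed.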