Problem with user root

Joe Lewis joe at joe-lewis.com
Fri May 21 15:34:49 UTC 2004


I did a quick search on google using "pam_ldap down root access", and the
first link provided the following information:

[...snip...]
  account     [ authinfo_unavail=ignore ignore=ignore success=ok
default=bad ]\
                            /lib/security/pam_ldap.so ignore_unknown_user
[...snip...]

  authinfo_unavail=ignore: if the LDAP server dies, pam_ldap will
    return the error code 'authinfo_unavail.'  If this code is not
    ignored, then even root won't be able to log in.

In YOUR configuration, you had service_err=ignore, and system_err=ignore,
but no authinfo_unavail=ignore.  Put this in and see if things work
better.  Perhaps this is what you are experiencing?

Joe

> Hi,
>
> I've added in the /etc/pam.d/system-auth the next line
>
> auth sufficient /lib/security/pam_rootok.so
>
> but the user root can't log in to the system yet.
>
> In the logs, I get the next error messages:
>
> login: pam_ldap: ldap_simple_bind Can't contact LDAP server
> login: Authentication service cannot retrieve authentication info
>
> I've probed with pam_localuser.so too, but I get the same error.
>
>
>
>>From: "Tay, Gary" <Gary_Tay at platts.com>
>>Reply-To: Pluggable Authentication Modules <pam-list at redhat.com>
>>To: "Pluggable Authentication Modules" <pam-list at redhat.com>
>>Subject: RE: Problem with user root
>>Date: Fri, 21 May 2004 17:00:46 +0800
>>
>>Hi,
>>
>>Just guessing, u may want to add "rootok" somewhere...
>>
>>See /usr/share/doc/pam-0.75/txts/README.pam_rootok, and all text files
>>in the txts dir.
>>
>>Rgds
>>Gary
>>
>># $Id: README,v 1.1.1.1 2000/06/20 22:11:56 agmorgan Exp $
>>#
>>
>>this module is an authentication module that performs one task: if the
>>id of the user is '0' then it returns 'PAM_SUCCESS'. With the
>>'sufficient' /etc/pam.conf control flag it can be used to allow
>>password-free access to some service for 'root'.
>>
>>Recognized arguments:
>>
>>         debug           write a message to syslog indicating success or
>>                         failure.
>>
>>module services provided:
>>
>>         auth            _authentication and _setcred (blank)
>>
>>Andrew Morgan
>>
>>
>>-----Original Message-----
>>From: pam-list-bounces at redhat.com [mailto:pam-list-bounces at redhat.com]
>>On Behalf Of Javier Ferruz Rodriguez
>>Sent: Friday, May 21, 2004 4:23 PM
>>To: pam-list at redhat.com
>>Subject: Problem with user root
>>
>>
>>Hi,
>>
>>I've configured my RHEL 2.1 AS for authenticating users in LDAP. My LDAP
>>server is SunOne Directory 5.2
>>
>>My /etc/nsswitch.conf file is
>>
>>passwd files ldap
>>group files ldap
>>shadow files ldap
>>
>>My /etc/pam.d/login
>>
>>auth       required /lib/security/pam_securetty.so
>>auth       required /lib/security/pam_stack.so service=system-auth
>>auth       required /lib/security/pam_nologin.so
>>account    required /lib/security/pam_stack.so service=system-auth
>>password   required /lib/security/pam_stack.so service=system-auth
>>session    required /lib/security/pam_stack.so service=system-auth
>>session    required /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
>>session    optional /lib/security/pam_console.so
>>
>>
>>My /etc/pam.d/system-auth is
>>
>>auth        required      /lib/security/pam_env.so
>>auth        sufficient    /lib/security/pam_unix.so likeauth nullok
>>auth        sufficient    /lib/security/pam_ldap.so use_first_pass
>>auth        required      /lib/security/pam_deny.so
>>account     required      /lib/security/pam_unix.so
>>account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/pam_ldap.so
>>password    required      /lib/security/pam_cracklib.so retry=3 type=
>>password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
>>password    sufficient    /lib/security/pam_ldap.so use_authtok
>>password    required      /lib/security/pam_deny.so
>>session     required      /lib/security/pam_limits.so
>>session     required      /lib/security/pam_unix.so
>>session     optional      /lib/security/pam_ldap.so
>>
>>The configuration is OK when the LDAP server is running. All users are
>>validated in the LDAP server except root.
>>
>>When the LDAP server is down, root can't validate in the system. Why?
>>
>>Can anybody help me?
>>
>>Thanks in advance,
>>
>>
>>
>>_______________________________________________
>>Pam-list mailing list
>>Pam-list at redhat.com https://www.redhat.com/mailman/listinfo/pam-list
>>
>
>
>


Joe Lewis
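The point in this thread is how Linux-PAM combines the return values of the modules in a stack under the `[value=action ...]` control syntax. The following is an added example, not code from the thread, from Linux-PAM or from pam_ldap: a small Python simulation of that stack evaluation, run over the auth and account stacks quoted above for the root user, with the LDAP server up and down. It assumes the keyword-to-bracket mapping documented in pam.conf(5), stubs each module's return value per scenario (pam_ldap is assumed to return `authinfo_unavail` when it cannot reach the directory, which is the condition behind the "cannot retrieve authentication info" message in the log), treats return values with no listed action and no `default` as `bad`, and does not model the `reset` action or numeric jumps, which the stacks here do not use.

```python
"""Simulate Linux-PAM's evaluation of a module stack that uses the
[value=action ...] control syntax, applied to the stacks quoted in this
thread. Constructed example: not code from Linux-PAM or pam_ldap, and the
module return values below are stubbed per scenario, not produced by real
modules."""

# Bracket-form equivalents of the classic control keywords, as documented
# in pam.conf(5).
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}


def parse_control(control):
    """Map a control field ('required' or '[k=v ...]') to {return_value: action}."""
    control = KEYWORDS.get(control.strip(), control.strip())
    return dict(item.split("=", 1) for item in control.strip("[]").split())


def evaluate_stack(stack, returns):
    """Walk a list of (control, module) entries in order.

    `returns` maps each module to the PAM return value it would yield in the
    scenario being simulated (e.g. 'success', 'authinfo_unavail').
    Supported actions: ok, done, bad, die, ignore. The 'reset' action and
    numeric jumps are not modelled (assumption: the thread does not use them).
    Returns the stack's final return value."""
    impression = None   # None: nothing decided yet, True: positive, False: negative
    status = "success"
    for control, module in stack:
        actions = parse_control(control)
        retval = returns[module]
        # Unlisted return values fall back to 'default'; if that is absent too,
        # treat them as 'bad' (assumption: the conservative reading of pam.conf(5)).
        action = actions.get(retval, actions.get("default", "bad"))
        if action == "ignore":
            continue                      # contributes nothing to the result
        if action in ("ok", "done"):
            # 'ok' only overrides a still-positive state; a prior failure stays.
            if impression is None or (impression and status == "success"):
                impression, status = True, retval
            if impression and action == "done":
                break                     # sufficient module succeeded: stop here
        elif action in ("bad", "die"):
            if impression is not False:
                impression, status = False, retval   # first failure wins
            if action == "die":
                break                     # requisite-style failure: stop at once
        else:
            raise ValueError(f"unsupported action {action!r} in {control!r}")
    return status if impression is not None else "perm_denied"


# The poster's /etc/pam.d/system-auth auth stack (module paths shortened).
AUTH = [
    ("required", "pam_env.so"),
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),
    ("required", "pam_deny.so"),
]

# The poster's account stack, and the same stack with authinfo_unavail=ignore
# added to the pam_ldap entry as the reply suggests.
ACCOUNT_ORIGINAL = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]",
     "pam_ldap.so"),
]
ACCOUNT_FIXED = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore"
     " authinfo_unavail=ignore]", "pam_ldap.so"),
]

# Stubbed module results for root (a local account, not in LDAP). pam_ldap is
# assumed to return authinfo_unavail when it cannot contact the directory.
ROOT_LDAP_UP = {"pam_env.so": "success", "pam_unix.so": "success",
                "pam_ldap.so": "user_unknown", "pam_deny.so": "auth_err"}
ROOT_LDAP_DOWN = dict(ROOT_LDAP_UP, **{"pam_ldap.so": "authinfo_unavail"})


if __name__ == "__main__":
    for name, stack in [("auth", AUTH), ("account (original)", ACCOUNT_ORIGINAL),
                        ("account (with authinfo_unavail=ignore)", ACCOUNT_FIXED)]:
        for scen, returns in [("LDAP up", ROOT_LDAP_UP), ("LDAP down", ROOT_LDAP_DOWN)]:
            print(f"{name:40s} {scen:10s} -> {evaluate_stack(stack, returns)}")
```

Running it shows that root's auth stack passes in both scenarios (pam_unix is `sufficient` and sits before pam_ldap, so the LDAP outage is never consulted), while the original account stack turns pam_ldap's `authinfo_unavail` into a failure through `default=bad`; adding `authinfo_unavail=ignore` lets the account stack fall back to pam_unix's verdict. The cost of that setting is that pam_ldap's account-side checks are skipped for everyone while the directory is unreachable, leaving only pam_unix's local checks in force, which is the trade-off an administrator accepts to keep local root usable during an outage.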