pam/winbind user not found problem

RB aoz.syn at gmail.com
Thu Jul 16 18:34:06 UTC 2009


On Thu, Jul 16, 2009 at 11:58, Les Mikesell <les at futuresource.com> wrote:
> This isn't strictly a PAM issue, but rather with the default RHEL5.x
> configuration (and Centos, and probably fedora).  Does anyone know what they
> were thinking?

Ostensibly, they were trying to authenticate system users without
passing said users' credentials on to winbind.  Whether intentional or
not, it seems they assumed users would have a UID that could be
resolved by pam_unix.  That's often the case, but with proper
enterprise-level user management (no local accounts) the assumption
breaks.

> Should most pam auth modules know anything about uid's?

By all means - auth is probably the most important place for UIDs/GIDs
to be known.

> I thought that was account info.  If the idea is to keep the 'system' accounts
> (below 500 by convention) in the passwd file, is there a better way to do it?

Probably should have used something to this effect instead of 'requisite':

[success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore]

Which is, of course, according to pam.conf(5) the same as 'requisite'
with the added control of ignoring unknown users.  Allows the stack to
shortcut if it's a system user with bad credentials but still passes
completely unresolved credentials on.
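
The control line above placed in a full auth stack, as an added example that is not part of the thread; the surrounding module lines, the `uid >= 500` threshold and the module options are assumed from the authconfig-style RHEL 5 winbind layout the thread refers to, and the module doing the uid check is assumed to be pam_succeed_if:

```text
# /etc/pam.d/system-auth, auth section only (assumed authconfig-style
# layout for RHEL 5 with winbind; not copied from the thread).

# Weak: the uid check has to resolve the user to compare the UID. A user who
# is not in /etc/passwd and cannot be resolved through NSS makes the module
# return PAM_USER_UNKNOWN. 'requisite' is shorthand for
# [success=ok new_authtok_reqd=ok ignore=ignore default=die], so that result
# maps to 'die' and the stack ends before pam_winbind is ever consulted.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so

# Corrected: the same mappings as 'requisite' plus user_unknown=ignore.
# An unresolvable user no longer aborts the stack and falls through to
# pam_winbind with the already-collected password (use_first_pass); a
# resolvable local account with uid < 500 still hits default=die here and
# is never forwarded to winbind.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        [success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore] pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_winbind.so use_first_pass
auth        required      pam_deny.so
```

After changing the line, verify with a domain user that `getent passwd` cannot resolve and with a local uid < 500 account using a wrong password: the first should reach winbind, the second should still be rejected at the uid check without winbind being contacted.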
