jlongs2 (n00b)
Joined: 12 Jul 2005  Posts: 15
Posted: Thu Jan 26, 2006 2:08 am  Post subject: PAM setup with sudo not working
I have PAM with LDAP set up on my server, with 60 or so users. Users can log in against LDAP (except root) without a shadow file (/etc/shadow moved to /etc/shadow.old), but sudo won't authenticate against it, so the other admin and I can't use sudo without our entries in /etc/shadow.

/etc/pam.d/sudo:
Code:
auth      include  system-auth
account   include  system-auth
password  include  system-auth
session   include  system-auth
/etc/pam.d/system-auth:
Code:
auth      required    pam_env.so
auth      sufficient  pam_unix.so likeauth nullok
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so
account   sufficient  pam_unix.so
account   sufficient  pam_ldap.so
password  required    pam_cracklib.so retry=3
password  sufficient  pam_unix.so nullok md5 shadow use_authtok
password  sufficient  pam_ldap.so use_authtok
password  required    pam_deny.so
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_ldap.so
session   required    pam_mkhomedir.so skel=/etc/skel/ umask=0
What's up with that?

---
ACM @ UIC
http://acm.cs.uic.edu -- running on gentoo
hermanng (Apprentice)
Joined: 28 Jan 2004  Posts: 175  Location: Nussberg, Germany, Earth
Posted: Thu Jan 26, 2006 2:43 pm
Hmm, I'm not quite sure why you have moved /etc/shadow. I use the usual

    passwd: files ldap
    shadow: files ldap
    group:  files ldap

in /etc/nsswitch.conf, so /etc/passwd, /etc/shadow and LDAP are all used. I also use a slightly different /etc/pam.d/system-auth with

    account required   pam_unix.so
    account sufficient pam_localuser.so
    account required   pam_ldap.so

and I use /etc/passwd and /etc/shadow for the "real local users" only, i.e. no entries for the LDAP users in there.

Hermann
jlongs2 (n00b)
Joined: 12 Jul 2005  Posts: 15
Posted: Thu Jan 26, 2006 5:27 pm
hermanng wrote:
> Hmm, I'm not quite sure why you have moved /etc/shadow. I use the usual
'Cos if /etc/shadow has my entry in it, sudo works, by authenticating against /etc/shadow -- and it shouldn't be doing that.
hermanng wrote:
> and I use /etc/passwd resp. /etc/shadow for the "real local users" only, i.e. no entries for the ldap users in there.

I suppose I can just keep the two admins in /etc/shadow and everyone else in LDAP, but I want sudo to authenticate against LDAP. Thing is, it should be... it's using the same system-auth as every other service, and those all work fine.

---
ACM @ UIC
http://acm.cs.uic.edu -- running on gentoo
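The stacks posted in the first message can be checked on paper with a small simulator of Linux-PAM's control-flag rules (required, requisite, sufficient, optional, include). This is an added example, not code from the thread: it embeds the two files as posted, resolves the include from /etc/pam.d/sudo into system-auth, and evaluates the auth and account stacks for hand-supplied per-module results (the results dictionaries are constructed; pam_deny.so and any module not listed in them fail).

```python
PAM_D = {  # constructed from the two files posted in the thread
    "sudo": """\
auth include system-auth
account include system-auth
password include system-auth
session include system-auth""",
    "system-auth": """\
auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so""",
}

def resolve(service, facility):
    """(control, module, args) rules for one facility, following 'include'."""
    rules = []
    for line in PAM_D[service].splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        if parts[1] == "include":
            rules.extend(resolve(parts[2], facility))
        else:
            rules.append((parts[1], parts[2], parts[3:]))
    return rules

def run_stack(rules, results):
    """Simplified Linux-PAM dispatch; unlisted modules (e.g. pam_deny.so) fail."""
    impression = None  # None: undecided, True: positive, False: negative
    for control, module, _args in rules:
        ok = results.get(module, False)
        if control == "sufficient":
            if ok and impression is not False:
                return True  # success ends the stack unless a required module failed
        elif control in ("required", "requisite"):
            if not ok:
                impression = False  # remembered; the stack keeps running
                if control == "requisite":
                    return False  # requisite failure ends the stack at once
            elif impression is None:
                impression = True
        elif control == "optional" and ok and impression is not False:
            impression = True
    return impression is True  # nothing positive (only ignored failures) denies

def sudo_result(facility, results):  # sudo's resolved stack for 'auth' or 'account'
    return run_stack(resolve("sudo", facility), results)
```

For an LDAP-only admin (pam_unix.so fails, pam_ldap.so succeeds) the posted auth and account stacks both return success, which matches the poster's expectation that the include alone should let sudo authenticate against LDAP. The account stack, made only of sufficient modules, still denies when neither succeeds, because a stack in which nothing returned success is a failure even without a trailing pam_deny.so.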