Kyle Tucker
2006-Oct-26 16:27 UTC
[Fedora-directory-users] Use of NetGroups breaks local logins
Hi all,

New installation of FDS 1.0.2 on FC5. I have gotten netgroup access to host logins set up and working by following the steps in this document.

http://directory.fedora.redhat.com/wiki/Howto:Netgroups

This required the addition of this new (second) line in the account section of /etc/pam.d/system-auth for the access.netgroup.conf file to avoid issues with crond, which they don't elaborate on.

account required pam_unix.so broken_shadow debug
account required pam_access.so accessfile=/etc/security/access.netgroup.conf
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
account required pam_permit.so

But now I am seeing these failures in /var/log/secure.

Oct 25 18:01:01 lin2600 crond[22707]: pam_access(crond:account): access denied for user `root' from `cron'

I also cannot log in as root.

So firstly, is all the advice in the above document accurate? Is the placement of this line incorrect (I am just starting to play with PAM) or do I need to add entries for root (or ALL) in /etc/security/access.conf (presently all commented out as it appears to be the default setup)?

Thanks.

--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
Subhendu Ghosh
2006-Oct-26 16:38 UTC
Re: [Fedora-directory-users] Use of NetGroups breaks local logins
On Thu, 2006-10-26 at 12:27 -0400, Kyle Tucker wrote:
> Hi all,
> New installation of FDS 1.0.2 on FC5. I have gotten netgroup access
> to host logins set up and working by following the steps in this document.
>
> http://directory.fedora.redhat.com/wiki/Howto:Netgroups
>
> This required the addition of this new (second) line in the account section
> of /etc/pam.d/system-auth for the access.netgroup.conf file to avoid issues
> with crond, which they don't elaborate on.
>
> account required pam_unix.so broken_shadow debug
> account required pam_access.so accessfile=/etc/security/access.netgroup.conf
> account sufficient pam_succeed_if.so uid < 500 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so debug
> account required pam_permit.so
>
> But now I am seeing these failures in /var/log/secure.
>
> Oct 25 18:01:01 lin2600 crond[22707]: pam_access(crond:account): access denied
> for user `root' from `cron'
>
> I also cannot log in as root.
>
> So firstly, is all the advice in the above document accurate? Is the placement
> of this line incorrect (I am just starting to play with PAM) or do I need to
> add entries for root (or ALL) in /etc/security/access.conf (presently all
> commented out as it appears to be the default setup)?
>
> Thanks.

Hi Kyle

I came across this issue (those are my notes ;)

/etc/pam.d/crond should contain
auth sufficient pam_rootok.so

Try adding an account line as well

/etc/pam.d/crond
account sufficient pam_rootok.so

-sg
Kyle Tucker
2006-Oct-26 16:41 UTC
Re: [Fedora-directory-users] Use of NetGroups breaks local logins
> I came across this issue (those are my notes ;)
>
> /etc/pam.d/crond should contain
> auth sufficient pam_rootok.so
>
> Try adding an account line as well
>
> /etc/pam.d/crond
> account sufficient pam_rootok.so

But this won't affect my inability to log in as root. Both direct sshd logins and 'su -' fail, the latter with "incorrect password". I know the password for this system definitely.

--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
Subhendu Ghosh
2006-Oct-26 17:40 UTC
Re: [Fedora-directory-users] Use of NetGroups breaks local logins
On Thu, 2006-10-26 at 12:41 -0400, Kyle Tucker wrote:
> > I came across this issue (those are my notes ;)
> >
> > /etc/pam.d/crond should contain
> > auth sufficient pam_rootok.so
> >
> > Try adding an account line as well
> >
> > /etc/pam.d/crond
> > account sufficient pam_rootok.so
>
> But this won't affect my inability to log in as root. Both direct sshd
> logins and 'su -' fail, the latter with "incorrect password". I know
> the password for this system definitely.
>

Add to access.netgroup.conf:

+:root:

this will clear up the root access issue.

However - netgroup users will not be able to run cron jobs unless they are added to /etc/security/access.conf

--
-sg
Kyle Tucker
2006-Oct-26 17:41 UTC
Re: [Fedora-directory-users] Use of NetGroups breaks local logins
> Add to access.netgroup.conf:
>
> +:root:
>
> this will clear up the root access issue.
>
> However - netgroup users will not be able to run cron jobs unless they
> are added to /etc/security/access.conf

Okay, I will try this. Thank you very much.

--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
Kyle Tucker
2006-Oct-26 22:47 UTC
Re: [Fedora-directory-users] Use of NetGroups breaks local logins
> On Thu, 2006-10-26 at 12:41 -0400, Kyle Tucker wrote:
> > > I came across this issue (those are my notes ;)
> > >
> > > /etc/pam.d/crond should contain
> > > auth sufficient pam_rootok.so

This line was there.

> > > Try adding an account line as well
> > > /etc/pam.d/crond
> > > account sufficient pam_rootok.so

I added this one.

> Add to access.netgroup.conf:
> +:root:
> this will clear up the root access issue.

So root can indeed log in now. But this doesn't seem right that I should have to add any local user that needs access to this file. I also get this error now in /var/log/secure.

Oct 26 18:01:01 lin2600 crond[28799]: PAM unable to resolve symbol: pam_sm_acct_mgmt

I will play with the PAM directives and see if I can get things better.

Thanks.

--
- Kyle
---------------------------------------------
kylet@panix.com http://www.panix.com/~kylet
---------------------------------------------
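
Added example, not part of the original thread: a simplified Python model of pam_access's first-match rule evaluation, showing why root's cron job is denied under a netgroup-only access file and why each local account then needs its own rule. The file contents, the sysadmins netgroup, the user names and the explicit ALL origin on the root rule are constructed assumptions.

```python
# Simplified model of pam_access rule evaluation (first matching rule wins).
# Handles only ALL, plain names and @netgroup tokens; EXCEPT and LOCAL are omitted.

NETGROUPS = {"sysadmins": {"alice"}}  # constructed netgroup membership

BEFORE = """\
# constructed access.netgroup.conf: one netgroup allowed, everyone else denied
+:@sysadmins:ALL
-:ALL:ALL
"""
AFTER = "+:root:ALL\n" + BEFORE  # root rule placed ahead of the deny-all line


def parse(text):
    """Return (permission, users, origins) tuples, skipping comments and blanks."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = line.split(":", 2)
        rules.append((perm, users.split(), origins.split()))
    return rules


def token_matches(token, value, netgroups=None):
    """Match one rule token against a user name or an origin."""
    if token == "ALL":
        return True
    if netgroups is not None and token.startswith("@"):
        return value in netgroups.get(token[1:], set())
    return token == value


def access_allowed(text, user, origin):
    """Apply the first rule whose user and origin fields both match."""
    for perm, users, origins in parse(text):
        if (any(token_matches(t, user, NETGROUPS) for t in users)
                and any(token_matches(t, origin) for t in origins)):
            return perm == "+"
    return True  # pam_access grants access when no rule matches


if __name__ == "__main__":
    cases = (("root", "cron"), ("alice", "client.example.com"), ("backup", "cron"))
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        for user, origin in cases:
            verdict = "granted" if access_allowed(conf, user, origin) else "denied"
            print(label, user, origin, verdict)
```

Because this pam_access line sits in system-auth, every service that includes that stack is checked against the same file, so a deny-all last rule applies to local accounts and cron as well as to netgroup logins.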