The account in /etc/passwd.. Prashanth Sundaram wrote:> > Yes, it works when there is a matching local user account.do you mean an account in /etc/passwd? or an account in LDAP?> ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users redhat com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
Prashanth Sundaram wrote:> The account in /etc/passwd..Seems like a pam problem and/or misconfiguration then - if it finds the entry using pam_krb5, it should never look at /etc/passwd.> > ------------------------------------------------------------------------ > Prashanth Sundaram wrote: > > > Yes, it works when there is a matching local user account. > > do you mean an account in /etc/passwd? or an account in LDAP? > > ------------------------------------------------------------------------ > > -- > 389 users mailing list > 389-users redhat com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > >
Here is my /etc/pam.d/ldapserver auth sufficient /lib/security/pam_krb5.so use_first_pass forwardable password sufficient /lib/security/pam_krb5.so use_authtok session optional /lib/security/pam_krb5.so account sufficient /lib/security/pam_krb5.so ~ ~ To revisit, here''s the observation: pamsecure when set to TRUE authenticates users only to the password in 389-ds, but when set to FALSE will authenticate to the AD password only if the uid exists in /etc/passwd. On 9/22/09 10:36 AM, "Rich Megginson" <rmeggins@redhat.com> wrote:> Prashanth Sundaram wrote: >> The account in /etc/passwd.. > Seems like a pam problem and/or misconfiguration then - if it finds the > entry using pam_krb5, it should never look at /etc/passwd. >> >> ------------------------------------------------------------------------ >> Prashanth Sundaram wrote: >> >> >> Yes, it works when there is a matching local user account. >> >> do you mean an account in /etc/passwd? or an account in LDAP? >> >> ------------------------------------------------------------------------ >> >> -- >> 389 users mailing list >> 389-users redhat com >> https://www.redhat.com/mailman/listinfo/fedora-directory-users >> >> >> >
Hi, You should not verify the users locally (there is a "no_user_check" to add). The authoritative source of validation should be AD/Kerberos. Here is the config that works for us : auth sufficient /lib/security/pam_krb5.so no_user_check account required /lib/security/pam_krb5.so no_user_check 2009/9/22 Prashanth Sundaram <psundaram@wgen.net>:> Here is my /etc/pam.d/ldapserver > > auth sufficient /lib/security/pam_krb5.so use_first_pass > forwardable > > password sufficient /lib/security/pam_krb5.so use_authtok > > session optional /lib/security/pam_krb5.so > > account sufficient /lib/security/pam_krb5.so > ~ > ~ > > > To revisit, here''s the observation: pamsecure when set to TRUE authenticates > users only to the password in 389-ds, but when set to FALSE will > authenticate to the AD password only if the uid exists in /etc/passwd. > > > On 9/22/09 10:36 AM, "Rich Megginson" <rmeggins@redhat.com> wrote: > >> Prashanth Sundaram wrote: >>> The account in /etc/passwd.. >> Seems like a pam problem and/or misconfiguration then - if it finds the >> entry using pam_krb5, it should never look at /etc/passwd. >>> >>> ------------------------------------------------------------------------ >>> Prashanth Sundaram wrote: >>> >>> >>> Yes, it works when there is a matching local user account. >>> >>> do you mean an account in /etc/passwd? or an account in LDAP?
Prashanth Sundaram wrote:> Here is my /etc/pam.d/ldapserver > > auth sufficient /lib/security/pam_krb5.so use_first_pass > forwardable > > password sufficient /lib/security/pam_krb5.so use_authtok > > session optional /lib/security/pam_krb5.so > > account sufficient /lib/security/pam_krb5.so > ~ > ~ > > > To revisit, here''s the observation: pamsecure when set to TRUE authenticates > users only to the password in 389-ds, but when set to FALSE will > authenticate to the AD password only if the uid exists in /etc/passwd. >That''s really bizarre - the only place where pamSecure is used is here: if (cfg->pamptconfig_secure) { /* is a secure connection required? */ int is_ssl = 0; slapi_pblock_get(pb, SLAPI_CONN_IS_SSL_SESSION, &is_ssl); if (!is_ssl) { slapi_log_error( SLAPI_LOG_PLUGIN, PAM_PASSTHRU_PLUGIN_SUBSYSTEM, "<= connection not secure (secure connection required; check config)"); return retcode; } } That is, if pamSecure is true, requests will be rejected unless using TLS/SSL. Do you have your directory server configured to use TLS/SSL when using pamSecure: TRUE?> > On 9/22/09 10:36 AM, "Rich Megginson" <rmeggins@redhat.com> wrote: > > >> Prashanth Sundaram wrote: >> >>> The account in /etc/passwd.. >>> >> Seems like a pam problem and/or misconfiguration then - if it finds the >> entry using pam_krb5, it should never look at /etc/passwd. >> >>> ------------------------------------------------------------------------ >>> Prashanth Sundaram wrote: >>> >>> >>> Yes, it works when there is a matching local user account. >>> >>> do you mean an account in /etc/passwd? or an account in LDAP? >>> >>> ------------------------------------------------------------------------ >>> >>> -- >>> 389 users mailing list >>> 389-users redhat com >>> https://www.redhat.com/mailman/listinfo/fedora-directory-users >>> >>> >>> >>> > >