thr3ads.net - freebsd security - I have no name prompt and no passwords recognized [Nov 2016]

If this information is useful, please help other people find it:
Share via:

Ronny Forberger

2016-Nov-13 16:05 UTC

I have no name prompt and no passwords recognized

> Ronny Forberger <ronnyforberger at ronnyforberger.de> hat am 13.
November 2016 um
> 11:29 geschrieben:
> 
>  Hi,
> 
>  > Alan Hicks via freebsd-security <freebsd-security at
freebsd.org> hat am 13.
>  > November 2016 um 10:37 geschrieben:
>  >
>  >
>  >
>  > On 12/11/2016 17:07, Ronny Forberger wrote:
>  > > Hi,
>  > > I am using SSSD and FreeBSD to authenticate against samba4.
>  > > I used this howto setting all up:
>  > >
http://serverfault.com/questions/599200/how-to-integrate-active-directory-with-freebsd-10-0-using-security-sssd
>  > >
>  > > But when I want to logon using password, i.e. via dovecot I get
wrong
>  > > password.
>  > > Neigher can I use sudo typing the correct samba4 password.
>  > >
>  > > Also I get a prompt [I have no name!@HOSTNAME] and my files,
which I
>  > > chowned &
>  > > chgrped to the samba user and group only show IDs as owner.
>  > This means the system does not know who you are. What authentication
>  > system are you using? For example using net/nss-pam-ldap here gives
the
>  > same error when ldap goes away or upgrading ports. Restarting the
>  > authentication service restores access here.
>   
>  I am using sssd but restarting sssd didn't help. Any other ideas?
> 
I found out, that /var/run/sss needed mode 0755.

But I still can't use passwords.

My /etc/pam.d/system looks like:

# auth
auth sufficient pam_opie.so no_warn no_fake_prompts
auth requisite pam_opieaccess.so no_warn allow_local
#auth sufficient pam_krb5.so no_warn try_first_pass
#auth sufficient pam_ssh.so no_warn try_first_pass
auth sufficient /usr/local/lib/pam_sss.so
auth required pam_unix.so no_warn try_first_pass nullok

# account
#account required pam_krb5.so
account required pam_login_access.so
account required pam_unix.so
account required /usr/local/lib/pam_sss.so ignore_unknown_user

# session
#session optional pam_ssh.so want_agent
session required pam_lastlog.so no_fail
session optional /usr/local/lib/pam_sss.so

# password
#password sufficient pam_krb5.so no_warn try_first_pass
password sufficient /usr/local/lib/pam_sss.so use_authtok
password required pam_unix.so no_warn try_first_pass

 

What am I doing wrong?

Best regards,

Ronny
>  >
>  > >
>  > > Any ideas how to solve this? Can this maybe be a permission
problem with
>  > > some
>  > > file for sssd / NSS which an unprivileged user cannot read?
>  > >
>  > > Best regards,
>  > > Ronny Forberger
>  > > ___________________________________
>  > > Ronny Forberger
>  > > ronnyforberger at ronnyforberger.de
>  > > PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
>  > > _______________________________________________
>  > > freebsd-security at freebsd.org mailing list
>  > > https://lists.freebsd.org/mailman/listinfo/freebsd-security
>  > > To unsubscribe, send any mail to
>  > > "freebsd-security-unsubscribe at freebsd.org"
>  > >
>  >
>  > Regards,
>  > Alan
>  > _______________________________________________
>  > freebsd-security at freebsd.org mailing list
>  > https://lists.freebsd.org/mailman/listinfo/freebsd-security
>  > To unsubscribe, send any mail to "freebsd-security-unsubscribe
at freebsd.org"
>  >
>  Best regards,
>  Ronny
>  ___________________________________
>  Ronny Forberger
>  ronnyforberger at ronnyforberger.de
>  PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
> 
 
___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html

Dag-Erling Smørgrav

2016-Nov-14 09:26 UTC

head link

I have no name prompt and no passwords recognized

Ronny Forberger <ronnyforberger at ronnyforberger.de>
writes:> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_sss.so
> auth required pam_unix.so no_warn try_first_pass nullok
I don't have the answer to your question, but I'd like to point out that
you don't need to include the full path to the module.  PAM will look in
/usr/local/lib if it can't find the module in /usr/lib.  You can even
leave out the .so suffix (since OpenPAM Nummularia / FreeBSD 9.3)

Two other things: 1) make sure the service you're trying to use actually
uses the system policy or a policy that includes it (sshd doesn't) and
2) if you add the "debug" keyword to every pam_sss line in your PAM
policy, OpenPAM will log every call to the pam_sss module, everything it
does on behalf of that module, and the outcome of the call through
syslog (by default, it should go to /var/log/debug.log).

DES
-- 
Dag-Erling Sm?rgrav - des at des.no

freebsd security - Nov 2016 - I have no name prompt and no passwords recognized

I have no name prompt and no passwords recognized

I have no name prompt and no passwords recognized