Dag-Erling Smørgrav
2016-Nov-14 09:26 UTC
I have no name prompt and no passwords recognized
Ronny Forberger <ronnyforberger at ronnyforberger.de> writes:
> # auth
> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> #auth sufficient pam_krb5.so no_warn try_first_pass
> #auth sufficient pam_ssh.so no_warn try_first_pass
> auth sufficient /usr/local/lib/pam_sss.so
> auth required pam_unix.so no_warn try_first_pass nullok

I don't have the answer to your question, but I'd like to point out that
you don't need to include the full path to the module. PAM will look in
/usr/local/lib if it can't find the module in /usr/lib. You can even
leave out the .so suffix (since OpenPAM Nummularia / FreeBSD 9.3)

Two other things: 1) make sure the service you're trying to use actually
uses the system policy or a policy that includes it (sshd doesn't) and
2) if you add the "debug" keyword to every pam_sss line in your PAM
policy, OpenPAM will log every call to the pam_sss module, everything it
does on behalf of that module, and the outcome of the call through
syslog (by default, it should go to /var/log/debug.log).

DES
--
Dag-Erling Smørgrav - des at des.no

> Dag-Erling Smørgrav <des at des.no> wrote on 14 November 2016 at 10:26:
>
> Ronny Forberger <ronnyforberger at ronnyforberger.de> writes:
> > # auth
> > auth sufficient pam_opie.so no_warn no_fake_prompts
> > auth requisite pam_opieaccess.so no_warn allow_local
> > #auth sufficient pam_krb5.so no_warn try_first_pass
> > #auth sufficient pam_ssh.so no_warn try_first_pass
> > auth sufficient /usr/local/lib/pam_sss.so
> > auth required pam_unix.so no_warn try_first_pass nullok
>
> I don't have the answer to your question, but I'd like to point out that
> you don't need to include the full path to the module. PAM will look in
> /usr/local/lib if it can't find the module in /usr/lib. You can even
> leave out the .so suffix (since OpenPAM Nummularia / FreeBSD 9.3)

ok

> Two other things: 1) make sure the service you're trying to use actually
> uses the system policy or a policy that includes it (sshd doesn't) and

I am using sudo with password and it should use the system policy.

> 2) if you add the "debug" keyword to every pam_sss line in your PAM
> policy, OpenPAM will log every call to the pam_sss module, everything it
> does on behalf of that module, and the outcome of the call through
> syslog (by default, it should go to /var/log/debug.log).

My /var/log/debug.log only says:

Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_USER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_TTY
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RUSER
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_RHOST
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_AUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_OLDAUTHTOK
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in pam_set_data(): entering: 'pam_sss:fd_destructor'
Nov 13 17:32:01 macy su: in pam_set_data(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_setcred(): success

What can be wrong?

Best regards,
Ronny

> DES
> --
> Dag-Erling Smørgrav - des at des.no

___________________________________
Ronny Forberger
ronnyforberger at ronnyforberger.de
PGP: http://www.ronnyforberger.de/pgp/email-encryption.html
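
Added example (not part of the thread, and not code from OpenPAM or its authors): a Python script that picks the module return lines out of OpenPAM debug output in the format quoted above and groups them by calling program, so it is easy to see which service reached pam_sss and what each primitive returned. The function names are hypothetical, the sample lines are copied from the log excerpt in the thread, and the optional "[pid]" after the program name is an assumption about other syslog configurations.

```python
import re
from collections import defaultdict

# Lines copied from the debug.log excerpt quoted in the thread (shortened).
SAMPLE = """\
Nov 13 17:31:59 macy sudo: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_authenticate(): authentication error
Nov 13 17:32:01 macy su: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_sss.so
Nov 13 17:32:01 macy su: in pam_get_item(): entering: PAM_SERVICE
Nov 13 17:32:01 macy su: in pam_get_item(): returning PAM_SUCCESS
Nov 13 17:32:01 macy su: in openpam_dispatch(): /usr/local/lib/pam_sss.so: pam_sm_setcred(): success
"""

# Return lines look like:
#   <timestamp> <host> <program>: in openpam_dispatch(): <module>: <primitive>(): <outcome>
# "calling ..." lines and pam_get_item()/pam_set_data() traces do not match.
RESULT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s"
    r"(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s"          # optional [pid] is an assumption
    r"in openpam_dispatch\(\):\s(?P<module>\S+):\s"
    r"(?P<prim>pam_sm_\w+)\(\):\s(?P<outcome>.+)$"
)

def parse_results(text):
    """Return one dict per module return line, in log order."""
    return [m.groupdict() for m in map(RESULT.match, text.splitlines()) if m]

def outcomes_by_program(results):
    """Map program name -> [(module, primitive, outcome), ...]."""
    summary = defaultdict(list)
    for r in results:
        summary[r["prog"]].append((r["module"], r["prim"], r["outcome"]))
    return dict(summary)

def failures(results):
    """Module calls whose logged outcome is anything other than 'success'."""
    return [r for r in results if r["outcome"] != "success"]

if __name__ == "__main__":
    parsed = parse_results(SAMPLE)
    for prog, calls in outcomes_by_program(parsed).items():
        for module, prim, outcome in calls:
            print(f"{prog:6} {module} {prim}: {outcome}")
    for f in failures(parsed):
        print(f"FAILED {f['ts']} {f['prog']} {f['prim']} -> {f['outcome']}")
```
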