similar to: Using PAM_USER for user mappings

<<pam_user.patch>> Hello. I created a patch that causes sshd to take notice of the value of PAM_USER after calling into the pam_xxx functions. This makes it possible for a PAM module to effect user mappings by setting the value of PAM_USER with pam_set_item(). If anyone has comments or suggestions, let me know. Thanks, Jeremy -------------- next part -------------- A non-text

In 1.2.1 there's: passdb-pam.c:230 status = pam_get_item(pamh, PAM_USER, &item); passdb-pam.c:237 auth_request_set_field(request, "user", item, NULL); so "item" is PAM_USER, which is then checked by auth_request_set_field: 1022 if (strcmp(request->user, value) != 0) { 1023 auth_request_log_debug(request,

I've implemented a patch to openssh which allows the PAM auth layer to detect if the PAM stack has changed the user name and then adjusts its internal data structures accordingly. (imagine a PAM stack that uses individual credentials to authenticate, but assigns the user to a role account). First, is the openssh community interested in this patch? Second, if there is interest in the patch,

Hi, I'm trying to change the PAM_USER within a pam module, and observed that dovecot 0.99 does not support this. I then looked at 1.x and found: src/auth/passdb-pam.c:232: /* FIXME: this doesn't actually work since we're in the child process.. */ status = pam_get_item(pamh, PAM_USER, (linux_const void **)&item); if (status !=

>> >Could we please have a clarification on the semantics of >> >PAM_CRED_ESTABLISH vs. the semantics of PAM_REINITIALIZE_CREDS? >> >> My interpretation is: >> >> You call PAM_ESTABLISH_CRED to create them >> You call PAM_REINITIALIZE_CRED to update creds that can expire over time, >> for example a kerberos ticket. Oops. I meant

>Neither the Sun PAM documentation nor the Linux-PAM documentation >describe the semantics of PAM_REINITIALIZE_CREDS in any useful detail. I would agree it is vague, but then that is also a problem with the XSSO document (http://www.opengroup.org/onlinepubs/008329799/) >Could we please have a clarification on the semantics of >PAM_CRED_ESTABLISH vs. the semantics of

As many of you know, OpenSSH 3.7.X, unlike previous versions, makes PAM authentication take place in a separate process or thread (launched from sshpam_init_ctx() in auth-pam.c). By default (if you don't define USE_POSIX_THREADS) the code "fork"s a separate process. Or if you define USE_POSIX_THREADS it will create a new thread (a second one, in addition to the primary thread). The

The following patch (relative to -current) makes PAM a proper kbd-interactive citizen. There are a few limitations (grep for todo), but the code seems to work OK for protocols 1 & 2 with and without privsep. Please have a play! auth2-pam.c is based on code from FreeBSD. Index: auth2-chall.c =================================================================== RCS file:

> -----Original Message----- > From: samba [mailto:samba-bounces at lists.samba.org] On Behalf Of L.P.H. van > Belle via samba > Sent: 24 July 2018 09:41 > To: samba at lists.samba.org > Subject: Re: [Samba] Failed to establish your Kerberos Ticket cache due time > differences with the domain controller > > I did re-read the whole thread again. > > Im running out

rhbz#719837 Signed-off-by: Joey Boggs <jboggs at redhat.com> --- scripts/ovirt-config-installer.py | 50 +++++++++++++++++-------------------- scripts/ovirt-config-setup.py | 1 - 2 files changed, 23 insertions(+), 28 deletions(-) diff --git a/scripts/ovirt-config-installer.py b/scripts/ovirt-config-installer.py index 637c64c..7c66676 100644 ---

Dear list members, I am running a small active directory domain for my home network. Everything is working as expected, except for the authentication of active directory users on my machines running debian wheezy. Here is my setup: 1) Active Directory Domain Controller is running on a raspberrypi (raspbian) with samba compiled from source (v4-1-stable from git repository) 2) WIndows 7 machines

http://bugzilla.mindrot.org/show_bug.cgi?id=278 Darren.Moffat at Sun.COM changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution| |WONTFIX ------- Additional Comments From Darren.Moffat at Sun.COM

Hi, I am having problems using pam_winbind to log in as a user in a trusted domain. The arrangement is that Samba is joined to a local domain DOMLOCAL which has a trust setup with DOMREMOTE. getent passwd/group correctly enumerates users and groups from DOMLOCAL. If I try getent passwd for the DOMREMOTE account no result is returned. pam_winbind has a requirement that the user is a member of

Hi, I'm currently trying the 3.2 version of winbindd (pam + nss + winbindd). I would like to loging with the userPrincipalName on ? Win 2k3 but I can't. Winbindd retrun NT_STATUS_INVALID_PARAMETER_MIX (PAM: 4) Any idea winbindd --version output : Version 3.2.0pre2-GIT--e 85eec1d-test My smb.conf file : [global] security = ads realm =

On 7/28/2020 4:11 PM, Jason Keltz wrote: > > On 7/28/2020 3:59 PM, Jason Keltz via samba wrote: >> I'm experimenting with smb + winbind. >> >> My host is joined to AD and I can login to my host fine using my AD >> credentials via SSH.?? The only issue is that I don't get a Kerberos >> ticket generated. >> >> In

Hi I try to use windbind rule to authenticate users in dovecot login procedure. /etc/nsswitch.conf file: passwd: files winbind shadow: files winbind group: files winbind when I try logon from my console to dovecot (pop3 server): # telnet komp14 110 Trying 10.10.10.38... Connected to komp.xxx.xxx (10.10.10.38). Escape character is '^]'. +OK Dovecot ready. user tt1 +OK pass xxxxxxxxx -ERR

http://bugzilla.mindrot.org/show_bug.cgi?id=1215 Summary: sshd requires entry from getpwnam for PAM accounts Product: Portable OpenSSH Version: 4.3p2 Platform: Other OS/Version: All Status: NEW Severity: enhancement Priority: P2 Component: PAM support AssignedTo: bitbucket at mindrot.org

Hi Team, We have a weird issue that we are trying to understand. We have winbind set up and working successfully for user authentication with passwords via ssh. We have pam.d/system-auth-ac and password-auth-ac (symlinked) set to require membership of a group which works great via password authentication. However, if the user has a ssh key set up, they seem to bypass the group membership

Hi, I am using PAM authentication on 3.8p1. In my PAM auth module I can turn on debug logging that includes a timestamp in the form "mm/dd/yy hh:mm:ss". Life is good. I want to upgrade from 3.8p1 so I can use PAM for PasswordAuthentication in addition to keyboard-interactive. I have compiled both 4.1p1 and 4.3p2 and the PAM authentication for both methods works fine in both

On Tue, 1 Feb 2005, it was written: > Nicolas Lopez wrote: > > maildir and most of my accounts in LDAP. Since the accounts are created > > through a web interface on another server home directories on the mail > > server don't get created automatically. There's the handy pam module > > pam_mkhomedir.so to automagically create home directories, but >