Mailinglist Archive: opensuse (878 mails)

[opensuse] Locked out by PAM
Hi
We have a client where only students in group year11 should be able to
log in.

I keep getting locked out with this:
account required pam_succeed_if.so user ingroup year11

getent group year11 lists members correctly.

I've tried this:
http://serverfault.com/questions/483643/linux-pam-pam-succeed-if-so

But it fails. I think because we're using sssd and I don't know the
correct order. The position in the stack seems to matter. Here is ours:

account requisite pam_unix.so try_first_pass
account sufficient pam_localuser.so
account required pam_sss.so use_first_pass

auth required pam_env.so
auth optional pam_gnome_keyring.so
auth sufficient pam_unix.so try_first_pass
auth required pam_sss.so use_first_pass


session required pam_limits.so
session required pam_unix.so try_first_pass
session optional pam_sss.so
session optional pam_umask.so
session optional pam_systemd.so
session optional pam_gnome_keyring.so auto_start only_if=gdm,gdm-password,lxdm,lightdm
session optional pam_env.so

If I try to authenticate, I do not even get a password prompt:

2013-09-01T11:22:14.438159+02:00 hh16 su: pam_xauth(su:session): error
creating temporary file `/home/users/lynn2/.xauthXPkISk': No such file
or directory

This leads me to believe that it must come after the pam_sss.so line
since I can see that sssd has (correctly) identified me as it knows my
home directory.

I have to remove the line I'm testing in a second root shell, whereupon
I can login normally:

2013-09-01T11:43:34.642148+02:00 hh16 su: pam_unix(su:auth):
authentication failure; logname=lynn uid=1000 euid=0 tty=pts/2
ruser=lynn rhost= user=lynn2
2013-09-01T11:43:35.371140+02:00 hh16 su: pam_sss(su:auth):
authentication success; logname=lynn uid=1000 euid=0 tty=pts/2
ruser=lynn rhost= user=lynn2
2013-09-01T11:43:35.373290+02:00 hh16 su: (to lynn2) lynn on /dev/pts/2
2013-09-01T11:43:35.431413+02:00 hh16 su: pam_unix(su:session): session
opened for user lynn2 by lynn(uid=1000)

It's the same if I try logging in on another tty rather than su.

Is there a pam-config way of adding this?
Anyone?
Thanks
L x
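Since the question is about where the pam_succeed_if line belongs, here is an added example (not code from the post or from pam-config) that simulates Linux-PAM control-flag semantics for the account stack quoted above with the group check inserted at each possible position. It assumes constructed per-module results: pam_unix.so succeeds, pam_localuser.so succeeds only for /etc/passwd users, pam_sss.so succeeds only for sssd users, and pam_succeed_if.so succeeds only for year11 members.

```python
# Added example: simulate how Linux-PAM walks an account stack so the effect of
# the pam_succeed_if line's position becomes visible. Module results are
# constructed assumptions, not real PAM calls.

ACCOUNT_STACK = [                       # the account stack from the post, in order
    ("requisite", "pam_unix.so"),
    ("sufficient", "pam_localuser.so"),
    ("required", "pam_sss.so"),
]
GROUP_CHECK = ("required", "pam_succeed_if.so user ingroup year11")


def module_results(local_user, in_year11):
    """Assumed outcomes for one user: local (/etc/passwd) vs sssd-only."""
    return {
        "pam_unix.so": "success",                          # assume no expiry issues
        "pam_localuser.so": "success" if local_user else "fail",
        "pam_sss.so": "fail" if local_user else "success",  # assume sssd ignores local users
        GROUP_CHECK[1]: "success" if in_year11 else "fail",
    }


def evaluate(stack, results):
    """Return 'success' or 'fail' following Linux-PAM control-flag rules."""
    required_failed = False
    for control, module in stack:
        ok = results[module] == "success"
        if control == "requisite" and not ok:
            return "fail"                 # stop immediately
        if control == "required" and not ok:
            required_failed = True        # keep walking, but the stack will fail
        if control == "sufficient" and ok and not required_failed:
            return "success"              # short-circuit: later lines are never reached
        # 'optional' does not decide the result while other modules are present
    return "fail" if required_failed else "success"


def outcome(position, local_user, in_year11):
    """Result for a user when GROUP_CHECK is inserted at index `position`."""
    stack = list(ACCOUNT_STACK)
    stack.insert(position, GROUP_CHECK)
    return evaluate(stack, module_results(local_user, in_year11))


if __name__ == "__main__":
    for pos in range(len(ACCOUNT_STACK) + 1):
        print(f"check at index {pos}: local root not in year11 -> "
              f"{outcome(pos, True, False)}, sssd year11 student -> "
              f"{outcome(pos, False, True)}, sssd non-year11 -> "
              f"{outcome(pos, False, False)}")
```

Under these assumptions, placing the check before the sufficient pam_localuser.so line subjects local accounts (root included) to the year11 test, while placing it after that line leaves local accounts untouched and restricts only sssd users.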

