[opensuse] Locked out by PAM
We have a client where only students in group year11 should be able to

I keep getting locked out with this:
account required user ingroup year11

getent group year11 lists members correctly.

I've tried this:

But it fails. I think it's because we're using sssd and I don't know the
correct order. The position in the stack seems to matter. Here is ours:

account requisite try_first_pass
account sufficient
account required use_first_pass

auth required
auth optional
auth sufficient try_first_pass
auth required use_first_pass

session required
session required try_first_pass
session optional
session optional
session optional
session optional auto_start
session optional

If I try to authenticate, I do not even get a password prompt:

2013-09-01T11:22:14.438159+02:00 hh16 su: pam_xauth(su:session): error creating temporary file `/home/users/lynn2/.xauthXPkISk': No such file or directory

This leads me to believe that it must come after the line
since I can see that sssd has (correctly) identified me as it knows my
home directory.

I have to remove the line I'm testing in a second root shell, whereupon
I can login normally:

2013-09-01T11:43:34.642148+02:00 hh16 su: pam_unix(su:auth): authentication failure; logname=lynn uid=1000 euid=0 tty=pts/2 ruser=lynn rhost= user=lynn2
2013-09-01T11:43:35.371140+02:00 hh16 su: pam_sss(su:auth): authentication success; logname=lynn uid=1000 euid=0 tty=pts/2 ruser=lynn rhost= user=lynn2
2013-09-01T11:43:35.373290+02:00 hh16 su: (to lynn2) lynn on /dev/pts/2
2013-09-01T11:43:35.431413+02:00 hh16 su: pam_unix(su:session): session opened for user lynn2 by lynn(uid=1000)

It's the same if I try logging in on another tty rather than su.

Is there a pam-config way of adding this?
L x
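The post's real question is why the position of a `required` line in the account stack changes the outcome. The following is an added example (not code from the post or from openSUSE) that simulates Linux-PAM control-flag stacking so the effect can be seen without editing a live `/etc/pam.d`. It assumes the `user ingroup year11` line belongs to `pam_succeed_if.so`, and that the three account lines posted are `pam_unix.so`, `pam_localuser.so` and `pam_sss.so` in that order (the module names were lost from the post); the per-user module results are constructed for the demonstration, not taken from a real system.

```python
"""Simulate Linux-PAM control-flag stacking for an `account` stack.

Added example, not code from the original post.  Shows why a
`required` group restriction placed *after* a `sufficient` line is
bypassed for every user that line accepts.
"""
from dataclasses import dataclass

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Assumed module for `user ingroup year11` (not named in the post).
GROUP_CHECK = "pam_succeed_if.so user ingroup year11"


@dataclass(frozen=True)
class Entry:
    control: str   # required | requisite | sufficient | optional
    module: str    # label only; the module's result comes from RESULTS


def evaluate(stack, results):
    """Return the final verdict of a PAM stack.

    `results` maps module label -> SUCCESS / FAIL / IGNORE for the user
    under test.  Semantics follow the Linux-PAM simple keywords:
      required   failure is recorded, the rest of the stack still runs
      requisite  failure ends the stack immediately
      sufficient success ends the stack with success unless a required
                 module already failed; failure is ignored
      optional   counted only if no other module produced a verdict
    If nothing produced a verdict the simulator denies.
    """
    recorded_failure = False
    required_success = False
    optional_result = None
    for entry in stack:
        result = results[entry.module]
        if result == IGNORE:
            continue
        if entry.control == "required":
            if result == FAIL:
                recorded_failure = True
            else:
                required_success = True
        elif entry.control == "requisite":
            if result == FAIL:
                return FAIL
            required_success = True
        elif entry.control == "sufficient":
            if result == SUCCESS and not recorded_failure:
                return SUCCESS
        elif entry.control == "optional":
            optional_result = result
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if recorded_failure:
        return FAIL
    if required_success:
        return SUCCESS
    return optional_result if optional_result is not None else FAIL


def build_stack(group_check_position):
    """The posted sssd-style account stack (module names assumed) with
    the group restriction inserted at the given index."""
    stack = [
        Entry("requisite", "pam_unix.so"),
        Entry("sufficient", "pam_localuser.so"),
        Entry("required", "pam_sss.so"),
    ]
    stack.insert(group_check_position, Entry("required", GROUP_CHECK))
    return stack


# Constructed per-user module results for the demonstration.
RESULTS = {
    # local user in /etc/passwd, not in year11, unknown to sssd
    "lynn":  {"pam_unix.so": SUCCESS, "pam_localuser.so": SUCCESS,
              "pam_sss.so": FAIL, GROUP_CHECK: FAIL},
    # sssd user who is in year11
    "lynn2": {"pam_unix.so": SUCCESS, "pam_localuser.so": FAIL,
              "pam_sss.so": SUCCESS, GROUP_CHECK: SUCCESS},
    # sssd user who is not in year11
    "guest": {"pam_unix.so": SUCCESS, "pam_localuser.so": FAIL,
              "pam_sss.so": SUCCESS, GROUP_CHECK: FAIL},
}


def check_user(user, group_check_position):
    """Verdict for `user` with the group check at the given position."""
    return evaluate(build_stack(group_check_position), RESULTS[user])


def main():
    for pos, label in ((3, "after sufficient"), (0, "before sufficient")):
        for user in RESULTS:
            print(f"{label:18} {user:6} -> {check_user(user, pos)}")


if __name__ == "__main__":
    main()
```

With the restriction appended after `sufficient pam_localuser.so`, the local user `lynn` is accepted before the group check ever runs, so the year11 rule is silently bypassed for every local account; with the restriction placed first, its failure is recorded and the later `sufficient` success cannot override it. The simulator does not cover pam-config or the `auth` and `session` stacks, which is where the logged pam_xauth error comes from.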
