Pam issue, Winbind - sudo combination
Well, I'll repost my question, because my first mail wasn't clear (I was in a hurry while writing it).

I have a Suse 9.2 Pro box authenticating against an NT Domain. I could join the domain, the users log in, the homes get created automagically, all seems perfect, BUT I'm having a little problem with sudo: any time an nt-domain-user runs it, sudo prompts for a password (as it should), but it never accepts it!!

The original /etc/pam.d/sudo file looked like this:

-------------------------------------------------------
#%PAM-1.0
auth required pam_unix2.so
-------------------------------------------------------

I didn't find a Suse-specific solution, so I tried a Debian-based one (the only one I've found), but it doesn't work. It looks like this:

-------------------------------------------------------
#%PAM-1.0
auth sufficient pam_winbind.so
auth required pam_unix2.so use_first_pass
-------------------------------------------------------

Thanks in advance.

Ciro
Hello,

On Saturday, 15 January 2005 11:13, Ciro Iriarte wrote:
BUT, i'm having a little problem with sudo, any time an nt-domain-user runs it, sudo prompts for password (as it should), but it never accepts it!!.
Have a look at your sudo configuration ("visudo"). Is the targetpw option set? If yes, the _root_ password is expected.

Regards,

Christian Boltz
--
No trees were killed in the sending of this message. However a large number of electrons were terribly inconvenienced.
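Added example, not part of the original thread: a small Python check that reads sudoers text and reports whose password sudo will verify for a given user, which is the diagnosis suggested above. The sample sudoers content, the user names `alice` and `bob`, and the function names are constructed for illustration; the parser is a simplification that handles only global and per-user `Defaults` lines in file order.

```python
import re

# Flags that change whose password sudo verifies, in the order this check tests them.
PW_FLAGS = ("rootpw", "runaspw", "targetpw")
DEFAULTS_RE = re.compile(r"^Defaults(?:([:@>!])(\S+))?\s+(.+)$")

# Constructed sample: targetpw carried over from an older configuration.
SAMPLE_BROKEN = """\
Defaults env_reset, targetpw   # copied from an older config
alice ALL=(ALL) ALL
"""

# Constructed sample: the same file with a per-user override for alice.
SAMPLE_FIXED = """\
Defaults env_reset, targetpw
Defaults:alice !targetpw
alice ALL=(ALL) ALL
"""

def password_flags(sudoers_text, user):
    """Return the state of rootpw/runaspw/targetpw that applies to `user`."""
    state = dict.fromkeys(PW_FLAGS, False)
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        m = DEFAULTS_RE.match(line)
        if not m:
            continue                             # not a Defaults line
        scope, names, settings = m.groups()
        if scope in ("@", ">", "!"):
            continue                             # host/runas/command scopes not handled
        if scope == ":" and user not in names.split(","):
            continue                             # per-user Defaults for someone else
        for item in settings.split(","):
            item = item.strip()
            name = item.lstrip("!").strip()
            if name in state:
                state[name] = not item.startswith("!")   # later lines override
    return state

def expected_password(sudoers_text, user, target="root"):
    """Name the account whose password sudo will ask `user` for."""
    flags = password_flags(sudoers_text, user)
    if flags["rootpw"]:
        return "root"
    if flags["runaspw"]:
        return "runas_default user (root unless changed)"
    if flags["targetpw"]:
        return target                            # the -u target, root by default
    return user                                  # sudo's default: the invoking user
```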
Thanks a lot, that solved the problem, just copied some parts of my old config and didn't check the rest!!
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
On Tuesday, 18 January 2005 04:47, Ciro Iriarte wrote:
Thanks a lot, that solved the problem, just copied some parts of my old config and didn't check the rest!!
Could you please post (or send me, if you don't like to publish them ;-) ) the relevant pam.d files? I try the same with ADS, but I didn't get shell login with autocreation of Homedirs to work flawlessly (main error was: User not known to the underlying authentification module)

Thanks!
--
Kind regards,
Markus Feilner
---------------------------
Please note our new address details! Thank you.
---------------------------
Feilner IT Linux & GIS
Linux Solutions, Training, Seminars and Workshops - also in-house
Beraiterweg 4
93047 Regensburg
phone +49 941 9465243
fax +49 941 9465244
mobile + +49 170 3027092
mail mfeilner@feilner-it.net
web http://www.feilner-it.net
Not sure if with AD you should use pam_ldap or pam_winbind, but here is my config (you should join the domain before)

/etc/nsswitch.conf (just the relevant lines)

passwd: compat winbind
group: compat winbind

/etc/pam.d/sshd

#%PAM-1.0
auth required pam_unix2.so # set_secrpc
auth required pam_nologin.so
auth required pam_env.so
account required pam_unix2.so
account required pam_nologin.so
password required pam_pwcheck.so
password required pam_unix2.so use_first_pass use_authtok
session optional pam_mkhomedir.so
session required pam_unix2.so none # trace or debug
session required pam_limits.so

/etc/pam.d/login

#%PAM-1.0
auth requisite pam_unix2.so nullok #set_secrpc
auth required pam_securetty.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_mail.so
account required pam_unix2.so
password required pam_pwcheck.so nullok
password required pam_unix2.so nullok use_first_pass use_authtok
session optional pam_mkhomedir.so
session required pam_unix2.so none # debug or trace
session required pam_limits.so
session required pam_resmgr.so

/etc/security/pam_unix2.conf

auth: call_modules=winbind
account: call_modules=winbind
password:
session: none

Hope it helps you
Thanks a lot, I'll try that!

Markus
participants (3)
- Christian Boltz
- Ciro Iriarte
- Markus Feilner