lists.arthurdejong.org

Re: trouble using pam_authz_search


Arthur,

First, thank you very much for the quick reply. It's quite a statement that 
you've answered this post within 24 hours - and even on a weekend.

I was able to reproduce the segmentation fault using gdb without any issue. In case 
there is some useful information in the difference in output when having the 
additional debugging packages installed and not, I captured the same test case 
with and without the debugging packages.

No debugging packages, just gdb:

        http://pastie.org/2020075

libc6-dbg, libldap-2.4-2-dbg, libgcrypt11-dbg, and libgnutls26-dbg packages 
installed:

        http://pastie.org/2020077

I used the same configuration from my first post, with the second example of 
the /etc/pam.d/common-account:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_unix.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000

For what it's worth, I think the issue is that I need a newer version of libc6. The 
trouble is, upgrading libc6 on ubuntu 10.04 to an unsupported version seems 
like just the sort of thing that will leave my systems unusable.

Terence

On Jun 4, 2011, at 2:13 PM, Arthur de Jong wrote:

> On Fri, 2011-06-03 at 19:28 -0700, Terence Kent wrote:
>> First off, sorry for the long post!
> 
> No problem. It's good that most information is present.
> 
>> I'm trying to use the pam_authz_search example for host based
>> authentication without success. I believe my issue is with my pam
>> configuration, but I've been unable to find a solution. If I use a
>> simple /etc/pam.d/common-account config of:
>> 
>> account    [success=done new_authtok_reqd=done default=ignore]   pam_unix.so
>> account    sufficient   pam_ldap.so minimum_uid=1000
>> account    required     pam_deny.so
>> 
>> I can sign in with all ldap users, and the pam_authz_search string is
>> ignored.
> 
> The problem with the above stack is that if pam_unix finds shadow
> information and says that it is OK, pam_ldap is skipped. To work in this
> stack /etc/nsswitch.conf shouldn't let ldap provide shadow information.
> From the log below it doesn't seem that shadow information is found in
> LDAP though so there could be something else wrong.
> 
> You could add the debug option to both pam_unix and pam_ldap and get
> more information from syslog.
> 
>> I saw from a previous mailing list post by Guilluame, that this is
>> expected behavior. However, if I use either of the suggested
>> configurations by Arthur in the same thread, nslcd simply segmentation
>> faults during the authentication process.
>> 
>> Below is the output from an authentication attempt using the
>> following /etc/pam.d/common-account config:
>> 
>> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_unix.so
>> account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000
>> 
>> nslcd -d output:
> [...]
>> nslcd: [495cff] DEBUG: nslcd_pam_authz("tkent","cn=Terence 
>> Kent,ou=people,dc=xetus,dc=com","sshd","","172.16.1.17","ssh")
>> Segmentation fault
> 
> The handshake seems reasonable but the segmentation fault is a bug
> somewhere. Can you provide a backtrace using gdb [1]? Depending on where
> the bug is, it may be interesting to have the libldap*-dbg,
> libgcrypt*-dbg, libgnutls*-dbg and libc6-dbg packages installed.
> 
> A backtrace can be generated with:
>  % gdb nslcd -d
>  (gdb) r
>  [try to cause the segmentation fault]
>  (gdb) thread apply all bt full
>  [hit enter a couple of times]
> 
>> pam_authz_search 
>> (&(objectClass=posixAccount)(uid=$username)(|(host=$hostname)(host=$fqdn)))
> 
> Note that the $fqdn expansion was only introduced in 0.8.1 so isn't
> available yet in 0.7.13. In any case, I would really like to know the
> source of the segmentation fault.
> 
> -- 
> -- arthur - arthur@arthurdejong.org - http://arthurdejong.org --
> -- 
> To unsubscribe send an email to
> nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
> http://lists.arthurdejong.org/nss-pam-ldapd-users

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users
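Arthur's point about the first stack (pam_unix answering "done" means pam_ldap, and with it pam_authz_search, is never consulted) can be checked with a small model of how Linux-PAM walks an account stack. This is an added example, not code from nss-pam-ldapd or Linux-PAM; the module return values in RESULTS are constructed for the scenario where LDAP also serves shadow data.

```python
# Added example (not nss-pam-ldapd or Linux-PAM code): a minimal model of how
# Linux-PAM walks an account stack. Return values and actions are plain strings;
# only the control values that appear in the thread are modelled, and the legacy
# keywords are expanded to their documented [...] equivalents.

LEGACY = {
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
}

def parse_control(spec):
    """'[success=done default=ignore]' -> {'success': 'done', 'default': 'ignore'}."""
    if spec in LEGACY:
        return dict(LEGACY[spec])
    if not (spec.startswith("[") and spec.endswith("]")):
        raise ValueError("unsupported control field: %r" % spec)
    return dict(tok.split("=", 1) for tok in spec[1:-1].split())

def run_account_stack(stack, results):
    """stack: [(control, module), ...]; results: module -> value it would return.
    Returns (final PAM result, list of modules that actually ran)."""
    impression, status, ran = None, "perm_denied", []  # fails closed if nothing decides
    for control, module in stack:
        rv = results.get(module, "ignore")
        ran.append(module)
        actions = parse_control(control)
        action = actions.get(rv, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # ok/done record this module's verdict only while no failure is pending
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", rv
            if action == "done":
                break  # stack terminated: later modules (here pam_ldap) never run
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", rv  # first failure wins
            if action == "die":
                break
    return status, ran

BOTH = "[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]"
STACK_1 = [("[success=done new_authtok_reqd=done default=ignore]", "pam_unix.so"),
           ("sufficient", "pam_ldap.so"), ("required", "pam_deny.so")]
STACK_2 = [(BOTH, "pam_unix.so"), (BOTH, "pam_ldap.so")]
# Constructed scenario: LDAP also serves shadow data so pam_unix reports success,
# while pam_ldap's pam_authz_search would refuse this user on this host.
RESULTS = {"pam_unix.so": "success", "pam_ldap.so": "perm_denied", "pam_deny.so": "auth_err"}

if __name__ == "__main__":
    print(run_account_stack(STACK_1, RESULTS))  # ('success', ['pam_unix.so'])
    print(run_account_stack(STACK_2, RESULTS))  # ('perm_denied', ['pam_unix.so', 'pam_ldap.so'])
```

With the first stack the host restriction is silently bypassed whenever pam_unix can decide on its own; with the second stack pam_ldap always gets a say, which is why that is the one to use once the nslcd crash is resolved.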