Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
Hi,

Is 634829 also relevant in our default configuration? (Whether or not it is I think the fix should be pushed to squeeze. But if it is we probably want to include the fix in beta1.)

cheers,
Holger

--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
[Holger Levsen]
> Hi, Is 634829 also relevant in our default configuration? (Whether or
> not it is I think the fix should be pushed to squeeze. But if it is we
> probably want to include the fix in beta1.)

I did not test, so I do not know. I do not have a test bed ready, and no spare time to set it up, so I hope someone else can test this. But when I tested a year ago, the module worked, so I suspect this might be related to the version of python being used.

Happy hacking,
--
Petter Reinholdtsen
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
Hi Petter,

the script fails at the very first Popen call. If I replace

    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,)

with

    proc = subprocess.Popen(cmd, shell=True, stdout=None,)

the call succeeds. If the user has a local account, login succeeds, too. I haven't tested any further combinations (e.g. home directory, primary group membership, etc.) so far.

I wonder why the author has specified subprocess.PIPE, since the actual output is not captured anywhere in the script?

On 25/07/11 18:00, Petter Reinholdtsen wrote:
> [Wolfgang Schulze-Zachau]
>> Hi Petter, nope, doesn't make any difference, I still get the
>> Unexpected exception, should never happen ... message.
>
> Hm. Not quite sure how to figure out what is missing a child. Could
> you try to add log/print statements to try to figure out what is
> failing?
>
>> I have stopped nscd, no difference. And nslcd isn't installed (do I
>> need it other than for caching?).
>
> nslcd is only used when libnss_ldapd is used, and it is an alternative
> to sssd and should probably be disabled/removed if you want to use
> sssd.
>
> Please send to 634...@bugs.debian.org, to make sure BTS is up to date.
>
> Happy hacking,

--
best regards
Wolfgang
*Amino | Mob: +44 7554 457 455 | Desk: +44 1954 234 190 | skype: wszachauamino*
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
Could this be connected to a known (and fixed) race condition in python? See here: http://bugs.python.org/issue1731717

On 25/07/11 18:00, Petter Reinholdtsen wrote:
> [Wolfgang Schulze-Zachau]
>> Hi Petter, nope, doesn't make any difference, I still get the
>> Unexpected exception, should never happen ... message.
>
> Hm. Not quite sure how to figure out what is missing a child. Could
> you try to add log/print statements to try to figure out what is
> failing?
>
>> I have stopped nscd, no difference. And nslcd isn't installed (do I
>> need it other than for caching?).
>
> nslcd is only used when libnss_ldapd is used, and it is an alternative
> to sssd and should probably be disabled/removed if you want to use
> sssd.
>
> Please send to 634...@bugs.debian.org, to make sure BTS is up to date.
>
> Happy hacking,

--
best regards
Wolfgang
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
[Wolfgang Schulze-Zachau]
> Hi Petter, the script fails at the very first Popen call. If I replace
>
>     proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,)
>
> with
>
>     proc = subprocess.Popen(cmd, shell=True, stdout=None,)
>
> the call succeeds. If the user has a local account, login succeeds,
> too. I haven't tested any further combinations (e.g. home directory,
> primary group membership, etc.) so far.

How strange. Any idea which process fails to work with the PIPE? It was working for me the last time I tested it, so I wonder what changed.

> I wonder why the author has specified subprocess.PIPE, since the
> actual output is not captured anywhere in the script?

It was written like that because I am not very familiar with Python and found an example doing it like that.

Happy hacking,
--
Petter Reinholdtsen
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
On 26/07/11 11:30, Petter Reinholdtsen wrote:
> It was written like that because I am not very familiar with Python
> and found an example doing it like that.

To be honest, I am not particularly good friends with python, either. Would it be unfair to say we should take the route of least resistance?

> Happy hacking,

--
best regards
Wolfgang
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
[Wolfgang Schulze-Zachau]
> Would it be unfair to say we should take the route of least
> resistance?

I have no problem with your proposed change, so why not. Can you test the new version currently available from svn://svn.debian.org/svn/debian-edu/trunk/src/libpam-mklocaluser ? If it works for you, I'll upload it to unstable.

Happy hacking,
--
Petter Reinholdtsen
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
Attached is a modified version of the python script which works for me. Essentially I have added some poll() calls to ensure the shell commands are completed before communicating with the subprocesses.

I have also added two lines in the runcmd subroutine to log any error messages to syslog. Hope that's OK with you.

I will now do further testing of this.

On 26/07/11 11:54, Petter Reinholdtsen wrote:
> [Wolfgang Schulze-Zachau]
>> Would it be unfair to say we should take the route of least
>> resistance?
>
> I have no problem with your proposed change, so why not. Can you test
> the new version currently available from
> svn://svn.debian.org/svn/debian-edu/trunk/src/libpam-mklocaluser ? If
> it works for you, I'll upload it to unstable.
>
> Happy hacking,

--
best regards
Wolfgang

#!/usr/bin/env python
#
# Create local user and redirected home directory.
# If the local user logging in have uid >= 1000, create primary group
# and user in /etc/passwd and /etc/group, and create a home directory
# under /home/ if none exist already.

import os
import sys
import pwd
import grp
import subprocess
import shutil
import math
import time
import syslog

def runcmd(pamh, cmd):
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,)
    while proc.poll() == None:
        pass
    result = proc.communicate(input=None)[0]
    if result != 0:
        syslog.syslog("Command %(command)s failed with %(msg)s" % ( cmd, proc.stderr.read()) )
#    print "output: %s" % output

def check_and_create_localuser(pamh, user):
    # Location of local users
    topdir = "/home"

    # Ignore users with uid below this one
    minimum_uid = 500

    # Create user entries with this shell
    shell = '/bin/bash'

    # File mode of new home directory
    dirmode = 0700

    # Last password change, use today
    pwlastchange = math.floor(time.time() / (60 * 60 * 24 ))
    pwminage = 0
    pwmaxage = 9
    pwwarn = 7

    # Fetch current user and group info, possibly from LDAP or NIS.
    userinfo = pwd.getpwnam(user)
    uid = userinfo[2]
    gid = userinfo[3]
    gecos = userinfo[4]
    homedir = userinfo[5]

    # Ignore users with uid < 1000
    if userinfo[2] < minimum_uid:
        return pamh.PAM_SUCCESS

    # Ignore users with existing entry in /etc/passwd
    cmd = "/bin/grep \"^%s:\" /etc/passwd >/dev/null" % user
    proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, )
    while proc.poll() == None:
        pass
    result = proc.communicate(input=None)[0]
    if proc.returncode == 0:
        return pamh.PAM_SUCCESS

    if None == homedir:
        syslog.syslog("Home directory is not set for user %s" % user)
        return pamh.PAM_USER_UNKNOWN

    newhomedir = os.path.join(topdir, user)
    if not os.path.isdir(homedir) and not os.path.isdir(newhomedir):
        try:
            groupinfo = grp.getgrgid(gid)
            groupname = groupinfo[0]
        except KeyError, e:
            syslog.syslog("Unknown primary group with gid %d" % gid)
            groupname = "[unknown]"

        syslog.syslog("Creating local passwd entry uid=%d(%s) gid=%d(%s) gecos='%s' home=%s" % (uid, user, gid, groupname, gecos, newhomedir))
        try:
            # Add user entry with overridden home directory in /etc/passwd.

            # Can not use adduser, as it refuses to add a user if it already
            # is visible via NSS.
            cmd = "/bin/echo '%s:x:%d:%d:%s:%s:%s' >> /etc/passwd" \
                % (user, uid, gid, gecos, newhomedir, shell)
            runcmd(pamh, cmd)

            # Add shadow entry too.
            # XXX Should only add it if it is missing
            cmd = "/bin/echo '%s:x:%d:%d:%d:%d:::' >> /etc/shadow" \
                % (user, pwlastchange, pwminage, pwmaxage, pwwarn)
            runcmd(pamh, cmd)

            syslog.syslog("Creating local home directory for user '%s'" % user)
            # Copy content of /etc/skel
            shutil.copytree("/etc/skel/.", newhomedir, True)

            # Change perm of new home dir
            os.chmod(newhomedir, dirmode)
            # os.chown(newhomedir, uid, gid) - not recursive
            runcmd(pamh, "/bin/chown -R %d:%d '%s'" % (uid, gid, newhomedir))

            # Flush nscd cache to get rid of original user entry
            if os.access("/usr/sbin/nscd", os.X_OK):
                runcmd(pamh, "/usr/sbin/nscd -i passwd")

            # Hook for adjusting the freshly created home directory
            # XXX Should be rewritten in python, I guess
            runcmd(pamh, "if [ -d /etc/mklocaluser.d ]; then ORIGHOMEDIR='%s' USER='%s' /bin/run-parts /etc/mklocaluser.d ; fi" % (homedir, user))

            # Let the user know what is going on
            msg = pamh.Message(pamh.PAM_TEXT_INFO,
                               "Local user created in /home/, please log in again to start using it.")
            pamh.conversation(msg)

            # Throw out user, as the log process cached the home directory
            # and need to be restarted.
            return pamh.PAM_TRY_AGAIN
        except Exception, e:
            syslog.syslog(e)
            pass

    return pamh.PAM_SUCCESS

def pam_sm_setcred(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def pam_sm_authenticate(pamh, flags, argv):
    return pamh.PAM_SUCCESS

def
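A hardened shape for the script's runcmd() and its /etc/passwd handling, as an added example that is not part of the thread or of libpam-mklocaluser. It is Python 3, runs commands from an argument list without a shell, logs each stderr line as its own record, and replaces the grep/echo shell strings with file I/O; the names run_cmd, passwd_has_user, passwd_entry, add_local_user and the log parameter are assumptions made for this example.

```python
# Added example (Python 3); names and the log callback are assumptions.
import subprocess


def run_cmd(argv, log=print):
    """Run argv without a shell; return (exit status, stderr lines)."""
    # run() waits for the child and drains both pipes, so no poll() loop is
    # needed and a chatty child cannot block on a full pipe.
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    err_lines = proc.stderr.splitlines()
    if proc.returncode != 0:
        # One log record per stderr line keeps multi-line output readable.
        for line in err_lines or ["(no stderr output)"]:
            log("Command %r failed with status %d: %s"
                % (argv, proc.returncode, line))
    return proc.returncode, err_lines


def passwd_has_user(user, path="/etc/passwd"):
    """Exact match on the first field, replacing the shell 'grep ^user:'."""
    with open(path) as fh:
        return any(line.split(":", 1)[0] == user for line in fh)


def passwd_entry(user, uid, gid, gecos, home, shell="/bin/bash"):
    """Build one passwd line, rejecting values that would break the format."""
    if not user or not home:
        raise ValueError("user and home must be non-empty")
    for name, value in (("user", user), ("gecos", gecos),
                        ("home", home), ("shell", shell)):
        # Directory-supplied fields must not carry separators or line breaks.
        if any(c in value for c in ":\n\r\0"):
            raise ValueError("unsafe %s field: %r" % (name, value))
    return "%s:x:%d:%d:%s:%s:%s\n" % (user, uid, gid, gecos, home, shell)


def add_local_user(path, user, uid, gid, gecos, home):
    """Append the entry with file I/O instead of 'echo ... >> file'."""
    # This sketch does no file locking around the check and the append.
    if passwd_has_user(user, path):
        return False
    entry = passwd_entry(user, uid, gid, gecos, home)
    with open(path, "a") as fh:
        fh.write(entry)
    return True
```

In a PAM module the log argument would be syslog.syslog; the default of print is only there so the block runs on its own.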
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
[Wolfgang Schulze-Zachau]
> Attached is a modified version of the python script which works for
> me. Essentially I have added some poll() calls to ensure the shell
> commands are completed before communicating with the subprocesses.

Right. Make sense.

> I have also added two lines in the runcmd subroutine to log any error
> messages to syslog. Hope that's OK with you.

Fine with me. But what will happen if a command print more than one line on stderr?

> I will now do further testing of this.

Great. For the record, here is the relevant patch representing your change.

Index: debian/pam-python.py === --- debian/pam-python.py(revision 69429) +++ debian/pam-python.py(working copy) @@ -17,7 +17,11 @@ def runcmd(pamh, cmd): proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,) - output = proc.communicate()[0] + while proc.poll() == None: +pass + result = proc.communicate(input=None)[0] + if result != 0: +syslog.syslog(Command %(command)s failed with %(msg)s % ( cmd, proc.stderr.read()) ) # print output: %s % output def check_and_create_localuser(pamh, user): @@ -53,8 +57,10 @@ # Ignore users with existing entry in /etc/passwd cmd = /bin/grep \^%s:\ /etc/passwd /dev/null % user - proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE,) - result = proc.communicate() + proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, ) + while proc.poll() == None: +pass + result = proc.communicate(input=None)[0] if proc.returncode == 0: return pamh.PAM_SUCCESS

Happy hacking,
--
Petter Reinholdtsen
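Review bot: In the runcmd hunk, result is the stdout text returned by communicate()[0], not the exit status, so "if result != 0" is true on every call, including successful ones; test proc.returncode instead. The added syslog line will also raise rather than log: Popen is created with only stdout=subprocess.PIPE, so proc.stderr is None, and the format string uses named keys (%(command)s, %(msg)s) with a tuple argument. Pass stderr=subprocess.PIPE, take the error text from the second element of communicate(), and log it line by line, which also settles the multi-line stderr question. The "while proc.poll() == None: pass" loop spins the CPU without reading the pipe, so a child that fills the stdout pipe would never finish; communicate() already waits for the child, so the loop can be dropped.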
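Review bot: In the second hunk, the grep command shown in the context lines interpolates the login name into a string that the new Popen line still runs with shell=True, so the name is parsed by the shell before grep sees it; pass an argument list without a shell, or read /etc/passwd directly and compare the first field. Only proc.returncode is used afterwards, so the stdout pipe, the poll() busy-wait and the unused result assignment can all go; a single wait on the child is enough here.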
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
[Wolfgang Schulze-Zachau]
> Hi Petter, nope, doesn't make any difference, I still get the
> Unexpected exception, should never happen ... message.

Hm. Not quite sure how to figure out what is missing a child. Could you try to add log/print statements to try to figure out what is failing?

> I have stopped nscd, no difference. And nslcd isn't installed (do I
> need it other than for caching?).

nslcd is only used when libnss_ldapd is used, and it is an alternative to sssd and should probably be disabled/removed if you want to use sssd.

Please send to 634...@bugs.debian.org, to make sure BTS is up to date.

Happy hacking,
--
Petter Reinholdtsen
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
Hi Petter,

nope, doesn't make any difference, I still get the Unexpected exception, should never happen ... message.

I have stopped nscd, no difference. And nslcd isn't installed (do I need it other than for caching?).

Puzzled...

On 23/07/11 10:42, Petter Reinholdtsen wrote:
> [Wolfgang Schulze-Zachau]
>> Jul 20 11:22:49 it-50 pam_mklocaluser[1765]: Unexpected exception, should never happen: [Errno 10] No child processes
>
> This is the key error report. Not quite sure which child process is
> the problem. Hm, is nscd installed? Perhaps the problem is the call
> /usr/sbin/nscd -i passwd in
> /usr/lib/libpam-mklocaluser/pam-python.py? Try to comment it out and
> see if the situation improves.
>
> Happy hacking,

--
best regards
Wolfgang
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
[Wolfgang Schulze-Zachau]
> Jul 20 11:22:49 it-50 pam_mklocaluser[1765]: Unexpected exception, should never happen: [Errno 10] No child processes

This is the key error report. Not quite sure which child process is the problem. Hm, is nscd installed? Perhaps the problem is the call /usr/sbin/nscd -i passwd in /usr/lib/libpam-mklocaluser/pam-python.py? Try to comment it out and see if the situation improves.

Happy hacking,
--
Petter Reinholdtsen
Bug#634829: libpam-mklocaluser: login fails when used in conjunction with sssd
Package: libpam-mklocaluser
Version: 0.6
Severity: important

I am using sssd to authenticate against a Microsoft AD server. The pam configuration was created using pam-auth-update, i.e. it is completely system generated. When authenticating at the initial gdm login prompt, the login fails, and the logs show the following:

Jul 20 11:22:49 it-50 gdm[1765]: pam_sss(gdm:auth): User info message: Authenticated with cached credentials.
Jul 20 11:22:49 it-50 gdm[1765]: pam_sss(gdm:auth): authentication success; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=wszachau
Jul 20 11:22:49 it-50 gdm[1765]: pam_unix(gdm:session): session opened for user wszachau by (uid=0)
Jul 20 11:22:49 it-50 pam_mklocaluser[1765]: Unexpected exception, should never happen: [Errno 10] No child processes
Jul 20 11:22:49 it-50 pam_mklocaluser[1765]: pam_ck_connector(gdm:session): nox11 mode, ignoring PAM_TTY :0
Jul 20 11:22:49 it-50 pam_mklocaluser[1765]: WARNING: Couldn't open session for wszachau

At this point, nscd is not running, but nslcd is running.

If any additional information is required, please ask, and I shall provide.

-- System Information:
Debian Release: 6.0.2
APT prefers stable
APT policy: (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.32-5-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-mklocaluser depends on:
ii  libpam-python   1.0.0-2           Enables PAM modules to be written
ii  python          2.6.6-3+squeeze6  interactive high-level object-orie
ii  python-support  1.0.10            automated rebuilding support for P

libpam-mklocaluser recommends no packages.

Versions of packages libpam-mklocaluser suggests:
ii  libpam-sss      1.2.1-4+squeeze1  Pam module for the System Security

-- no debconf information