Your message dated Wed, 21 Sep 2016 02:39:29 +0000
with message-id <e1bmxrz-0005sl...@franck.debian.org>
and subject line Bug#628848: Removed package(s) from unstable
has caused the Debian Bug report #359896,
regarding libpam-unix2: Authentication always fail if uidNumber=0 and the user is in LDAP
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
359896: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=359896
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libpam-unix2
Version: 1.25-1
Severity: important


I have strange problem with pam_unix2.  I have looked at documentation
and searched google, but I can't figure out what's wrong.

I am setting up a server where I use ldap for authentication.
The root account is not in ldap, so it will be possible to log in
even if I get trouble with the ldap server.

I also need a uid=0 account available in ldap though,
samba needs this.

And this is the problem.  I can log in as any
ldap user - except the one with uidNumber=0. That user is named
Administrator.

I believe there is nothing wrong with the Administrator account:
if I change its uidNumber to something else - such as 1, then
logging in (using "login" or "su") works. Change the
uidNumber back to 0 - and suddenly the password is invalid. Very
strange.

Also, this cannot be a case of /etc/securetty or other protection against
privileged users, for I can log in as "root" with no problems
at all.  But "root" exists in /etc/passwd, so "root" doesn't have
the extra sambaAccount fields that samba needs.  That is only available
in ldap, but logging in with uidNumber=0 using ldap is impossible.

I tried removing the normal root account, to see if the problem
had something to do with duplicate users.  This did not help at all.

Am I missing something, is there a trivial config option that makes
this work? Or have I found a bug?

Some auth.log traces:

"su root" from a user account succeeds:
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_acct_mgmt() called
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: expire() returned with 0
Mar 26 12:53:46 buanserver su[11663]: Successful su for root by helge
Mar 26 12:53:46 buanserver su[11663]: + pts/2 helge:root
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred() called
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred: PAM_SUCCESS

"su Administrator" from a user account rejected (I used the correct passwd)
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: username=[Administrator]
Mar 26 12:54:30 buanserver su[11672]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 12:54:30 buanserver su[11672]: pam_authenticate: Authentication failure
Mar 26 12:54:30 buanserver su[11672]: FAILED su for Administrator by helge
Mar 26 12:54:30 buanserver su[11672]: - pts/2 helge:Administrator

"su Administrator" from a user account works when Administrator is
modified to use a uidNumber other than 0:
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:55 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 0
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_acct_mgmt() called
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_acct_mgmt() returned 0
Mar 26 12:30:56 buanserver su[11603]: Successful su for Administrator by joe
Mar 26 12:30:56 buanserver su[11603]: + pts/0 joe:Administrator
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred() called
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_setcred() returned 0
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred: PAM_SUCCESS

Deliberately using a wrong password for "Administrator" when the uid is not 0:
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: username=[Administrator]
Mar 26 13:27:13 buanserver su[11780]: pam_ldap: error trying to bind as user "uid=Administrator,ou=People,dc=buan" (Invalid credentials)
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 7
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 13:27:13 buanserver su[11780]: pam_authenticate: Authentication failure
Mar 26 13:27:13 buanserver su[11780]: FAILED su for Administrator by helge
Mar 26 13:27:13 buanserver su[11780]: - pts/5 helge:Administrator

Here we see that the wrong password was rejected by ldap.

Now, let's change the Administrator uid back to 0 and try a wrong
password:
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: username=[Administrator]
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 13:31:28 buanserver su[11792]: pam_authenticate: Authentication failure
Mar 26 13:31:28 buanserver su[11792]: FAILED su for Administrator by helge
Mar 26 13:31:29 buanserver su[11792]: - pts/5 helge:Administrator

Hmm - ldap was not consulted at all. This is exactly the same kind
of log I get with a wrong password for "root".

Let me guess:
pam_unix2 looks up the uid for Administrator, and see that it is 0.
And then pam_unix2.so decides that there is no need to consult ldap
when the uid=0 ???
A wrong assumption that uid=0 can only exist in /etc/passwd ??? 

This is a regression, this used to work a couple of years ago.

Helge Hafting

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (800, 'stable'), (700, 'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-mm2
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages libpam-unix2 depends on:
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an
ii  libpam0g                      0.79-3.1   Pluggable Authentication Modules l
ii  libxcrypt1                    2.3-1      Crypt library for DES, MD5, and bl

libpam-unix2 recommends no packages.

-- no debconf information


--- End Message ---
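The diagnostic the reporter applies by eye above (group the auth.log lines by su[PID], then check whether any pam_ldap line appears before the "wrong password" decision) is mechanical enough to script. The following is an added example written for this page, not code from the bug report or from the libpam-unix2 package. The log text embedded in it is constructed from the traces quoted in the report (wrapped lines re-joined, non-essential setcred/acct_mgmt lines dropped); the verdict strings, the `local_users` parameter and the assumption that only "root" is expected to resolve from /etc/passwd are the example's own choices. It only reports what the log shows (whether pam_ldap was ever called in a session); it does not claim to know why pam_unix2 skipped it.

```python
import re
from collections import OrderedDict

# Constructed sample: the su sessions quoted in the bug report, reduced to
# the lines that decide the question "was LDAP consulted for this user?".
SAMPLE_AUTH_LOG = """\
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
Mar 26 12:53:46 buanserver su[11663]: Successful su for root by helge
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: username=[Administrator]
Mar 26 12:54:30 buanserver su[11672]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 12:54:30 buanserver su[11672]: FAILED su for Administrator by helge
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:55 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 0
Mar 26 12:30:56 buanserver su[11603]: Successful su for Administrator by joe
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: username=[Administrator]
Mar 26 13:27:13 buanserver su[11780]: pam_ldap: error trying to bind as user "uid=Administrator,ou=People,dc=buan" (Invalid credentials)
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 7
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 13:27:13 buanserver su[11780]: FAILED su for Administrator by helge
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: username=[Administrator]
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 13:31:28 buanserver su[11792]: FAILED su for Administrator by helge
"""

# Verdict strings chosen for this example (not pam_unix2 terminology).
ACCEPTED_LDAP = "accepted via pam_ldap"
ACCEPTED_LOCAL = "accepted from local files"
REJECTED_LDAP = "rejected by pam_ldap bind"
REJECTED_LOCAL = "rejected from local files"
ANOMALY = "LDAP account rejected without any pam_ldap call"

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"su\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
USER_RE = re.compile(r"username=\[(?P<user>[^\]]*)\]")
LDAP_RC_RE = re.compile(r"pam_ldap/pam_sm_authenticate\(\) returned (?P<rc>\d+)")


def parse_sessions(log_text):
    """Group su[PID] lines into sessions, in order of first appearance.
    Caveat: PIDs are reused over time; on a day-long log you would also
    split on the timestamp, but the sample spans a few minutes only."""
    sessions = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an su line; other services share auth.log
        pid = int(m.group("pid"))
        msg = m.group("msg")
        s = sessions.setdefault(pid, {
            "user": None, "ldap_consulted": False, "ldap_rc": None,
            "result": None, "first_ts": m.group("ts"),
        })
        u = USER_RE.search(msg)
        if u and s["user"] is None:
            s["user"] = u.group("user")
        if "pam_ldap" in msg:          # either pam_ldap's own line or
            s["ldap_consulted"] = True  # pam_unix2 reporting its return code
        rc = LDAP_RC_RE.search(msg)
        if rc:
            s["ldap_rc"] = int(rc.group("rc"))
        if msg.startswith("Successful su for"):
            s["result"] = "success"
        elif msg.startswith("FAILED su for"):
            s["result"] = "failure"
    return sessions


def classify(session, local_users=frozenset({"root"})):
    """Decide which backend produced the outcome. `local_users` is the set
    of accounts expected to resolve from /etc/passwd (assumed: only root)."""
    if session["result"] == "success":
        return ACCEPTED_LDAP if session["ldap_consulted"] else ACCEPTED_LOCAL
    if session["ldap_consulted"]:
        return REJECTED_LDAP
    if session["user"] in local_users:
        return REJECTED_LOCAL
    return ANOMALY  # LDAP-only account, yet no bind attempt was logged


def analyze(log_text, local_users=frozenset({"root"})):
    """Map su PID -> (username, verdict)."""
    return {pid: (s["user"], classify(s, local_users))
            for pid, s in parse_sessions(log_text).items()}


def anomalies(log_text, local_users=frozenset({"root"})):
    """PIDs of sessions where an LDAP account was rejected without LDAP."""
    return [pid for pid, (_, v) in analyze(log_text, local_users).items()
            if v == ANOMALY]


if __name__ == "__main__":
    for pid, (user, verdict) in analyze(SAMPLE_AUTH_LOG).items():
        print(f"su[{pid}] {user}: {verdict}")
```

Run against the sample, the two sessions in which Administrator had uidNumber=0 (PIDs 11672 and 11792) are the only ones flagged: they end in "wrong password" with no pam_ldap line in between, exactly the pattern the reporter contrasts with the uid!=0 runs, where pam_ldap's bind attempt is visible whether the password is right or wrong.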
--- Begin Message ---
Version: 1:2.6-2+rm

Dear submitter,

as the package libpam-unix2 has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/628848

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmas...@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Chris Lamb (the ftpmaster behind the curtain)

--- End Message ---