On Sat, 2009-10-17 at 22:49 +0000, Steve Langasek wrote:
> Well, bug #411249 was closed as invalid.

I know.

> I don't think this is a valid bug, either; pam_krb5 returns 'PAM_IGNORE'
> for non-Kerberos logins, as shown in your debug log, which *is*
> considered "success" /as long as/ at least one other PAM module returns
> success.

OK.

> I'm quite confident that this is the case, because this is the standard
> use of pam_krb5 on Debian/Ubuntu, and I've been using it for years - and
> my root account works fine.

And you don't have a root account in Kerberos? Or maybe the minimum_uid=1000 makes that moot?

> So there must be some other 'account' module in your configuration for
> su which is returning this failure. Can you post a copy of
> /etc/pam.d/su and /etc/pam.d/common-account?

Sure.

su:

auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

common-account:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
account [success=1 default=ignore] pam_ldap.so
account required pam_permit.so
account required pam_krb5.so debug minimum_uid=1000

As above, su fails and auth.log reports:

Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: pam_sm_acct_mgmt: entry (0x0)
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: skipping non-Kerberos login
Oct 18 11:03:19 laptop su[31699]: (pam_krb5): none: pam_sm_acct_mgmt: exit (ignore)
Oct 18 11:03:19 laptop su[31699]: pam_acct_mgmt: Permission denied
Oct 18 11:03:19 laptop su[31699]: FAILED su for root by brian
Oct 18 11:03:19 laptop su[31699]: - pts/2 brian:root

If I simply change the pam_krb5 line in common-account to:

account required pam_permit.so

su works and auth.log reports:

Oct 18 11:07:11 jenny-laptop su[31719]: Successful su for root by brian
Oct 18 11:07:11 jenny-laptop su[31719]: + pts/2 brian:root
Oct 18 11:07:11 jenny-laptop su[31719]: pam_unix(su:session): session opened for user root by brian(uid=1001)
So to me that means that pam_unix.so or pam_ldap.so has to be "success"ful, causing a jump over the (first) pam_permit; otherwise this would all just work and I would not be filing this bug. That simply changing pam_krb5 to pam_permit says to me that pam_krb5 must be failing the account processing. That said, I am by far no PAM expert, so I am completely open to being told why I'm wrong.

Further, unfortunately neither the "debug" nor the "audit" option on the pam_unix.so line seems to be producing any debug or audit entries in auth.log, so that's not helping. :-(

-- 
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
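To reason about which modules in the quoted common-account actually run after pam_unix's success=2 jump, and what the control rules documented in pam.conf(5) make of the result, here is a small model of Linux-PAM's stacked-module evaluation. It is an added example, not code from the bug thread or from Linux-PAM; the per-module return values it feeds in (pam_unix succeeding or returning user_unknown, pam_ldap returning user_unknown, pam_krb5 returning ignore as the quoted debug log shows) are assumptions, and the "perm_denied when nothing contributed" fallback reflects Linux-PAM's must-fail convention.

```python
# Model of the stacked-module control flow documented in pam.conf(5); added example, not
# code from the bug thread. Module return values are assumptions (see trace_reporter_stack).
PAM_KEYWORDS = {  # keyword controls expressed as the [value=action] form they abbreviate
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "ignore": "ignore", "default": "ignore"},
    "optional":   {"success": "ok",   "ignore": "ignore", "default": "ignore"},
}

def parse_control(control):
    """Map 'required' or '[success=2 new_authtok_reqd=done default=ignore]' to {retval: action}."""
    if control.startswith("["):
        return dict(pair.split("=", 1) for pair in control.strip("[]").split())
    return PAM_KEYWORDS[control]

def run_stack(stack, outcomes):
    """Walk stack=[(module, control)] with outcomes={module: retval}; returns (verdict, trace of modules that ran)."""
    trace, positive, failed, i = [], None, None, 0
    while i < len(stack):
        module, control = stack[i]
        retval = outcomes.get(module, "success")
        actions = parse_control(control)
        action = actions.get(retval, actions.get("default", "bad"))
        trace.append((module, retval, action))
        skip = 0
        if action.isdigit():                  # jump N: counts as 'ok', then skips N modules
            skip, action = int(action), "ok"
        if action in ("ok", "done") and failed is None and positive in (None, "success"):
            positive = retval                 # contributes while the stack still looks successful
        elif action in ("bad", "die") and failed is None:
            failed = retval                   # first failing module fixes the stack's code
        if action == "die" or (action == "done" and failed is None):
            break                             # stack terminates here
        i += 1 + skip
    if failed is not None:
        return failed, trace
    return (positive if positive is not None else "perm_denied"), trace  # nothing contributed

COMMON_ACCOUNT = [  # the common-account stack quoted in the thread, in order
    ("pam_unix.so",   "[success=2 new_authtok_reqd=done default=ignore]"),
    ("pam_ldap.so",   "[success=1 default=ignore]"),
    ("pam_permit.so", "required"),
    ("pam_krb5.so",   "required"),
]

def trace_reporter_stack(pam_unix_result, pam_krb5_result="ignore"):
    """Assumed outcomes: pam_unix varies, pam_ldap knows no such user, pam_krb5 returns PAM_IGNORE as in the quoted log."""
    return run_stack(COMMON_ACCOUNT, {"pam_unix.so": pam_unix_result, "pam_ldap.so": "user_unknown",
                                      "pam_krb5.so": pam_krb5_result})
```

The trace shows that on a pam_unix success only pam_unix and pam_krb5 run (pam_ldap and the first pam_permit are jumped over), and that under these rules a denial needs either a module whose control maps its return to bad, or a stack in which no module contributed a result.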
