Bug 1029817
Summary: | pam_access.so in pam.d files using --enablepamaccess | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 6 | Reporter: | guillard <orglube> |
Component: | pam | Assignee: | Tomas Mraz <tmraz> |
Status: | CLOSED ERRATA | QA Contact: | David Spurek <dspurek> |
Severity: | low | Docs Contact: | |
Priority: | medium | | |
Version: | 6.6 | CC: | dapospis, dspurek, ebenes, ksrot, orglube, tmraz |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | pam-1.1.1-18.el6 | Doc Type: | Bug Fix |
Doc Text: | no docs needed | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2014-10-14 08:10:01 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |

Description
guillard
2013-11-13 09:57:32 UTC
The configuration is correct. It is not true that pam_access would not know the uid in such configuration, the bug must be elsewhere. If you disable ldap with authconfig --disableldap --update, does the local user login still hang? How many users and groups are in the ldap server?

Yes, I have the same problem when ldap is disabled (BTW, I have launched authconfig with --disableeverything except --enableshadow --enablelocauthorize --enablepamaccess). See below my nsswitch.conf. But I missed to say that the problem only occurs when I try to log as a local user and the console AND the network is not reachable (no problem otherwise).

Local login freezes with the following nsswitch.conf, and tcpdump doesn't show anything when I try to log in :
===============================
passwd: files
shadow: files
group: files
#hosts: db files nisplus nis dns
hosts: files dns
# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
sudoers: file
=========================
The problem disappears when the network is reachable, or if I move "account required pam_access.so" in the system-auth-ac file as I described above.

Read :
=====
> But I missed to say that the problem only occurs when I try to log as a local user ON the console AND the network is not reachable (no problem otherwise).

Then the much more probable culprits are DNS timeouts in pam_access. What is in your /etc/security/access.conf? There were some optimizations in pam_access added in later Linux-PAM upstream releases.

Thank you for looking at this Tomas. As I said, I tried tcpdump to scan packets, and have not seen any network request issued by the machine over the login process. Maybe the machine is waiting for something? Here is my access.conf
+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL
#
#### 'wheel' is a local group ######
#
#
#### members may log on the console ######
#
+:(wheel):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(wheel):2001:xxx:xxx::/47
+:(wheel):LOCAL
#
#### 'reseau' is an LDAP group ######
#
#
#### members may log on the console ######
#
+:(reseau):LOCAL
#
#### members of some other ldap groups are ######
#
#
#### authorised to log in from internal networks ######
#
+:(reseau) (tech):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(reseau)(tech):2001:xxx:xxx::/47

Maybe you made some mistake in the tcpdump invocation. I don't know. I am sorry I can only point you at official Red Hat support channels for further investigation and resolution of your issue. http://www.redhat.com/support/

Hi Tomas, To let you know, I found a fix. I have changed in access.conf this :
+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL
By this:
+:root:LOCAL
+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
The issue is then related to the way pam_access is parsing the file, and also to something that is still not clear related to the two (matching) rules that reference ip blocks (the machine itself is located in one of the authorised blocks, but this shouldn't block the login process for three minutes IMHO). I will report the debug trace I get to pam_access dev. Thanks for your help.

Just in case this would be of interest here, here is a pam_access debug trace with the first version of access.conf.
My understanding is that since the machine is itself in an authorized block, then pam_access is expecting something: tcpdump doesn't say what.
Nov 14 12:18:29 gaia02 login: pam_access(login:account): login_access: user=root, from=tty4, file=/etc/security/access.conf
Nov 14 12:18:29 gaia02 login: pam_access(login:account): line 126: + : root : 10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=10.x.x.x/16 10.x.x.x/16 10.x.x.x/16, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): line 127: + : root : 2001:xxx:xxx::/47
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=2001:xxx:xxx::/47, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): line 128: + : root : LOCAL
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=LOCAL, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=1, "tty4"
Nov 14 12:19:49 gaia02 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Nov 14 12:19:49 gaia02 login: ROOT LOGIN ON tty4

As I said above - it is really about repeated getaddrinfo timing out and it was fixed or at least improved in the more recent upstream releases of Linux-PAM. We could backport the changes if pam gets on the list of packages for the next update release.
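The rule-ordering effect discussed in the comments above, as an added example (not Linux-PAM source and not Red Hat's code): a small Python model of pam_access's first-match evaluation of access.conf, with a stand-in resolver that counts every name lookup the real getaddrinfo() would have to make while the network is unreachable. The address ranges, the group map and the two access.conf variants are constructed (the page's 10.x.x.x/16 and 2001:xxx:xxx::/47 prefixes are replaced by placeholder ranges); the LOCAL matches-anything-without-a-dot rule and the permit-when-no-line-matches default follow pam_access's behaviour as I understand it. In the trace above each network token on the matching root line cost one stalled lookup of "tty4" before the LOCAL line was reached; the model reproduces that count and shows it drop to zero once LOCAL is listed first.

```python
"""Model of pam_access first-match evaluation of /etc/security/access.conf.
Added example for this bug thread, not Linux-PAM code."""
import ipaddress
from typing import Dict, List, Optional, Tuple, Union

# Constructed group membership; "(name)" in access.conf denotes a group.
GROUPS: Dict[str, List[str]] = {"wheel": ["alice"], "reseau": ["bob"]}

# Constructed access.conf in the original (slow) order: network rules first.
ACCESS_CONF_BEFORE = """
+:root:10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
+:root:2001:db8:1::/47
+:root:LOCAL
+:(wheel):10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
+:(wheel):LOCAL
-:ALL:ALL
"""

# Same rules with each LOCAL line moved ahead of the network lines (the fix).
ACCESS_CONF_AFTER = """
+:root:LOCAL
+:root:10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
+:root:2001:db8:1::/47
+:(wheel):LOCAL
+:(wheel):10.1.0.0/16 10.2.0.0/16 10.3.0.0/16
-:ALL:ALL
"""

Rule = Tuple[str, List[str], List[str]]  # (permission, user tokens, origin tokens)
Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


class CountingResolver:
    """Stand-in for getaddrinfo(): records every name that would have to be
    looked up. Models an unreachable network, so each lookup returns nothing
    (on a real host it would block until the resolver timeout expires)."""

    def __init__(self) -> None:
        self.lookups: List[str] = []

    def resolve(self, item: str) -> List[Address]:
        try:
            return [ipaddress.ip_address(item)]  # numeric origin: no DNS needed
        except ValueError:
            self.lookups.append(item)  # a tty name such as "tty4" goes to DNS
            return []


def parse_access_conf(text: str) -> List[Rule]:
    """Split each non-comment line into permission, user list and origin list.
    maxsplit=2 keeps IPv6 origin tokens (which contain colons) intact."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules


def user_match(tok: str, user: str) -> bool:
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return user in GROUPS.get(tok[1:-1], [])
    return tok == user


def from_match(tok: str, origin: str, resolver: CountingResolver) -> bool:
    if tok == "ALL":
        return True
    if tok == "LOCAL":  # pam_access: LOCAL matches any origin without a dot
        return "." not in origin
    if "/" in tok:  # network/netmask token: the origin must resolve to an address
        net = ipaddress.ip_network(tok, strict=False)
        return any(addr in net for addr in resolver.resolve(origin))
    return tok == origin


def evaluate(rules: List[Rule], user: str, origin: str,
             resolver: CountingResolver) -> Tuple[str, Optional[int]]:
    """First matching line decides. No match means access is granted, which is
    why a trailing '-:ALL:ALL' is the usual deny-by-default line."""
    for idx, (perm, users, origins) in enumerate(rules, start=1):
        if any(user_match(u, user) for u in users) and \
           any(from_match(o, origin, resolver) for o in origins):
            return perm, idx
    return "+", None


def login_cost(conf: str, user: str, origin: str) -> Tuple[str, int]:
    """Decision for (user, origin) plus the number of name lookups it cost."""
    resolver = CountingResolver()
    perm, _ = evaluate(parse_access_conf(conf), user, origin, resolver)
    return perm, len(resolver.lookups)


if __name__ == "__main__":
    for label, conf in (("before", ACCESS_CONF_BEFORE), ("after", ACCESS_CONF_AFTER)):
        perm, n = login_cost(conf, "root", "tty4")
        print(f"{label}: root on tty4 -> {perm}, {n} name lookup(s) while offline")
```

The model also shows why the reporter saw no packets in tcpdump when the console login still worked with the network up: a numeric origin is handled locally, and the stalls only appear when a non-numeric origin like a tty name is compared against a network token. Putting LOCAL rules first is cheap insurance regardless of the Linux-PAM version, since a console login then never reaches a network token at all.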
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1579.html