Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 26449

Summary: a local user login isn't permitted
Product: [Retired] Red Hat Linux
Reporter: Igor <kil>
Component: authconfig
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED CURRENTRELEASE
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 7.1
CC: walter_rowe
Hardware: i386
OS: Linux
Whiteboard: Florence RC-1
Fixed In Version: authconfig-4.4
Doc Type: Bug Fix
Last Closed: 2005-09-13 15:12:13 UTC

Attachments:
- unchanged installed file (flags: none)
- unchanged installed file (flags: none)
- Original system-auth after authconfig setup for LDAP authentication (flags: none)
- Updated system-auth after manually editing file per recommendations in #26449 (flags: none)
- Context diff between system-auth.orig and system-auth (flags: none)

Description Igor 2001-02-07 10:27:29 UTC
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)


I try to log in as local user "root", but the login is denied.

Reproducible: Always
Steps to Reproduce:
Case 1
1. LDAP client.
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
...
/etc/ldap.conf:
host x.x.x.x
base dc=xxx
ssl start_tls
2. The LDAP server is configured but, for example, doesn't support TLS/SSL,
and I think it doesn't send an answer to the SSL request.

Case 2
LDAP client.
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
...
/etc/ldap.conf:
#host x.x.x.x
#base dc=xxx
ssl start_tls


Actual Results:  access denied

Expected Results:  access permitted

It is a client's error. The client must first check the exit conditions of the
previous searches in local files (passwd, shadow).
Then it must not send any requests to the server or take any other action except
permitting access, if the exit conditions are SUCCESS.

Comment 1 Glen Foster 2001-02-08 15:52:10 UTC
We (Red Hat) should really try to resolve this before next release.

Comment 2 Nalin Dahyabhai 2001-02-08 16:25:25 UTC
What are the contents of your /etc/pam.d/system-auth file?  Are there
any messages in /var/log/messages or /var/log/secure related to the
user's access being disallowed?

Comment 3 Igor 2001-02-09 10:41:43 UTC
Created attachment 9499 [details]
unchanged installed file

Comment 4 Igor 2001-02-09 10:43:01 UTC
Created attachment 9500 [details]
unchanged installed file

Comment 5 Igor 2001-02-09 10:50:41 UTC
/var/log/messages and /var/log/secure are empty related the disallowed access.

Comment 6 Nalin Dahyabhai 2001-02-09 21:51:27 UTC
Okay, this should be resolved by authconfig-4.1.3, which until it pops up in Raw
Hide (ftp://ftp.redhat.com/pub/rawhide/) will be in
http://people.redhat.com/nalin/test/.

Apply the update, run authconfig (you can leave the settings the same, the
update changed what gets generated), and that should resolve the problem.  If
you find that that doesn't fix it, please reopen this bug ID.

Thanks!

Comment 7 Igor 2001-03-02 10:55:07 UTC
Nothing changed. Please pay attention to the useless SSL request.
The same in Wolverine.

Comment 8 Nalin Dahyabhai 2001-03-08 23:03:58 UTC
Please check if the nss_ldap package in http://people.redhat.com/nalin/test/
properly fails if starting up TLS fails.  It does on my test machine.

Comment 9 Igor 2001-03-19 14:24:54 UTC
The same. The client sends useless requests (unknown to the server). Any login fails.

Comment 10 Igor 2002-02-28 07:17:42 UTC
This is a bug in PAM configuration by authconfig.
Original /etc/pam.d/system-auth is:
...
account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
...
Must be:
...
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
...

Comment 11 Walter Rowe 2003-04-23 20:09:59 UTC
Created attachment 91259 [details]
Original system-auth after authconfig setup for LDAP authentication

Comment 12 Walter Rowe 2003-04-23 20:11:06 UTC
Created attachment 91260 [details]
Updated system-auth after manually editing file per recommendations in #26449

Comment 13 Walter Rowe 2003-04-23 20:12:44 UTC
Created attachment 91262 [details]
Context diff between system-auth.orig and system-auth

Comment 14 Walter Rowe 2003-04-23 20:14:43 UTC
The above notes indicate this problem would be resolved by authconfig 4.1.3. Red
Hat 9 with authconfig-4.3.4 still contains this bug.

Comment 15 Walter Rowe 2003-04-24 18:18:22 UTC
There is another problem I have discovered in looking at the system-auth file.
When using authconfig to enable ldap authentication, the "account" line for ldap
is written to the system-auth file in an incorrect format.

The correct format should be:

account     required        /lib/security/$ISA/pam_ldap.so default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore

What is written is:

account     required        [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore]         /lib/security/$ISA/pam_ldap.so

This generates the following error message in /var/log/messages:

Apr 24 11:25:57 localhost gdm[2515]: PAM unable to
dlopen(/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore)
Apr 24 11:25:57 localhost gdm[2515]: PAM [dlerror: /lib/security/default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore: cannot open
shared object file: No such file or directory]
Apr 24 11:25:57 localhost gdm[2515]: PAM adding faulty module:
/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore