Bug 99470

Summary: When using pam_ldap, you got this error "check pass; user unknown"
Product: [Retired] Red Hat Linux
Reporter: Oliver Schulze L. <oliver>
Component: authconfig
Assignee: Tomas Mraz <tmraz>
Status: CLOSED WONTFIX
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: 9
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2004-12-15 09:39:06 UTC

Description Oliver Schulze L. 2003-07-20 19:19:17 UTC

Description of problem:
If you are using nss_ldap and pam_ldap, and in authconfig select to use LDAP as
authentication, these lines are configured in /etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

This makes it first try to authenticate a user against /etc/passwd, and you get
the error.
Instead, authconfig should configure /etc/pam.d/system-auth like this:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so



Version-Release number of selected component (if applicable):
authconfig-4.3.4-1

How reproducible:
Always

Steps to Reproduce:
1. Configure to authenticate against LDAP in authconfig
2. login as a user that is in the LDAP user DB    

Actual Results:  You get these entries in /var/log/messages:
Jul 20 15:04:49 server pop(pam_unix)[27864]: check pass; user unknown
Jul 20 15:04:49 server pop(pam_unix)[27864]: authentication failure; logname= uid=0 euid=0 tty= ruser= rhost=
Jul 20 15:04:49 server ipop3d[27864]: Login user=user1 host=host.example.com[192.168.210.3] nmsgs=1/1
Jul 20 15:04:50 server ipop3d[27864]: Logout user=user1 host=host.example.com[192.168.210.3] nmsgs=0 ndele=1


Additional info:

You get these 2 lines for every login attempt using any service: login, pop3,
imap, ssh, etc.
Jul 20 15:04:49 server (pam_unix)[27864]: check pass; user unknown
Jul 20 15:04:49 server (pam_unix)[27864]: authentication failure;

This overloads syslog, causes an unnecessary delay and wastes disk space.
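The ordering problem the report describes can be checked mechanically. The following script is an added example written for this page; it is not part of the bug report, of authconfig or of Linux-PAM. It parses the "auth" lines of a PAM service file, finds the positions of pam_unix.so and pam_ldap.so, and reports the stack order that produces the "check pass; user unknown" noise. The two embedded configurations are copied from the report; the extra checks (that pam_unix.so, when placed after pam_ldap.so, carries use_first_pass or try_first_pass, and that the stack still ends in a required pam_deny.so) are assumptions about what a reviewer would want to verify and go beyond what the report states. The file name pam_order_check.py is hypothetical.

```python
"""Lint the 'auth' stack of a PAM service file for pam_unix/pam_ldap ordering.

Added example for this bug page; not part of the report, authconfig or Linux-PAM.
"""
import re
import sys
from typing import Dict, List, NamedTuple, Optional


class AuthEntry(NamedTuple):
    control: str      # control flag: required / sufficient / ...
    module: str       # module basename, e.g. pam_unix.so
    args: List[str]   # module arguments, e.g. ['likeauth', 'nullok']


# One 'auth' line: type, control flag, module path, optional arguments.
AUTH_LINE = re.compile(r"^\s*auth\s+(\S+)\s+(\S+)(.*)$")

# Auth stack that authconfig-4.3.4-1 writes (copied from the report above).
UNIX_FIRST = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""

# Auth stack the reporter proposes instead (copied from the report above).
LDAP_FIRST = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""


def parse_auth_stack(config_text: str) -> List[AuthEntry]:
    """Return the 'auth' entries of a PAM service file in stack order."""
    entries: List[AuthEntry] = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()   # drop comments and trailing blanks
        match = AUTH_LINE.match(line)
        if not match:
            continue                            # account/password/session lines, blanks
        control, path, rest = match.groups()
        entries.append(AuthEntry(control, path.rsplit("/", 1)[-1], rest.split()))
    return entries


def _index_of(stack: List[AuthEntry], module: str) -> Optional[int]:
    for i, entry in enumerate(stack):
        if entry.module == module:
            return i
    return None


def check_ldap_order(config_text: str) -> Dict[str, List[str]]:
    """Report ordering problems between pam_unix and pam_ldap in the auth stack."""
    stack = parse_auth_stack(config_text)
    findings: List[str] = []
    i_unix = _index_of(stack, "pam_unix.so")
    i_ldap = _index_of(stack, "pam_ldap.so")

    if i_unix is None:
        # Removing pam_unix would lock out local accounts such as root.
        findings.append("pam_unix.so missing: local accounts (including root) cannot log in")
    if i_ldap is None:
        findings.append("pam_ldap.so missing: no LDAP authentication in this stack")

    if i_unix is not None and i_ldap is not None:
        if i_unix < i_ldap:
            findings.append(
                "pam_unix.so runs before pam_ldap.so: every LDAP-only login first "
                "fails in pam_unix and logs 'check pass; user unknown'")
        elif not {"use_first_pass", "try_first_pass"} & set(stack[i_unix].args):
            # Without reusing the password, local users would get a second prompt.
            findings.append("pam_unix.so after pam_ldap.so lacks use_first_pass/try_first_pass")

    # Assumed extra check: the stack should still fall through to an explicit deny.
    if not stack or stack[-1].module != "pam_deny.so" or stack[-1].control != "required":
        findings.append("auth stack does not end with 'required pam_deny.so'")

    return {"order": [e.module for e in stack], "findings": findings}


if __name__ == "__main__":
    # Usage: python pam_order_check.py /etc/pam.d/system-auth
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/pam.d/system-auth"
    with open(path) as fh:
        report = check_ldap_order(fh.read())
    print("auth stack:", " -> ".join(report["order"]))
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against a real system-auth, the script only reads the file and prints findings; it changes nothing. Two points worth keeping in mind when weighing the proposed reorder: pam_unix.so must stay in the stack so that local accounts, root included, can still log in, and putting pam_ldap.so first means every login attempt, local ones too, is tried against the directory before /etc/shadow, so an unreachable LDAP server adds latency to all logins rather than only to LDAP users.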

Comment 1 Oliver Schulze L. 2003-09-06 17:45:16 UTC
Also, please note that when using the current authconfig settings, the imap and pop3
daemons log their messages in /var/log/messages. But, after applying my patch, they
log the messages in /var/log/maillog.

These 2 lines are the messages logged now in /var/log/maillog:
Jul 20 15:04:49 server ipop3d[27864]: Login user=user1 host=host.example.com[192.168.210.3] nmsgs=1/1
Jul 20 15:04:50 server ipop3d[27864]: Logout user=user1 host=host.example.com[192.168.210.3] nmsgs=0 ndele=1

I think that logging in /var/log/maillog is the desired behavior for imap and pop3
(both from the wu-imap package).

Comment 2 Tomas Mraz 2004-12-15 09:39:06 UTC
This is WONTFIX as:

1. The module pam_unix can't be removed from system-auth since it
would completely disable the local logins (root for example). The
syslogging can't be switched off because these messages are valid in
case there is no other auth pam module in the system-auth, and the
pam_unix module can't know if it's the only module in the auth stack.

2. The logging of imap, pop3 in messages is a bug, but it's a bug of the
wu-imap package because it should reopen syslog after calling pam.
There is no way to do it right in pam. The other possibility would be
not to openlog in pam_unix, but this could be problematic in other
situations.