Description of problem:
I use authconfig to configure Red Hat 6 and Red Hat 5 servers for authentication. I use --enablepamaccess to tune access for users. Once configured as such, I have no problem for users in LDAP (sssd), but the login process freezes when I try to log in as a local user on the console. After a while (about three minutes) I get a shell if I'm allowed to with regard to the access.conf rules.

After investigations, the problem sounds to be due to the fact that the pam_access module in the PAM files, line:
  "account required pam_access.so"
is called before PAM has identified whether the user was local or not, lines:
  "account required pam_unix.so"
  "account sufficient pam_localuser.so"
(my understanding is that PAM is having a problem trying to evaluate access.conf without knowing the user id).

If I move this line:
  "account required pam_access.so"
after:
  "account required pam_unix.so"
  "account sufficient pam_localuser.so"
then the freeze problem disappears (but access.conf is not taken into account for local users anymore). I'm not sure what would be the right patch to that issue.

How reproducible:

Steps to Reproduce:
1. launch authconfig --enableshadow --enablelocauthorize --enablepamaccess --updateall
2. add rules for local users on the console in /etc/security/access.conf

Actual results:
login process freezes before granting access

Expected results:
login process shouldn't freeze

Additional info:
The configuration is correct. It is not true that pam_access would not know the uid in such a configuration; the bug must be elsewhere. If you disable LDAP with authconfig --disableldap --update, does the local user login still hang? How many users and groups are in the LDAP server?
Yes, I have the same problem when LDAP is disabled (BTW, I have launched authconfig with --disableeverything except --enableshadow --enablelocauthorize --enablepamaccess). See below my nsswitch.conf. But I forgot to say that the problem only occurs when I try to log in as a local user on the console AND the network is not reachable (no problem otherwise).

Local login freezes with the following nsswitch.conf, and tcpdump doesn't show anything when I try to log in:

===============================
passwd:     files
shadow:     files
group:      files

#hosts:     db files nisplus nis dns
hosts:      files dns

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files

netgroup:   files

publickey:  nisplus

automount:  files
aliases:    files nisplus

sudoers:    file
=========================

The problem disappears when the network is reachable, or if I move "account required pam_access.so" in the system-auth-ac file as I described above.
Read:
=====
> But I forgot to say that the problem only occurs when I try to log in as a local user ON the console AND the network is not reachable (no problem otherwise).
Then a much more probable culprit is DNS timeouts in pam_access. What is in your /etc/security/access.conf? There were some optimizations in pam_access added in later Linux-PAM upstream releases.
Thank you for looking at this, Tomas. As I said, I tried tcpdump to capture packets, and have not seen any network request issued by the machine over the login process. Maybe the machine is waiting for something? Here is my access.conf:

+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL
#
#### 'wheel' is a local group ######
#
#
#### members may log on the console ######
#
+:(wheel):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(wheel):2001:xxx:xxx::/47
+:(wheel):LOCAL
#
#### 'reseau' is an LDAP group ######
#
#
#### members may log on the console ######
#
+:(reseau):LOCAL
#
#### members of some other ldap groups are ######
#
#
#### authorised to log in from internal networks ######
#
+:(reseau) (tech):10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:(reseau)(tech):2001:xxx:xxx::/47
Maybe you made some mistake in the tcpdump invocation. I don't know. I am sorry I can only point you at official Red Hat support channels for further investigation and resolution of your issue. http://www.redhat.com/support/
Hi Tomas,

To let you know, I found a fix. I have changed this in access.conf:

+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47
+:root:LOCAL

to this:

+:root:LOCAL
+:root:10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
+:root:2001:xxx:xxx::/47

The issue is then related to the way pam_access is parsing the file, and also to something that is still not clear related to the two (matching) rules that reference IP blocks (the machine itself is located in one of the authorised blocks, but this shouldn't block the login process for three minutes IMHO). I will report the debug trace I get to the pam_access dev. Thanks for your help.
Just in case this would be of interest here, here is a pam_access debug trace with the first version of access.conf. My understanding is that since the machine is itself in an authorized block, then pam_access is waiting for something: tcpdump doesn't say what.

Nov 14 12:18:29 gaia02 login: pam_access(login:account): login_access: user=root, from=tty4, file=/etc/security/access.conf
Nov 14 12:18:29 gaia02 login: pam_access(login:account): line 126: + : root : 10.x.x.x/16 10.x.x.x/16 10.x.x.x/16
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:18:29 gaia02 login: pam_access(login:account): list_match: list=10.x.x.x/16 10.x.x.x/16 10.x.x.x/16, item=root
Nov 14 12:18:29 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:18:49 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): from_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): string_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:09 gaia02 login: pam_access(login:account): network_netmask_match: tok=10.x.x.x/16, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): line 127: + : root : 2001:xxx:xxx::/47
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:29 gaia02 login: pam_access(login:account): list_match: list=2001:xxx:xxx::/47, item=root
Nov 14 12:19:29 gaia02 login: pam_access(login:account): from_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): string_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:29 gaia02 login: pam_access(login:account): network_netmask_match: tok=2001:xxx:xxx::/47, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=0, "tty4"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): line 128: + : root : LOCAL
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=root, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): user_match=1, "root"
Nov 14 12:19:49 gaia02 login: pam_access(login:account): list_match: list=LOCAL, item=root
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): string_match: tok=LOCAL, item=tty4
Nov 14 12:19:49 gaia02 login: pam_access(login:account): from_match=1, "tty4"
Nov 14 12:19:49 gaia02 login: pam_unix(login:session): session opened for user root by LOGIN(uid=0)
Nov 14 12:19:49 gaia02 login: ROOT LOGIN ON tty4
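The reorder fix from the previous comment and the debug trace above both come down to evaluation order: pam_access walks the rules top to bottom, and for a console origin such as tty4 every network token that precedes the LOCAL rule goes through network_netmask_match, which has to resolve the origin before it can compare it against the mask. The following is an added example, not code from the bug report or from Linux-PAM. It is a small Python model of that match order (user_match, then each 'from' token via string_match / network_netmask_match, simplified: it treats LOCAL as "origin contains no dot" and ignores netgroups and EXCEPT), counts the resolver lookups a login would trigger before a rule matches, and lints an access.conf for users whose LOCAL rule sits below network rules. The sample rules are constructed and use documentation prefixes in place of the reporter's 10.x.x.x/16 and 2001:xxx:xxx::/47 blocks.

```python
"""Model pam_access rule order for a console login (added example, not Linux-PAM code)."""
import ipaddress

LOCAL_TOKEN = "LOCAL"

# Constructed sample: the reporter's first access.conf (root rules only),
# with documentation prefixes standing in for the real address blocks.
ORIGINAL = """\
+:root:192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
+:root:2001:db8::/32
+:root:LOCAL
"""

# The same rules with the LOCAL rule first, as in the reporter's fix.
REORDERED = """\
+:root:LOCAL
+:root:192.0.2.0/24 198.51.100.0/24 203.0.113.0/24
+:root:2001:db8::/32
"""


def parse_access_conf(text):
    """Return [(lineno, perm, users, froms)] for each 'perm:users:from' line."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        perm, users, froms = (f.strip() for f in line.split(":", 2))
        rules.append((lineno, perm, users.split(), froms.split()))
    return rules


def user_match(tok, user, groups):
    """ALL, a (group) token, or a literal user name."""
    if tok == "ALL":
        return True
    if tok.startswith("(") and tok.endswith(")"):
        return tok[1:-1] in groups
    return tok == user


def is_network_token(tok):
    """True for address/prefix tokens such as 192.0.2.0/24 or 2001:db8::/32."""
    try:
        ipaddress.ip_network(tok, strict=False)
        return True
    except ValueError:
        return False


def from_match(tok, origin, lookups):
    """Mirror from_match: string_match first, then network_netmask_match.

    A tty origin never string-matches a network token, so pam_access falls
    through to network_netmask_match, which resolves the origin with
    getaddrinfo(); each such call is recorded in `lookups` because with no
    reachable resolver it blocks until the resolver times out.
    """
    if tok == "ALL":
        return True
    if tok == LOCAL_TOKEN:
        return "." not in origin          # simplified LOCAL: a tty name has no dots
    if tok == origin:
        return True
    if is_network_token(tok):
        lookups.append(tok)               # getaddrinfo(origin) would happen here
        try:
            addr = ipaddress.ip_address(origin)
        except ValueError:
            return False                  # origin is a tty, not an address
        return addr in ipaddress.ip_network(tok, strict=False)
    return False


def evaluate(text, user, groups, origin):
    """Return (matching_lineno, permitted, lookups), first matching rule wins."""
    lookups = []
    for lineno, perm, users, froms in parse_access_conf(text):
        if not any(user_match(t, user, groups) for t in users):
            continue
        if any(from_match(t, origin, lookups) for t in froms):
            return lineno, perm == "+", lookups
    return None, True, lookups            # no rule matched: pam_access permits


def lint_local_after_network(text):
    """Flag (lineno, user, n) where a LOCAL rule follows n network tokens for that user.

    Every one of those n tokens costs a resolver lookup on the console origin
    before the LOCAL rule is reached, which is the delay seen in the trace.
    """
    findings, seen = [], {}
    for lineno, perm, users, froms in parse_access_conf(text):
        n_net = sum(is_network_token(t) for t in froms)
        for u in users:
            if LOCAL_TOKEN in froms and seen.get(u, 0):
                findings.append((lineno, u, seen[u]))
            seen[u] = seen.get(u, 0) + n_net
    return findings


if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL), ("reordered", REORDERED)):
        lineno, ok, lookups = evaluate(conf, "root", set(), "tty4")
        print(f"{name}: matched line {lineno}, permitted={ok}, lookups={len(lookups)}")
        print(f"{name}: lint findings {lint_local_after_network(conf)}")
```

Run against the constructed rules, the original order matches on line 3 only after four resolver lookups (three IPv4 tokens and one IPv6 token, the same four network_netmask_match calls that each cost about 20 seconds in the trace), while the reordered file matches on line 1 with none. The lint reports the original file's root LOCAL rule as sitting below four network tokens and is silent on the reordered one.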
As I said above - it is really about getaddrinfo repeatedly timing out, and it was fixed or at least improved in the more recent upstream releases of Linux-PAM. We could backport the changes if pam gets on the list of packages for the next update release.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2014-1579.html