Bug 115399 - ssh fails with pam_ldap and su segfaults
ssh fails with pam_ldap and su segfaults
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: pam (Show other bugs)
3.0
i686 Linux
medium Severity high
: ---
: ---
Assigned To: Tomas Mraz
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2004-02-11 17:12 EST by John McCoy
Modified: 2007-11-30 17:07 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-11-16 13:30:57 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
strace capture for su segmentation fault for ldap user (84.27 KB, text/plain)
2004-07-19 09:48 EDT, Jason Sauve
no flags Details

  None (edit)
Description John McCoy 2004-02-11 17:12:11 EST
Description of problem:
When configured for LDAP authentication users can not login without an
entry in /etc/passwd. Telnet works fine but the id command fails too.

Version-Release number of selected component (if applicable):
openldap-2.0.27-11
nss_ldap-207-5
openldap-clients-2.0.27-11
pam-0.75-51

How reproducible:
Everytime between my 2 RHEL 3 systems

Steps to Reproduce:
1.authconfig -- set both tabs for ldap
2.modify /etc/ssh/sshd_conf -- PAMAuthenticationViaKbdInt yes
3. Connect via ssh as LDAP (non-local) user
  
Actual results:
[root@entropy2 root]# ssh jmccoy@cms-test.mills.edu
jmccoy@cms-test.mills.edu's password: 
Connection to cms-test.mills.edu closed by remote host.
Connection to cms-test.mills.edu closed.

and

[root@cms-test pam.d]# su - jmccoy
Segmentation fault

Expected results:
Login and a shell

Additional info:
Feb 11 14:12:39 cms-test sshd[15319]: Accepted password for jmccoy
from 144.91.44.121 port 32815 ssh2
Feb 11 14:12:39 cms-test pam_console[15321]: user is "jmccoy"
Feb 11 14:12:39 cms-test pam_console[15321]: getpwnam failed for jmccoy
Feb 11 14:12:39 cms-test pam_console[15321]: parsing config file
/etc/security/console.perms
Feb 11 14:12:39 cms-test pam_console[15321]: check console /dev/pts/6
Feb 11 14:12:39 cms-test pam_console[15321]: checking possible console
"/dev/pts/6"
Feb 11 14:12:39 cms-test pam_console[15321]: console /dev/pts/6 is a
character device
Feb 11 14:12:39 cms-test pam_console[15321]: did not find console
/dev/pts/6
Feb 11 14:12:39 cms-test sshd[15321]: fatal: PAM session setup
failed[14]: Cannot make/remove an entry for the specified session
Comment 1 John McCoy 2004-02-11 17:18:42 EST
sshd:
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_limits.so
session    optional     pam_console.so debug

system-auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_unix.so

/etc/ldap.conf:
host 144.91.XXX.XXX
base dc=mills,dc=edu
rootbinddn cn=ldaprootuser,dc=mills,dc=edu
timelimit 30
bind_timelimit 30
pam_min_uid 200
nss_base_passwd ou=People,dc=mills,dc=edu?one
nss_base_shadow ou=People,dc=mills,dc=edu?one
nss_base_group          ou=Group,dc=mills,dc=edu?one
nss_base_hosts          ou=Hosts,dc=mills,dc=edu?one
ssl no
pam_password md5

slapd.conf:
access to dn="" by * read
access to *
        by self read
        by users read
        by anonymous auth
database        ldbm
suffix          "dc=mills,dc=edu"
rootdn          "cn=ldaprootuser,dc=mills,dc=edu"
rootpw          MY-PRESIOUS
directory       /var/lib/ldap
index   objectClass,uid,uidNumber,gidNumber,memberUid   eq
index   cn,mail,surname,givenname                       eq,subinitial
Comment 2 John McCoy 2004-02-12 13:03:18 EST
By setting up the proxyuser with read access ssh now works and root
can su to other users but a regular user can not su to root. No
segfault and  /var/log/messages reports a session opened and then
closed for root by user. I have never seen in the redhat documents the
need to set up the proxyuser, only only found this in mandrakes docs. 

/etc/ldap.conf
binddn cn=proxyuser,dc=mills,dc=edu
bindpw bigsupersecret

/etc/openldap/slapd.conf
access to dn="" by * read
access to *
        by dn="cn=proxyuser,dc=mills,dc=edu" read
        by self read
        by users read
        by anonymous auth
Comment 3 Travis L. Bean 2004-05-21 18:12:23 EDT
On my RHEL 3 server I was also experiencing a segmentation fault when
trying to su to root when using ldap.  I worked around this problem by
adding a pam_ldap.so entry to line #1 in /etc/pam.d/su service file as
shown below:

#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_ldap.so use_first_pass
auth       sufficient   /lib/security/$ISA/pam_rootok.so
auth       required     /lib/security/$ISA/pam_stack.so
service=system-auth
account    required     /lib/security/$ISA/pam_stack.so
service=system-auth
password   required     /lib/security/$ISA/pam_stack.so
service=system-auth
session    required     /lib/security/$ISA/pam_stack.so
service=system-auth
session    optional     /lib/security/$ISA/pam_xauth.so
Comment 4 Jason Sauve 2004-07-16 13:58:18 EDT
I have to confirm that su from any user  account (ldap, or passwd) to 
a ldap user account causes a segfault as well because I was able to 
reproduce the same problem. Never had to modify sshd_config for LDAP 
accounts to be able to login through SSH though.
Comment 5 Jason Sauve 2004-07-19 09:48:12 EDT
Created attachment 102034 [details]
strace capture for su segmentation fault for ldap user
Comment 6 Jason Sauve 2004-07-19 10:10:24 EDT
After examining the strace log and finding the line that read waitpid
(-1, su: cannot set groups: Operation not permitted, it directed me 
to thinking about my AD SFU unix groups. The primary group for my 
LDAP users that I was attempting to su to contained a space, after 
removing the space there was no more segfault using su. 

I dont know if this is the same issue the other guy is having here 

I'm not sure whether this could be considered a bug in su, but spaces 
in group names in the LDAP directory didn't seem to cause problems 
anywhere else.
Comment 7 Craig White 2004-07-23 20:04:03 EDT
Just adding my name to the list in case there's updates - I obviously
am having the same problem.
Comment 8 ktrustin 2004-09-16 11:10:39 EDT
I had the "su - root" segfault problem here (RHES 3.1 with all 
updates on i386). It had been working fine then began to fail a 
couple of weeks ago. Travis Bean's fix, above, made it work again. 
However, I discovered this morning that we had two nscd processes 
running, only one of which could be stopped via the init.d script. I 
killed the "rogue" nscd process, restarted nscd, and the "su - root" 
problem was gone even after I removed Travis Bean's work around from 
PAM. 
Comment 9 Travis L. Bean 2004-09-22 14:27:58 EDT
I discovered that nscd is the problem.  If I run /usr/sbin/authconfig
and choose "Cache Information" (which invokes the nscd process), my
above mentioned workaround for /etc/pam.d/su is needed to prevent a
segmentation fault.  If nscd is never invoked by authconfig then the
/etc/pam.d/su default service file works fine.  
Comment 10 John McCoy 2004-09-22 16:26:13 EDT
Sorry all for not updating our situation in a while but this was only
a problem for our first couple of systems we built up on RHEL 3. I
would say sense this summer su has worked fine. I did discover that
the original box that had this problem had this line in /etc/pam.d/su

auth       sufficient   /lib/security/$ISA/pam_ldap.so use_first_pass
Removing this line fixed all su issues

I also modify in system-auth
account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/s
        ecurity/$ISA/pam_ldap.so

to

account     [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore authinfo_unavail=ignore] /lib/s
        ecurity/$ISA/pam_ldap.so

As it seems to help root login faster when the systems are offline,
root is a local account of course

I think maybe the original authconfig script had some issues that RH
fixed earlier this year.
Note: I do not cache login info but rather run several servers if they
are all down so is DNS so what does auth matter at that point.
Comment 11 Tomas Mraz 2004-11-16 13:30:57 EST
I'm closing this bug as it seems to be OK for the original reporter now.
People who are cced on this, please open new bugs if you still see any
problems with updated RHEL installs.

Note You need to log in before you can comment on or make changes to this bug.