Bug 26449 - a local user login isn't permitted
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: authconfig
Version: 7.1
Hardware: i386 Linux
Priority: medium  Severity: medium
Assigned To: Nalin Dahyabhai
QA Contact: Brian Brock
Target Milestone: Florence RC-1
Reported: 2001-02-07 05:27 EST by Igor
Modified: 2007-04-18 12:31 EDT
Fixed In Version: authconfig-4.4
Doc Type: Bug Fix
Last Closed: 2005-09-13 11:12:13 EDT

Attachments
unchanged installed file (870 bytes, text/plain), 2001-02-09 05:41 EST, Igor
unchanged installed file (870 bytes, text/plain), 2001-02-09 05:43 EST, Igor
Original system-auth after authconfig setup for LDAP authentication (1011 bytes, text/plain), 2003-04-23 16:09 EDT, Walter Rowe
Updated system-auth after manually editing file per recommendations in #26449 (1022 bytes, text/plain), 2003-04-23 16:11 EDT, Walter Rowe
Context diff between system-auth.orig and system-auth (1.12 KB, text/plain), 2003-04-23 16:12 EDT, Walter Rowe

Description Igor 2001-02-07 05:27:29 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)


I try to log in as local user "root", but login is denied.

Reproducible: Always
Steps to Reproduce:
Case 1
1. LDAP client.
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
...
/etc/ldap.conf:
host x.x.x.x
base dc=xxx
ssl start_tls
2. LDAP server is configured but, for example, doesn't support TLS/SSL,
and I think doesn't send an answer to the SSL request.

Case 2
LDAP client.
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
...
/etc/ldap.conf:
#host x.x.x.x
#base dc=xxx
ssl start_tls

Actual Results:  access denied

Expected Results:  access permitted

It is a client's error. The client must first check the exit conditions of
the previous searches in the local files (passwd, shadow).
Then it must not send any requests to the server or take other actions, except
permitting access, if those exit conditions are SUCCESS.
Comment 1 Glen Foster 2001-02-08 10:52:10 EST
We (Red Hat) should really try to resolve this before next release.
Comment 2 Nalin Dahyabhai 2001-02-08 11:25:25 EST
What are the contents of your /etc/pam.d/system-auth file?  Are there
any messages in /var/log/messages or /var/log/secure related to the
user's access being disallowed?
Comment 3 Igor 2001-02-09 05:41:43 EST
Created attachment 9499 [details]
unchanged installed file
Comment 4 Igor 2001-02-09 05:43:01 EST
Created attachment 9500 [details]
unchanged installed file
Comment 5 Igor 2001-02-09 05:50:41 EST
/var/log/messages and /var/log/secure contain nothing related to the disallowed access.
Comment 6 Nalin Dahyabhai 2001-02-09 16:51:27 EST
Okay, this should be resolved by authconfig-4.1.3, which until it pops up in
Raw Hide (ftp://ftp.redhat.com/pub/rawhide/) will be in
http://people.redhat.com/nalin/test/.

Apply the update, run authconfig (you can leave the settings the same, the
update changed what gets generated), and that should resolve the problem.  If
you find that that doesn't fix it, please reopen this bug ID.

Thanks!
Comment 7 Igor 2001-03-02 05:55:07 EST
Nothing changed. Please pay attention to the useless SSL request.
The same in wolverine.
Comment 8 Nalin Dahyabhai 2001-03-08 18:03:58 EST
Please check if the nss_ldap package in http://people.redhat.com/nalin/test/
properly fails if starting up TLS fails.  It does on my test machine.
Comment 9 Igor 2001-03-19 09:24:54 EST
The same. The client sends useless requests (unknown to the server). Any login fails.
Comment 10 Igor 2002-02-28 02:17:42 EST
This is a bug in the PAM configuration written by authconfig.
Original /etc/pam.d/system-auth is:
...
account required /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
...
Must be:
...
account sufficient /lib/security/pam_unix.so
account required /lib/security/pam_ldap.so
...
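To see why the "required / required" account stack above locks out a local root while the "sufficient / required" ordering lets it in, here is a small model of how Linux-PAM walks an account stack. This is an added example, not code from the bug report or from authconfig: the action tables follow pam.d(5), the dispatch rules are a reduced version of Linux-PAM's, and the module return values (pam_unix accepting root, pam_ldap reporting a service error when the server does not answer start_tls) are constructed to mirror the report. It also goes one step beyond the comment by running the bracketed control form that appears later in this bug, and an expired local account, through the same three stacks.

```python
"""Simplified model of how Linux-PAM walks an 'account' stack.

Added example, not code from the bug report or from authconfig. The action
tables follow pam.d(5); the dispatch rules are a reduced version of
Linux-PAM's (first bad/die result wins, sufficient short-circuits only while
nothing has failed, a stack where no module contributes is denied). The
module return values below are constructed to mirror the report.
"""

# PAM return values used here, spelled as pam.d(5) names them.
SUCCESS, PERM_DENIED, USER_UNKNOWN = "success", "perm_denied", "user_unknown"
SERVICE_ERR, ACCT_EXPIRED = "service_err", "acct_expired"

# Simple control keywords as their equivalent action maps (pam.d(5)).
SIMPLE_CONTROLS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[default=bad success=ok ...]' -> {return value: action}."""
    if control.startswith("[") and control.endswith("]"):
        return dict(item.split("=", 1) for item in control[1:-1].split())
    return dict(SIMPLE_CONTROLS[control])

def run_stack(stack, module_results):
    """Evaluate [(control, module), ...] with module_results: module -> value."""
    status, failed = None, False
    for control, module in stack:
        result = module_results[module]
        actions = parse_control(control)
        action = actions.get(result, actions["default"])
        if action == "ignore":
            continue                        # module contributes nothing
        if action in ("bad", "die"):
            if not failed:                  # first failure sets the verdict
                status, failed = result, True
            if action == "die":
                break                       # requisite: stop right here
            continue
        if action in ("ok", "done"):
            if not failed:
                status = result
            if action == "done" and status == SUCCESS:
                return status               # sufficient: nothing failed, done
            continue
        raise ValueError(f"unsupported action {action!r}")
    return PERM_DENIED if status is None else status

# The three stack shapes that appear in this bug: the generated one, the
# reporter's proposed fix, and the bracketed form from the later comments.
ORIGINAL = [("required", "pam_unix.so"), ("required", "pam_ldap.so")]
PROPOSED = [("sufficient", "pam_unix.so"), ("required", "pam_ldap.so")]
BRACKETED = [
    ("required", "pam_unix.so"),
    ("[default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore]",
     "pam_ldap.so"),
]

def local_root_ldap_unreachable(stack):
    """Local root while the LDAP server does not answer the start_tls request.

    pam_unix finds root in /etc/passwd; pam_ldap cannot reach the server and
    is assumed here to report a service error (constructed value)."""
    return run_stack(stack, {"pam_unix.so": SUCCESS, "pam_ldap.so": SERVICE_ERR})

def expired_local_account(stack):
    """Local account that /etc/shadow says is expired and LDAP has never seen."""
    return run_stack(stack, {"pam_unix.so": ACCT_EXPIRED, "pam_ldap.so": USER_UNKNOWN})

if __name__ == "__main__":
    for name, stack in [("original", ORIGINAL), ("proposed", PROPOSED), ("bracketed", BRACKETED)]:
        print(f"{name:9} root, LDAP down: {local_root_ldap_unreachable(stack):12} "
              f"expired local: {expired_local_account(stack)}")
```

With the generated stack the pam_ldap failure becomes the verdict and root is denied; with pam_unix marked sufficient the stack returns as soon as pam_unix succeeds, so the LDAP server is never consulted for a local user. The bracketed form reaches the same result for root by mapping service_err and user_unknown to ignore, and it keeps pam_unix's own reason (acct_expired) for a disabled local account, where the sufficient ordering ends up reporting pam_ldap's user_unknown instead.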
Comment 11 Walter Rowe 2003-04-23 16:09:59 EDT
Created attachment 91259 [details]
Original system-auth after authconfig setup for LDAP authentication
Comment 12 Walter Rowe 2003-04-23 16:11:06 EDT
Created attachment 91260 [details]
Updated system-auth after manually editing file per recommendations in #26449
Comment 13 Walter Rowe 2003-04-23 16:12:44 EDT
Created attachment 91262 [details]
Context diff between system-auth.orig and system-auth
Comment 14 Walter Rowe 2003-04-23 16:14:43 EDT
The above notes indicate this problem would be resolved by authconfig 4.1.3. Red
Hat 9 with authconfig-4.3.4 still contains this bug.
Comment 15 Walter Rowe 2003-04-24 14:18:22 EDT
There is another problem I have discovered in looking at the system-auth file.
When using authconfig to enable ldap authentication, the "account" line for ldap
is written to the system-auth file in an incorrect format.

The correct format should be:

account     required        /lib/security/$ISA/pam_ldap.so default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore

What is written is:

account     required        [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore]         /lib/security/$ISA/pam_ldap.so

This generates the following error message in /var/log/messages:

Apr 24 11:25:57 localhost gdm[2515]: PAM unable to
dlopen(/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore)
Apr 24 11:25:57 localhost gdm[2515]: PAM [dlerror: /lib/security/default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore: cannot open
shared object file: No such file or directory]
Apr 24 11:25:57 localhost gdm[2515]: PAM adding faulty module:
/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore
