Bug 89592 - authconfig formats LDAP account entry wrong in /etc/pam.d/system-auth
authconfig formats LDAP account entry wrong in /etc/pam.d/system-auth
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux Beta
Classification: Retired
Component: authconfig (Show other bugs)
beta1
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-04-24 14:42 EDT by Walter Rowe
Modified: 2007-04-18 12:53 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-15 03:43:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Walter Rowe 2003-04-24 14:42:30 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.2.1) Gecko/20030225

Description of problem:
authconfig generates the following output:

account     required        [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

It should generate the following output:

account     required        /lib/security/$ISA/pam_ldap.so default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore

The improper format above produces the following error messages in
/var/log/messages when logging in via GDM.

Apr 24 11:25:57 localhost gdm[2515]: PAM unable to
dlopen(/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore)
Apr 24 11:25:57 localhost gdm[2515]: PAM [dlerror: /lib/security/default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore: cannot open
shared object file: No such file or directory]
Apr 24 11:25:57 localhost gdm[2515]: PAM adding faulty module:
/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore



Version-Release number of selected component (if applicable):
authconfig-4.3.4

How reproducible:
Always

Steps to Reproduce:
1. run authconfig
2. turn on LDAP authentication on both screens
3. reboot
4. log in using any user ID (local or LDAP)
5. check /var/log/messages


Actual Results:  Apr 24 11:25:57 localhost gdm[2515]: PAM unable to
dlopen(/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore)
Apr 24 11:25:57 localhost gdm[2515]: PAM [dlerror: /lib/security/default=bad
success=ok user_unknown=ignore service_err=ignore system_err=ignore: cannot open
shared object file: No such file or directory]
Apr 24 11:25:57 localhost gdm[2515]: PAM adding faulty module:
/lib/security/default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore


Expected Results:  expect no error messages in /var/log/messages


Additional info:
Comment 1 Walter Rowe 2003-04-28 11:23:00 EDT
The man page for "pam" explicitly says the following (which does not match the
behaviour of the PAM system shown above):

       service  type  control  module-path  module-arguments

       The  third field, control, indicates the behavior of the PAM-API should
       the module fail to succeed in its authentication task.  There  are  two
       types  of  syntax  for  this control field: the simple one has a single
       simple keyword; the more complicated one  involves  a  square-bracketed
       selection of value=action pairs.
                                                                                
       For  the simple (historical) syntax valid control values are: requisite
       - failure of such a PAM results in the  immediate  termination  of  the
       authentication  process;  required  -  failure of such a PAM will ulti-
       mately lead to the PAM-API returning failure but only after the remain-
       ing stacked modules (for this service and type) have been invoked; suf-
       ficient - success of such a module is enough to satisfy the authentica-
       tion  requirements  of the stack of modules (if a prior required module
       has failed the success of this one is ignored); optional - the  success
       or failure of this module is only important if it is the only module in
       the stack associated with this service+type.
                                                                                
       For the more complicated syntax valid control values have the following
       form:
                                                                                
       [value1=action1value2=action2...]

When the complicated syntax is placed in /etc/pam.d/system-auth when I turn on
LDAP authentication using "authconfig", PAM complains that it cannot open the
module "/lib/security/default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore".
Comment 2 redbugs 2003-07-10 16:54:26 EDT
Looks to me like format should be 

account  [default=bad success=ok user_unknown=ignore service_err=ignore
system_err=ignore] /lib/security/$ISA/pam_ldap.so

The keyword "required" in your example should NOT be there - the
square-bracketed portion of the above line replaces the old-style "required"
keyword.

The segment of man page you posted is referring to the single pam.conf file
method of configuration, where each service is listed in a single file.  Red Hat
uses the more powerful and flexible multi-file pam.d method, where each service
has its' own file named for the service and the syntax you quoted should be
left-shifted to remove the first argument (service name).

Switches following the module specification are module-specific (like the nullok
and authtoken switches, for example) while the square-bracketed stuff works for
any module since it governs the interpretation of the module's return values,
not the actual behaviour of the module.

Hope this helps.  And I hope Red Hat fixes the bug, too.
Comment 3 Walter Rowe 2003-07-22 09:08:05 EDT
The man page I extracted from was the RedHat 9 man page. Also, I tried the
format you suggested and it did not work. Read my entire second message and you
will see that I already noted that I had tried that and it was unsuccessful. How
about trying it out and seeing for yourself!
Comment 4 redbugs 2003-09-08 09:44:35 EDT
Read the WHOLE man page, not just the section you posted above.  That part you
posted is for a single /etc/pam.conf file, not for a /etc/pam.d/* file set!

I'm running the configuration I posted on *three* RH9 machines without
problems... I tested it before I posted, in fact.  Two of those machines are
fairly mission-critical.

But I don't use GDM, since I rarely run Xwindows.  X is too bloated and
unreliable for any of my production boxes.  So I can't reproduce your error
messages anyway.

Maybe if you re-read my earlier post while counting the fields in your
/etc/pam.d/system-auth you will notice something...

Note You need to log in before you can comment on or make changes to this bug.