Bug 99470 - When using pam_ldap, you got this error "check pass; user unknown"
When using pam_ldap, you got this error "check pass; user unknown"
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: authconfig (Show other bugs)
9
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Tomas Mraz
Brian Brock
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2003-07-20 15:19 EDT by Oliver Schulze L.
Modified: 2007-04-18 12:55 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-12-15 04:39:06 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Oliver Schulze L. 2003-07-20 15:19:17 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4b)
Gecko/20030516 Mozilla Firebird/0.6

Description of problem:
If you are using nss_ldap and pam_ldap, and in authconfig select to use LDAP as
authentication, this lines are configured in /etc/pam.d/system-auth:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

This makes to first try to authenticate a user againts /etc/passwd and you got
the error.
Instead, authconfig should configure /etc/pam.d/system-auth like this:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_ldap.so 
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so



Version-Release number of selected component (if applicable):
authconfig-4.3.4-1

How reproducible:
Always

Steps to Reproduce:
1. Configure to authenticate against LDAP in authconfig
2. login as a user that is in the LDAP user DB    

Actual Results:  You got this entry in /var/log/messages:
Jul 20 15:04:49 server pop(pam_unix)[27864]: check pass; user unknown
Jul 20 15:04:49 server pop(pam_unix)[27864]: authentication failure; logname=
uid=0 euid=0 tty= ruser= rhost=
Jul 20 15:04:49 server ipop3d[27864]: Login user=user1
host=host.example.com[192.168.210.3] nmsgs=1/1
Jul 20 15:04:50 server ipop3d[27864]: Logout user=user1 host=host.example.com
[192.168.210.3] nmsgs=0 ndele=1


Additional info:

You get this 2 lines for every login attempt using any service: login, pop3,
imap, ssh, etc
Jul 20 15:04:49 server (pam_unix)[27864]: check pass; user unknown
Jul 20 15:04:49 server (pam_unix)[27864]: authentication failure; 

Which overload syslog, cause an innecesary delay and waste disk space.
Comment 1 Oliver Schulze L. 2003-09-06 13:45:16 EDT
Also, please note that when using current authconfig settings, imap y pop3
daemons log its messages in /var/log/messages. But, after aplying my patch, they
log the messages in /var/log/maillog.

These 2 lines are the messages logged now in /var/log/maillog:
Jul 20 15:04:49 server ipop3d[27864]: Login user=user1
host=host.example.com[192.168.210.3] nmsgs=1/1
Jul 20 15:04:50 server ipop3d[27864]: Logout user=user1 host=host.example.com
[192.168.210.3] nmsgs=0 ndele=1

I think that loggin in /var/log/maillog is the desired behavior for imap y pop3
(both from wu-imap package)
Comment 2 Tomas Mraz 2004-12-15 04:39:06 EST
This is WONTFIX as:

1. The module pam_unix can't be removed from system-auth since it
would completely disable the local logins (root for example) the
syslogging can't be switched off because these messages are valid in
case there is no other auth pam module in the system-auth and the
pam_unix module can't know if it's the only module in the auth stack.

2. The logging of imap, pop3 in messages is a bug but it's a bug of
wu-imap package because it should reopen syslog after calling pam.
There is no way how to do it right in pam. Other possibility would be
not to openlog in pam_unix but this could be problematic in other
situations.


Note You need to log in before you can comment on or make changes to this bug.