Your message dated Fri, 18 Jun 2010 23:20:30 +0200
with message-id <[email protected]>
and subject line Re: Bug#586331: /etc/pam.d/common-account should have pam_permit at the end
has caused the Debian Bug report #586331,
regarding /etc/pam.d/common-account should have pam_permit at the end
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
586331: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=586331
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Subject: /etc/pam.d/common-account should have pam_permit at the end
Package: libpam-runtime
Version: 1.1.1-3
Severity: important

I believe the default /etc/pam.d/common-account should have a pam_permit
after the "Additional" section (just like with the "Primary"). Without
that, if I put pam_ldap in the additional section and it returns an
error (even if it is being ignored) I get an error message on login for
non-LDAP accounts:

# su -s /bin/sh - backup
su: Permission denied
(Ignored)
$

I now have this pam_ldap line in the "Additional" section
in /etc/pam.d/common-account:

account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000

The error code from pam_ldap is ignored for the calculation of the
result of the stack but the last error code is still returned to the
application.

A better solution IMHO is to not differentiate between the "Primary" and
"Additional" sections for account (see #583492 for that) but this at
least will allow me to move pam_ldap to additional.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.34-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-runtime depends on:
ii  debconf                       1.5.32     Debian configuration management sy
ii  libpam-modules                1.1.1-3    Pluggable Authentication Modules f

libpam-runtime recommends no packages.

libpam-runtime suggests no packages.

-- debconf information:
  libpam-runtime/override: false
  libpam-runtime/conflicts:
  libpam-runtime/no_profiles_chosen:
* libpam-runtime/profiles: unix, ldap, gnome-keyring, consolekit
  libpam-runtime/you-had-no-auth:

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --



--- End Message ---
--- Begin Message ---
On Fri, 2010-06-18 at 13:37 -0700, Steve Langasek wrote:
> Are you sure about this?  That's not how libpam is defined to handle
> 'ignore', and if that's really happening, that's a bug in libpam - not in
> libpam-runtime.  Can I see your full /etc/pam.d/common-account for this
> setup, and can you show me debugging output showing that pam_ldap is
> returning the expected value?

Oops, while double-checking my common-account file it seems that while
debugging I commented out the default pam_deny after the primary block.

Sorry for the noise.

-- 
-- arthur - [email protected] - http://people.debian.org/~adejong --



--- End Message ---
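As an added illustration (not part of the bug report, of libpam, or of libpam-runtime), the following simulates libpam's [value=action] evaluation from pam.conf(5) over a constructed common-account that pairs Debian's primary block with the reporter's pam_ldap line from the first message, and then applies the follow-up's finding by commenting out the pam_deny after the primary block. The module return values, the file contents and the outcome() helper are constructed for the demonstration; they show that without pam_deny the stack fails open for an account pam_unix does not know.

```python
import re
# Keyword controls as their [value=action] equivalents from pam.conf(5).
KEYWORDS = {"required":  "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
            "requisite": "[success=ok new_authtok_reqd=ok ignore=ignore default=die]"}
LINE = re.compile(r"^account\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse_stack(text):
    """[(actions, module)] for each account line; '#' comments and blanks are skipped."""
    stack = []
    for m in filter(None, (LINE.match(raw.strip()) for raw in text.splitlines())):
        control = KEYWORDS.get(m.group(1), m.group(1))
        stack.append((dict(kv.split("=", 1) for kv in control.strip("[]").split()), m.group(2)))
    return stack

def run_stack(stack, results):
    """Evaluate with libpam's action semantics; results maps module -> PAM return value."""
    status, failed, i = None, False, 0
    while i < len(stack):
        actions, module = stack[i]
        ret = results.get(module, "ignore")
        action = actions.get(ret, actions.get("default", "bad"))
        if action in ("bad", "die"):        # first failure fixes the stack's result
            if not failed:
                status, failed = ret, True
            if action == "die":
                break
        elif action == "ok" or action == "done" or action.isdigit():
            if not failed:                  # ok/done/N override only a non-failed state
                status = ret
            if action == "done":
                break
            i += int(action) if action.isdigit() else 0   # N: skip the next N modules
        i += 1                              # 'ignore' (and unused 'reset') fall through
    return status if status is not None else "perm_denied"   # undecided stack denies

# Constructed common-account: Debian's primary block, then the reporter's pam_ldap line.
COMMON_ACCOUNT = """\
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
"""
# Constructed module results: a local account, and one that neither backend knows.
LOCAL_USER = {"pam_unix.so": "success", "pam_deny.so": "perm_denied",
              "pam_permit.so": "success", "pam_ldap.so": "user_unknown"}
UNKNOWN_USER = dict(LOCAL_USER, **{"pam_unix.so": "user_unknown"})

def outcome(results, with_deny=True):
    # Result with pam_deny in place, or with its line commented out as in the follow-up.
    text = COMMON_ACCOUNT if with_deny else COMMON_ACCOUNT.replace("account requisite", "#account requisite")
    return run_stack(parse_stack(text), results)
```

With pam_deny present an account unknown to pam_unix is denied by the requisite pam_deny; with that line commented out, pam_unix's ignore falls through to pam_permit and the stack returns success, which is why the generated primary block must keep its deny line.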