Your message dated Thu, 08 May 2014 16:44:59 +0200
with message-id <[email protected]>
and subject line Re: Bug#695962: radicale system user can't use PAM auth
has caused the Debian Bug report #695962,
regarding radicale system user can't use PAM auth
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
695962: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=695962
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: radicale
Version: 0.7-1
Severity: normal
When trying to use PAM auth, the radicale user seems not to be allowed to talk
to pam.
Errors in /var/log/auth.log :
Dec 14 21:59:42 myhost unix_chkpwd[4854]: check pass; user unknown
Dec 14 21:59:42 myhost unix_chkpwd[4854]: password check failed for user (steve)
Dec 14 21:59:42 myhost python: pam_unix(login:auth): authentication failure; logname=root uid=118 euid=118 tty= ruser= rhost= user=steve
Dec 14 21:59:42 myhost python: pam_winbind(login:auth): getting password (0x00000388)
Dec 14 21:59:42 myhost python: pam_winbind(login:auth): pam_get_item returned a password
Dec 14 21:59:42 myhost python: pam_winbind(login:auth): request wbcLogonUser failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS: NT_STATUS_NO_SUCH_USER, Error message was: No such user
The workaround is to add the radicale system user to the shadow system group.
usermod -G shadow radicale
-- System Information:
Debian Release: 6.0.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: armel (armv5tel)
Kernel: Linux 2.6.32-5-kirkwood
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages radicale depends on:
ii adduser 3.112+nmu2 add and remove users and groups
ii python 2.6.6-3+squeeze7 interactive high-level object-orie
ii python-radicale 0.3-2 simple calendar server - module
radicale recommends no packages.
Versions of packages radicale suggests:
ii apache2-utils 2.2.16-6+squeeze7 utility programs for webservers
pn courier-authdaemon <none> (no description available)
ii python-ldap 2.3.11-1 LDAP interface module for Python
ii python-pam 0.4.2-13 Python interface to the PAM librar
-- Configuration Files:
/etc/default/radicale changed:
ENABLE_RADICALE=yes
RADICALE_OPTS="--daemon"
VERBOSE=yes
/etc/radicale/config changed:
[server]
[encoding]
[acl]
type = PAM
pam_group_membership = users
[storage]
filesystem_folder = /var/lib/radicale/collections
[logging]
debug = false
-- no debconf information
--- End Message ---
--- Begin Message ---
Hi Fabien,
Quoting Fabien Michel (2012-12-14 23:13:01)
> When trying to use PAM auth, the radicale user seems not to be allowed
> to talk to pam.
> Errors in /var/log/auth.log :
>
> Dec 14 21:59:42 myhost unix_chkpwd[4854]: check pass; user unknown
> Dec 14 21:59:42 myhost unix_chkpwd[4854]: password check failed for user
> (steve)
> Dec 14 21:59:42 myhost python: pam_unix(login:auth): authentication failure;
> logname=root uid=118 euid=118 tty= ruser= rhost= user=steve
> Dec 14 21:59:42 myhost python: pam_winbind(login:auth): getting password
> (0x00000388)
> Dec 14 21:59:42 myhost python: pam_winbind(login:auth): pam_get_item returned
> a password
> Dec 14 21:59:42 myhost python: pam_winbind(login:auth): request wbcLogonUser
> failed: WBC_ERR_AUTH_ERROR, PAM error: PAM_USER_UNKNOWN (10), NTSTATUS:
> NT_STATUS_NO_SUCH_USER, Error message was: No such user
>
> The workaround is to add the radicale system user to the shadow system group.
> usermod -G shadow radicale
Please do *NOT* add any users to shadow group without fully
understanding the consequences!!!
Your reporting bugs is appreciated. This one, however, is not really a
bug, but a deliberate design of shadow passwords, which is default
backend for PAM in Debian systems.
The proper fix is to switch to a different backend than shadow passwords
when using the PAM interface, or to use (i.e. create) an alternative
interface that uses PAM only indirectly, through a carefully
security-audited tiny piece of code which is granted direct access to
the shadow files.
Indirect access to PAM could be implemented using SASL or pwauth.
Examples of non-PAM access to shadow data are imap and poppassd -
together with appropriate other pieces...
Closing as a non-bug. Thanks anyway,
- Jonas
--
* Jonas Smedegaard - idealist & Internet-arkitekt
* Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
--- End Message ---
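
A detection sketch for the failure pattern in the report above, added here as an example (not code from Radicale or Debian): it flags pam_unix authentication failures where a non-root process tried to check another account's password. The passwd entries and every log line except the first are constructed, and mapping uid 118 to radicale is an assumption based on the report.

```python
import re

# pam_unix failure line as it appears in the report's auth.log (syslog prefix ignored).
PAM_FAIL = re.compile(
    r"(?P<proc>\S+?)(?:\[\d+\])?: pam_unix\((?P<service>[^:)]+):auth\): "
    r"authentication failure;.*?\buid=\d+ euid=(?P<euid>\d+)\b"
    r".*?\buser=(?P<user>\S+)"
)

# Constructed passwd(5) entries; uid 118 = radicale is an assumption from the report.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
radicale:x:118:125::/var/lib/radicale:/bin/false
steve:x:1000:1000::/home/steve:/bin/bash
"""

# First line is the report's entry unwrapped; the remaining lines are constructed.
AUTH_LOG = """\
Dec 14 21:59:42 myhost python: pam_unix(login:auth): authentication failure; logname=root uid=118 euid=118 tty= ruser= rhost= user=steve
Dec 14 22:03:10 myhost sshd[2211]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=steve
Dec 14 22:05:31 myhost xscreensaver[3120]: pam_unix(xscreensaver:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0.0 ruser= rhost= user=steve
Dec 14 22:05:32 myhost unix_chkpwd[3121]: password check failed for user (steve)
"""

def parse_passwd(text):
    """Map uid -> account name from passwd(5)-format text."""
    names = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit():
            names[int(fields[2])] = fields[0]
    return names

def cross_user_failures(log_text, uid_names):
    """Return (process, pam_service, caller, target) for each pam_unix failure
    where a non-root caller tried to authenticate a different account."""
    hits = []
    for line in log_text.splitlines():
        m = PAM_FAIL.search(line)
        if not m:
            continue  # not a pam_unix authentication failure line
        euid = int(m["euid"])
        caller = uid_names.get(euid, "uid %d" % euid)
        # Root callers and users checking their own password are not this pattern.
        if euid != 0 and caller != m["user"]:
            hits.append((m["proc"], m["service"], caller, m["user"]))
    return hits

if __name__ == "__main__":
    for hit in cross_user_failures(AUTH_LOG, parse_passwd(PASSWD)):
        print("%s (PAM service %s): running as %s, tried to authenticate %s" % hit)
```

A hit points at a service that needs one of the indirect backends named in the reply, not at an account to add to the shadow group.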