[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-11 Thread Steve Langasek
I think there's enough information here to show that this is a
configuration error rather than a bug in the libpam-krb5 package;
closing out the report.

** Changed in: libpam-krb5 (Ubuntu)
   Status: New => Invalid

-- 
libpam-krb5 default configuration does not allow login for LDAP users
https://bugs.launchpad.net/bugs/411249
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs


[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Caleb
Hi Philipp,

I've done some experimenting, and this problem does indeed seem to be
related to LDAP access permissions. Thanks for the tip!

I don't want to use LDAP for authentication if I don't have to, but I do
intend to encrypt connections to the directory once I get this worked
out.

Cheers,
-Caleb


Re: [Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Russ Allbery
Philipp Kaluza  writes:

>   Depending on your exact Kerberos configuration, if your kerberos
>   passwords are stored in the LDAP server anyhow, you might want to
>   consider pam_ldap for password updates. If you do, make sure TLS or
>   SSL works correctly between the user-facing hosts and the LDAP server.

I feel obligated to say that I would be extremely uncomfortable running
this configuration as opposed to using the Kerberos password change
protocol.  I don't believe there is any advantage to doing it this way and
quite a few disadvantages around making sure that this mechanism is and
stays sufficiently secure.

If you're using Kerberos plus LDAP for nsswitch information, you shouldn't
need to install or use an LDAP PAM module.  You should also never do
authentication via LDAP if you can avoid it; it destroys some of the
security advantages that Kerberos offers.

-- 
Russ Allbery (r...@debian.org)   


[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Philipp Kaluza
In your setup, the shadow information is interpreted by pam_unix (not 
pam_ldap), but, assuming you have no local user, still comes from LDAP (via 
nss_ldap). Please check if your user has the auxiliary objectclass 
shadowAccount configured, and check the associated attributes (specifically 
shadowLastChange, shadowMax and shadowExpire).

If I had to venture a guess I would say that changing the password via 
kerberos works correctly, but then libnss-ldap does not have enough permissions 
to update shadowLastChange, which fails silently, but causes pam_unix to prompt 
for another password update. Depending on your exact Kerberos configuration, if 
your kerberos passwords are stored in the LDAP server anyhow, you might want to 
consider pam_ldap for password updates. If you do, make sure TLS or SSL works 
correctly between the user-facing hosts and the LDAP server.


Re: [Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Russ Allbery
Caleb  writes:

> Thanks for the info. I tried the first configuration you mention, with
> the default account configuration:
>
>   password sufficient pam_krb5.so minimum_uid=1000
>   password required pam_unix.so nullok obscure min=4 max=8 md5
>
> This allows me to login, but prompts me to change my password every time
> I do so. Here's what comes up in my /var/log/auth.log:

That's unrelated to the password stack.

> Aug 10 12:30:46  su[12545]: pam_unix(su:account): expired
> password for user  (password aged)

You need to figure out why the nsswitch configuration for your system is
claiming that the password for that account is expired.

-- 
Russ Allbery (r...@debian.org)   


[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Caleb
Hi Russ,

Thanks for the info. I tried the first configuration you mention, with
the default account configuration:

  password sufficient pam_krb5.so minimum_uid=1000
  password required pam_unix.so nullok obscure min=4 max=8 md5

This allows me to login, but prompts me to change my password every time
I do so. Here's what comes up in my /var/log/auth.log:

Aug 10 12:30:46  su[12545]: pam_unix(su:account): expired password for 
user  (password aged)
Aug 10 12:30:53  su[12545]: Successful su for  by 

Here's my nsswitch.conf file. Is this configuration incorrect?

$ cat /etc/nsswitch.conf 
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: compat ldap
group:  compat ldap
shadow: compat ldap

hosts:  dns files mdns4_minimal [NOTFOUND=return] mdns4
networks:   files

protocols:  db files
services:   db files
ethers: db files
rpc:        db files

netgroup:   nis


Re: [Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Russ Allbery
Caleb  writes:

> I believe I may have been unclear:  doesn't exist on the local
> system. The account information for  exists *only* in the LDAP
> directory. Therefore, I do not know of any way to fix the unix password
> entry, since it does not exist.

pam_unix should be perfectly fine with a user that exists only in the LDAP
directory if your nsswitch is set up correctly.  I'm not sure why it's
rejecting those accounts.

It looks like the similar case at Stanford uses a bizarre PAM
configuration for the account stack that I don't understand, though, so I
can't give you a working example.

-- 
Russ Allbery (r...@debian.org)   


Re: [Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Russ Allbery
Steve Langasek  writes:

> The use of the 'try_first_pass' argument appears to be reasonable (I'm
> not sure why this isn't part of the recommended default usage of
> pam_krb5 - Russ?),

The example shows both try_first_pass and use_authtok for password, which
is nonsensical.  use_authtok is strictly stronger than try_first_pass in
all respects.  You'll get a warning logged about ignoring try_first_pass
if you use that configuration.

> but doesn't account for why the password change failed in your case
> since pam_krb5 should be the *first* module listed in the password
> stack.

pam_krb5 recommends three possibilities for how to configure the password
stack, depending on how you want to maintain your passwords:

  If your users should normally all use Kerberos passwords exclusively,
  putting something like:

  password sufficient pam_krb5.so minimum_uid=1000
  password required   pam_unix.so nullok obscure min=4 max=8 md5

  in /etc/pam.d/common-password will change users' passwords in Kerberos
  by default and then only fall back on Unix if that doesn't work.  (You
  can make this tighter by using the more complex new-style PAM
  configuration.)  If you instead want to synchronize local and Kerberos
  passwords and change them both at the same time, you can do something
  like:

  password required   pam_unix.so nullok obscure min=4 max=8 md5
  password required   pam_krb5.so use_authtok minimum_uid=1000

  If you have multiple environments that you want to synchronize and you
  don't want password changes to continue if the Kerberos password change
  fails, use the clear_on_fail option.  For example:

  password required   pam_krb5.so clear_on_fail minimum_uid=1000
  password required   pam_unix.so use_authtok obscure md5
  password required   pam_smbpass.so use_authtok

  In this case, if pam_krb5 cannot change the password (due to password
  strength rules on the KDC, for example), it will clear the stored
  password (because of the clear_on_fail option), and since pam_unix and
  pam_smbpass are both configured with use_authtok, they will both fail.
  clear_on_fail is not the default because it would interfere with the
  more common pattern of falling back to local passwords if the user
  doesn't exist in Kerberos.

I don't think there's any way of capturing all of the complexities in the
pam-auth-update system.  I suppose pam-krb5 could provide multiple
different profiles, but I think it would be confusing.

I suppose the first example could usefully use try_first_pass for the
pam_unix (and I should probably get rid of the min/max settings anyway,
particularly the max setting which is completely wrong).  I'll fix the
documentation in the next release.

-- 
Russ Allbery (r...@debian.org)   


[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Caleb
Thanks for your attention and prompt response.

I believe I may have been unclear:  doesn't exist on the local
system. The account information for  exists *only* in the LDAP
directory. Therefore, I do not know of any way to fix the unix password
entry, since it does not exist.

The pam_krb5 module is indeed listed first in the *password* stack under
the default configuration, but it is listed *last* in the *account*
stack, and I believe this is what causes the problem. Here's my
/etc/pam.d/common-account in the default configuration:

#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore]      pam_unix.so 
# here's the fallback if no module succeeds
account requisite   pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required                        pam_krb5.so minimum_uid=1000
# end of pam-auth-update config

Moving the krb5 module to the head of the account stack is what fixes my
issue.

I believe the try_first_pass is optional (leftovers from debugging
attempts) when the krb5 module is at the head of the account stack.

For your convenience, I've attached a diff between my customised krb5
pam-auth-update config file and the default one.

I believe there may be a preferable alternative to using the
"sufficient" keyword, probably using [success=x] arguments, but I
haven't yet figured that out.

Many thanks,
-Caleb

** Attachment added: "krb5.diff"
   http://launchpadlibrarian.net/30117983/krb5.diff
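
The following is an added example, not code from this thread or from the pam or libpam-krb5 projects. It is a small model of how libpam walks a stack (required, requisite, sufficient, optional and the `[value=action]` form from pam.conf(5)) and replays two stacks from the discussion above: the default common-account stack pasted by Caleb, with pam_unix reporting the LDAP shadow entry as aged, and the clear_on_fail password stack from Russ Allbery's message. Assumptions: the dispatch rules are simplified (a `success=N` jump records no result, which is why the stack needs pam_permit; unlisted return values in a bracketed control count as failures), Caleb's workaround is assumed to be pam_krb5 as `sufficient` ahead of the default block, and the module behaviours (a KDC rejecting a password, use_authtok failing when no stored token is left) are injected rather than real. Nothing here talks to a KDC or an LDAP server.

```python
"""Toy model of Linux-PAM stack dispatch (added example; simplified, see lead-in)."""
from typing import Callable, Dict, List, Optional, Tuple, Union

SUCCESS, IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"     # what pam_unix(account) logs as "password aged"
PERM_DENIED, AUTHTOK_ERR = "PAM_PERM_DENIED", "PAM_AUTHTOK_ERR"

# Keyword controls written as the equivalent [value=action] tables from pam.conf(5).
KEYWORDS = {
    "required":   {SUCCESS: "ok",   NEW_AUTHTOK_REQD: "ok",   "default": "bad"},
    "requisite":  {SUCCESS: "ok",   NEW_AUTHTOK_REQD: "ok",   "default": "die"},
    "sufficient": {SUCCESS: "done", NEW_AUTHTOK_REQD: "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   NEW_AUTHTOK_REQD: "ok",   "default": "ignore"},
}

def parse_control(control: str) -> Dict[str, str]:
    """'required' or '[success=1 new_authtok_reqd=done default=ignore]' -> action table."""
    if not control.startswith("["):
        return dict(KEYWORDS[control])
    table = {"default": "bad"}            # assumption: unlisted values are treated as failures
    for item in control.strip("[]").split():
        value, action = item.split("=", 1)
        table["default" if value == "default" else "PAM_" + value.upper()] = action
    return table

# A module's behaviour is a fixed return value or a function of shared state
# (the password stack needs state: whether a new token is still stored).
Behaviour = Union[str, Callable[[dict], str]]
FIXED: Dict[str, Behaviour] = {"pam_deny.so": PERM_DENIED, "pam_permit.so": SUCCESS}

def run_stack(stack: List[Tuple[str, str]], behaviour: Dict[str, Behaviour],
              state: Optional[dict] = None) -> Tuple[str, List[str]]:
    """Dispatch (control, module) lines; return (final status, modules actually invoked)."""
    state = {} if state is None else state
    impression, status, invoked = None, SUCCESS, []   # None: nothing recorded yet
    i = 0
    while i < len(stack):
        control, module = stack[i]
        i += 1
        name = module.split()[0]
        b = FIXED.get(name, behaviour.get(name, PERM_DENIED))
        retval = b(state) if callable(b) else b
        invoked.append(name)
        table = parse_control(control)
        action = table.get(retval, table["default"])
        if action.isdigit():               # success=N: skip N modules, record nothing
            i += int(action)
        elif action in ("ok", "done"):     # may only override an undefined or SUCCESS result
            if impression is None or (impression and status == SUCCESS):
                impression, status = True, retval
            if action == "done" and impression:
                break                      # "done" only ends the stack on a positive result
        elif action in ("bad", "die"):     # the first failure wins and is never overridden
            if impression is not False:
                impression, status = False, retval
            if action == "die":
                break
    return (status if impression is not None else PERM_DENIED), invoked

# /etc/pam.d/common-account as pasted above: pam_krb5 last, in the "Additional" block.
DEFAULT_ACCOUNT = [
    ("[success=1 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
    ("required", "pam_krb5.so minimum_uid=1000"),
]
# Assumed reconstruction of the workaround: pam_krb5 as 'sufficient' ahead of the block.
KRB5_FIRST_ACCOUNT = [("sufficient", "pam_krb5.so minimum_uid=1000")] + DEFAULT_ACCOUNT

def aged_shadow_login(stack):
    """The LDAP shadow entry says the password is aged; the KDC is happy with the user."""
    return run_stack(stack, {"pam_unix.so": NEW_AUTHTOK_REQD, "pam_krb5.so": SUCCESS})

# Russ Allbery's clear_on_fail password stack, with assumed module behaviour.
CLEAR_ON_FAIL_PASSWORD = [
    ("required", "pam_krb5.so clear_on_fail minimum_uid=1000"),
    ("required", "pam_unix.so use_authtok obscure md5"),
    ("required", "pam_smbpass.so use_authtok"),
]

def change_password(new_password: str, kdc_accepts: bool, clear_on_fail: bool = True):
    """Return (stack status, backends that actually stored the new password)."""
    state = {"authtok": new_password, "changed": []}
    def krb5(s):
        if kdc_accepts:
            s["changed"].append("kerberos")
            return SUCCESS
        if clear_on_fail:                  # drop the stored token so use_authtok modules fail
            s["authtok"] = None
        return AUTHTOK_ERR
    def backend(label):                    # a use_authtok module: needs the stored token
        def module(s):
            if not s["authtok"]:
                return AUTHTOK_ERR
            s["changed"].append(label)
            return SUCCESS
        return module
    status, _ = run_stack(CLEAR_ON_FAIL_PASSWORD, {"pam_krb5.so": krb5,
                          "pam_unix.so": backend("unix"), "pam_smbpass.so": backend("samba")}, state)
    return status, state["changed"]

if __name__ == "__main__":
    print("default account stack, aged shadow entry:", aged_shadow_login(DEFAULT_ACCOUNT))
    print("pam_krb5 sufficient first, aged shadow entry:", aged_shadow_login(KRB5_FIRST_ACCOUNT))
    print("KDC rejects, clear_on_fail off:", change_password("pw", False, clear_on_fail=False))
```

Replaying the default stack with an aged shadow entry returns PAM_NEW_AUTHTOK_REQD after pam_unix alone, so pam_krb5 never gets a say and the application asks for a password change on every login, which is what the auth.log line shows; putting pam_krb5 first as `sufficient` makes the stack succeed without ever consulting pam_unix, which is the objection that the default is designed to pass both checks. In the password stack, turning clear_on_fail off shows the out-of-sync case Russ describes: the stack as a whole still fails, but the Unix and Samba stores have already taken the new password.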


[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-10 Thread Steve Langasek
Thank you for taking the time to report this bug and help to improve
Ubuntu.

The provided file is incorrect and will not be applied.  It is by design
that users must pass both the pam_unix and pam_krb5 checks in order to
be authorized; the straightforward fix for your problem is to fix your
unix password entry so that the password is not expired.

The use of the 'try_first_pass' argument appears to be reasonable (I'm
not sure why this isn't part of the recommended default usage of
pam_krb5 - Russ?), but doesn't account for why the password change
failed in your case since pam_krb5 should be the *first* module listed
in the password stack.


[Bug 411249] Re: libpam-krb5 default configuration does not allow login for LDAP users

2009-08-09 Thread Caleb

** Attachment added: "krb5"
   http://launchpadlibrarian.net/30096923/krb5
