Package: libpam-unix2
Version: 1.25-1
Severity: important

I have strange problem with pam_unix2.  I have looked at documentation
and searched google, but I can't figure out what's wrong.

I am setting up a server where I use ldap for authentication.
The root account is not in ldap, so it will be possible to log in
even if I get trouble with the ldap server.

I also need a uid=0 account available in ldap though,
samba need this.

And this is the problem.  I can log in as any
ldap user - except the one with uidNumber=0. That user is named
Administrator.

I believe there is nothing wrong with the Administrator account,
if I change its uidNumber to soemthing else - such as 1, then
logging in (using "login" or "su") works. Change the
uidNumber back to 0 - and suddenly the password is invalid. Very
strange.

Also, this cannot be a case of /etc/securetty or other protection against
privileged users, for I can log in as "root" with no problems
at all.  But "root" exists in /etc/passwd, so "root" doesn't have
the extra sambaAccount fields that samba needs.  That is only available
in ldap, but logging in with uidNumber=0 using ldap is impossible.

I tried removing the normal root account, to see if the problem
had something to do with duplicate users.  This did not help at all.

Am I missing something, is there a trivial config option that makes
this work? Or have I found a bug?

Some auth.log traces:

"su root" from a user account succeeds:
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_authenticate: 
PAM_SUCCESS
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_acct_mgmt() called
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: expire() returned with 0
Mar 26 12:53:46 buanserver su[11663]: Successful su for root by helge
Mar 26 12:53:46 buanserver su[11663]: + pts/2 helge:root
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred() called
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred: PAM_SUCCESS

"su Administrator" from a user account rejected (I used the correct passwd)
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: username=[Administrator]
Mar 26 12:54:30 buanserver su[11672]: pam_unix2: wrong password, return 
PAM_AUTH_ERR
Mar 26 12:54:30 buanserver su[11672]: pam_authenticate: Authentication failure
Mar 26 12:54:30 buanserver su[11672]: FAILED su for Administrator by helge
Mar 26 12:54:30 buanserver su[11672]: - pts/2 helge:Administrator

"su Administrator" from a user account works when Administrator is
modified to use a uidNumber other than 0:
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:55 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_authenticate() 
returned 0
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_acct_mgmt() called
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_acct_mgmt() 
returned 0
Mar 26 12:30:56 buanserver su[11603]: Successful su for Administrator by joe
Mar 26 12:30:56 buanserver su[11603]: + pts/0 joe:Administrator
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred() called
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_setcred() 
returned 0
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred: PAM_SUCCESS

Deliberately using a wrong password for "Administrator" when the uid is not 0:
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: username=[Administrator]
Mar 26 13:27:13 buanserver su[11780]: pam_ldap: error trying to bind as user 
"uid=Administrator,ou=People,dc=buan" (Invalid credentials)
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: pam_ldap/pam_sm_authenticate() 
returned 7
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: wrong password, return 
PAM_AUTH_ERR
Mar 26 13:27:13 buanserver su[11780]: pam_authenticate: Authentication failure
Mar 26 13:27:13 buanserver su[11780]: FAILED su for Administrator by helge
Mar 26 13:27:13 buanserver su[11780]: - pts/5 helge:Administrator

Here we see that the wrong password was rejected by ldap

Now, lets change the administrator uid back to 0 and try a wrong
password:
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: username=[Administrator]
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: wrong password, return 
PAM_AUTH_ERR
Mar 26 13:31:28 buanserver su[11792]: pam_authenticate: Authentication failure
Mar 26 13:31:28 buanserver su[11792]: FAILED su for Administrator by helge
Mar 26 13:31:29 buanserver su[11792]: - pts/5 helge:Administrator

Hmm - ldap was not consulted at all. This is exactly the same kind
of log I get with a wrong password for "root".

Let me guess:
pam_unix2 looks up the uid for Administrator, and see that it is 0.
And then pam_unix2.so decides that there is no need to consult ldap
when the uid=0 ???
A wrong assumption that uid=0 can only exist in /etc/passwd ??? 

This is a regression, this used to work a couple of years ago.

Helge Hafting

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (900, 'testing'), (800, 'unstable'), (800, 'stable'), (700, 
'experimental')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-mm2
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)

Versions of packages libpam-unix2 depends on:
ii  libc6                         2.3.6-3    GNU C Library: Shared libraries an
ii  libpam0g                      0.79-3.1   Pluggable Authentication Modules l
ii  libxcrypt1                    2.3-1      Crypt library for DES, MD5, and bl

libpam-unix2 recommends no packages.

-- no debconf information


-- 
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

Reply via email to