Package: libpam-unix2 Version: 1.25-1 Severity: important
I have strange problem with pam_unix2. I have looked at documentation and searched google, but I can't figure out what's wrong. I am setting up a server where I use ldap for authentication. The root account is not in ldap, so it will be possible to log in even if I get trouble with the ldap server. I also need a uid=0 account available in ldap though, samba need this. And this is the problem. I can log in as any ldap user - except the one with uidNumber=0. That user is named Administrator. I believe there is nothing wrong with the Administrator account, if I change its uidNumber to soemthing else - such as 1, then logging in (using "login" or "su") works. Change the uidNumber back to 0 - and suddenly the password is invalid. Very strange. Also, this cannot be a case of /etc/securetty or other protection against privileged users, for I can log in as "root" with no problems at all. But "root" exists in /etc/passwd, so "root" doesn't have the extra sambaAccount fields that samba needs. That is only available in ldap, but logging in with uidNumber=0 using ldap is impossible. I tried removing the normal root account, to see if the problem had something to do with duplicate users. This did not help at all. Am I missing something, is there a trivial config option that makes this work? Or have I found a bug? Some auth.log traces: "su root" from a user account succeeds: Mar 26 12:53:44 buanserver su[11663]: pam_unix2: pam_sm_authenticate() called Mar 26 12:53:44 buanserver su[11663]: pam_unix2: username=[root] Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_acct_mgmt() called Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root] Mar 26 12:53:46 buanserver su[11663]: pam_unix2: expire() returned with 0 Mar 26 12:53:46 buanserver su[11663]: Successful su for root by helge Mar 26 12:53:46 buanserver su[11663]: + pts/2 helge:root Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred() called Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root] Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred: PAM_SUCCESS "su Administrator" from a user account rejected (I used the correct passwd) Mar 26 12:54:26 buanserver su[11672]: pam_unix2: pam_sm_authenticate() called Mar 26 12:54:26 buanserver su[11672]: pam_unix2: username=[Administrator] Mar 26 12:54:30 buanserver su[11672]: pam_unix2: wrong password, return PAM_AUTH_ERR Mar 26 12:54:30 buanserver su[11672]: pam_authenticate: Authentication failure Mar 26 12:54:30 buanserver su[11672]: FAILED su for Administrator by helge Mar 26 12:54:30 buanserver su[11672]: - pts/2 helge:Administrator "su Administrator" from a user account works when Administrator is modified to use a uidNumber other than 0: Mar 26 12:30:49 buanserver su[11603]: pam_unix2: pam_sm_authenticate() called Mar 26 12:30:49 buanserver su[11603]: pam_unix2: username=[Administrator] Mar 26 12:30:55 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 0 Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_acct_mgmt() called Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator] Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_acct_mgmt() returned 0 Mar 26 12:30:56 buanserver su[11603]: Successful su for Administrator by joe Mar 26 12:30:56 buanserver su[11603]: + pts/0 joe:Administrator Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred() called Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator] Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_setcred() returned 0 Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred: PAM_SUCCESS Deliberately using a wrong password for "Administrator" when the uid is not 0: Mar 26 13:27:09 buanserver su[11780]: pam_unix2: pam_sm_authenticate() called Mar 26 13:27:09 buanserver su[11780]: pam_unix2: username=[Administrator] Mar 26 13:27:13 buanserver su[11780]: pam_ldap: error trying to bind as user "uid=Administrator,ou=People,dc=buan" (Invalid credentials) Mar 26 13:27:13 buanserver su[11780]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 7 Mar 26 13:27:13 buanserver su[11780]: pam_unix2: wrong password, return PAM_AUTH_ERR Mar 26 13:27:13 buanserver su[11780]: pam_authenticate: Authentication failure Mar 26 13:27:13 buanserver su[11780]: FAILED su for Administrator by helge Mar 26 13:27:13 buanserver su[11780]: - pts/5 helge:Administrator Here we see that the wrong password was rejected by ldap Now, lets change the administrator uid back to 0 and try a wrong password: Mar 26 13:31:28 buanserver su[11792]: pam_unix2: pam_sm_authenticate() called Mar 26 13:31:28 buanserver su[11792]: pam_unix2: username=[Administrator] Mar 26 13:31:28 buanserver su[11792]: pam_unix2: wrong password, return PAM_AUTH_ERR Mar 26 13:31:28 buanserver su[11792]: pam_authenticate: Authentication failure Mar 26 13:31:28 buanserver su[11792]: FAILED su for Administrator by helge Mar 26 13:31:29 buanserver su[11792]: - pts/5 helge:Administrator Hmm - ldap was not consulted at all. This is exactly the same kind of log I get with a wrong password for "root". Let me guess: pam_unix2 looks up the uid for Administrator, and see that it is 0. And then pam_unix2.so decides that there is no need to consult ldap when the uid=0 ??? A wrong assumption that uid=0 can only exist in /etc/passwd ??? This is a regression, this used to work a couple of years ago. Helge Hafting -- System Information: Debian Release: testing/unstable APT prefers testing APT policy: (900, 'testing'), (800, 'unstable'), (800, 'stable'), (700, 'experimental') Architecture: i386 (i686) Shell: /bin/sh linked to /bin/bash Kernel: Linux 2.6.16-mm2 Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8) Versions of packages libpam-unix2 depends on: ii libc6 2.3.6-3 GNU C Library: Shared libraries an ii libpam0g 0.79-3.1 Pluggable Authentication Modules l ii libxcrypt1 2.3-1 Crypt library for DES, MD5, and bl libpam-unix2 recommends no packages. -- no debconf information -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]

