Re: libnss-ldap breaks gdm and screen saver?
>>>>> "Sam" == Sam Hartman <hartmans@mit.edu> writes:
>>>>> "Brian" == Brian May <bam@debian.org> writes:
>>>>> "Matt" == Matt Zimmerman <mdz@debian.org> writes:
Matt> A quick look at the source will show that that is not true.
Matt> Both gdm and xscreensaver use PAM (you said so about
Matt> xscreensaver yourself). If non-PAM programs work OK, the
Matt> problem probably has something to do with PAM. Check
Brian> No, this is a problem with NSS support, not PAM support.
Sam> What credentials are you using to bind to openldap? Are you
Sam> using GSSAPI SASL? If so you may not be able to read the
Sam> keytab as non-root.
No. I am not using openldap for authentication, only UID information.
I tried using pam_unix.so, so I would be doing everything using the
standard shadow system. Instead of finding user information in
/etc/passwd, it is found in LDAP. Passwords are found in /etc/shadow.
gdm doesn't work. login does. ssh works. telnet works. xscreensaver
now works too (although it didn't last time I tested it).
The change?
Before (everything works):
[503] [snoopy:bam] ~ >grep bam /etc/passwd
bam:x:1003:100:Brian May,N/A,E-Mail,E-Mail:/home/bam:/usr/bin/zsh
After (breaks gdm):
[503] [snoopy:bam] ~ >grep bam /etc/passwd
(returns nothing)
The NSS functions work fine, as they use the LDAP database:
[501] [snoopy:bam] ~ >perl -e 'print join("-",getpwnam("bam")),"\n";'
bam-x-1003-100---Brian May,N/A,E-Mail,E-Mail-/home/bam-/usr/bin/zsh
[502] [snoopy:bam] ~ >perl -e 'print join("-",getpwuid(1003)),"\n";'
bam-x-1003-100---Brian May,N/A,E-Mail,E-Mail-/home/bam-/usr/bin/zsh
(getpwent works fine too, but not shown here)
however, my conclusion that gdm directly accesses /etc/passwd seems
to be wrong:
snoopy:~# strings /usr/bin/gdm* | grep -E "passwd|getpw"
getpwuid
getpwnam
gdm_slave_session_start: User passed authentication but getpwnam(%s) failed. Spooky!
getpwent
---- pam_unix.so ----
After using pam_unix.so, I get the following error in /etc/auth.log:
snoopy PAM_unix[25147]: check pass; user unknown
snoopy PAM_unix[25147]: authentication failure; (uid=0) -> **unknown** for gdm s
snoopy gdm[25147]: Couldn't authenticate bam
(uid==0 unknown????? I was logging in with user="bam", and
[504] [snoopy:bam] ~ >grep root /etc/passwd
root:x:0:0:root:/root:/bin/bash
is in /etc/passwd anyway)
Is it ok to assume that pam_unix.so does not directly access
/etc/passwd and/or NIS despite these suspicious strings embedded in
the library?
snoopy:~# strings /lib/security/pam_unix.so | grep -E "passwd|getpw"
_unix_blankpasswd
getpwnam
fgetpwent
xdr_yppasswd
xdr_xpasswd
could not identify user (from getpwnam(%s))
passwd.byname
yppasswdd not running on NIS master host
yppasswd daemon running on illegal port.
/etc/security/opasswd
/etc/security/nopasswd
/etc/npasswd
/etc/passwd
I am currently downloading libpam-doc, so I will see if that
offers any clues.
---- pam_krb5.so ----
However, pam_krb5.so looks OK:
snoopy:~# strings /lib/security/pam_krb5.so | grep -E "passwd|getpw"
getpwnam
getpwnam()
and it had similar problems (only with gdm; login works fine).
--- final notes ----
(note: I have not been able to reproduce the problem again with
xscreensaver).
--
Brian May <bam@debian.org>
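A small C diagnostic, added here as an example and not part of the thread, that separates the two lookup paths the thread is arguing about: getpwnam() through NSS (which follows /etc/nsswitch.conf and so can be answered by libnss-ldap) versus a direct scan of a passwd-format file with fgetpwent(), the kind of access the strings in pam_unix.so hint at. The sample passwd entries are constructed from the lines quoted above, and the /tmp path used for them is an assumption.

```c
#define _DEFAULT_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Which lookup path found the account. */
enum where { FOUND_NOWHERE = 0, FOUND_NSS = 1, FOUND_FILE = 2, FOUND_BOTH = 3 };

/* Write a constructed passwd-format file (entries modelled on the thread;
 * not a real system file) so the direct-file path can be exercised offline. */
int write_sample_passwd(const char *path) {
    FILE *fp = fopen(path, "w");
    if (!fp) return -1;
    fputs("root:x:0:0:root:/root:/bin/bash\n", fp);
    fputs("bam:x:1003:100:Brian May,N/A,E-Mail,E-Mail:/home/bam:/usr/bin/zsh\n", fp);
    return fclose(fp);
}

/* Scan a passwd-format file directly with fgetpwent(), bypassing NSS entirely.
 * Returns the uid, or -1 when the name is not in that file. */
long uid_in_file(const char *path, const char *name) {
    FILE *fp = fopen(path, "r");
    if (!fp) return -1;
    long uid = -1;
    struct passwd *pw;
    while ((pw = fgetpwent(fp)) != NULL) {
        if (strcmp(pw->pw_name, name) == 0) { uid = (long)pw->pw_uid; break; }
    }
    fclose(fp);
    return uid;
}

/* Resolve the same name through NSS (getpwnam() follows /etc/nsswitch.conf,
 * so with libnss-ldap it can be answered from LDAP) and through the flat
 * file, and report which of the two paths knows the user. A "NSS only"
 * result is exactly the situation in the thread: LDAP knows the user,
 * /etc/passwd does not, and anything reading the file directly fails. */
enum where classify_user(const char *name, const char *passwd_path) {
    int via_nss  = getpwnam(name) != NULL;
    int via_file = uid_in_file(passwd_path, name) >= 0;
    return (enum where)((via_nss ? FOUND_NSS : 0) | (via_file ? FOUND_FILE : 0));
}

int main(int argc, char **argv) {
    const char *name = argc > 1 ? argv[1] : "root";
    static const char *label[] = { "nowhere", "NSS only", "file only", "NSS and file" };
    printf("%s: found %s\n", name, label[classify_user(name, "/etc/passwd")]);
    return 0;
}
```

Run it as `./a.out bam` on the affected host: "NSS only" confirms the getpwnam path works while the flat file is empty for that user, so any failing component is the one not going through NSS.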