Re: pam_group.so
>>>>> "Sam" == Sam Hartman <hartmans@debian.org> writes:
>>>>> "Brian" == Brian May <bam@debian.org> writes:
Brian> How do I debug pam_group.so? -- Brian May <bam@debian.org>
Sam> build pam with debugging symbols. gdb login. Break on the
Sam> call to pam_authenticate. At that point you should have
Sam> pam_group loaded and should be able to break within that
Sam> module. Be sure to disable login's alarm clock to avoid
Sam> getting blown away by sigalrm.

Ok, I found one problem: the tty is tty1, not vc/1 as I originally
thought (need to update my config files for devfs sometime).

I also found you can compile PAM with -DDEBUG, touch
/tmp/pam-debug.log, and get a lot of debugging output.

I still can't work out why pam_group doesn't work from gdm though, the
log files look OK:

[pam_group.c:check_account(715)] trying to set 3 groups
[pam_group.c:check_account(718)] gid[0]=25
[pam_group.c:check_account(718)] gid[1]=29
[pam_group.c:check_account(718)] gid[2]=24
this corresponds to this code:

    if (no_grps > 0) {
        int err;
        D(("trying to set %d groups", no_grps));
    #ifdef DEBUG
        for (err=0; err<no_grps; ++err) {
            D(("gid[%d]=%d", err, grps[err]));
        }
    #endif
        if ((err = setgroups(no_grps, grps))) {
            D(("but couldn't set groups %d", err));
            _log_err("unable to set the group membership for user (err=%d)"
                     , err);
            retval = PAM_CRED_ERR;
        }
    }

but the groups are not set, nor does that error ever show up.
I suspect this might be something to do with the design of gdm,
perhaps pam_group.so is getting executed by a child process which is
not used after the user is authenticated?
If so, can such a problem get fixed?
--
Brian May <bam@debian.org>
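
Added example, not part of the original message and not PAM or gdm code: setgroups() changes the supplementary groups of the calling process only, so one way to test the child-process hypothesis above is to read the Groups: line of /proc/<pid>/status for each process involved and see which one holds the gids from the debug log. It assumes Linux procfs; parse_groups and missing_gids are hypothetical helper names.

```c
/* Added example, not from pam_group.c. Assumes Linux procfs (/proc/<pid>/status). */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Parse the "Groups:" line of status text into out[]; returns count, -1 if absent. */
int parse_groups(const char *status, gid_t *out, int max)
{
    const char *p = status;
    int n = 0;
    while (p && strncmp(p, "Groups:", 7) != 0)       /* walk line by line */
        if ((p = strchr(p, '\n'))) p++;
    if (!p) return -1;
    for (p += 7; n < max; ) {
        gid_t v = 0;
        while (*p == ' ' || *p == '\t') p++;
        if (*p < '0' || *p > '9') break;             /* end of the Groups: line */
        while (*p >= '0' && *p <= '9') v = v * 10 + (gid_t)(*p++ - '0');
        out[n++] = v;
    }
    return n;
}

/* How many of the wanted gids the process lacks; -1 if there is no Groups: line. */
int missing_gids(const char *status, const gid_t *want, int nwant)
{
    gid_t have[256];
    int n = parse_groups(status, have, 256), missing = 0;
    if (n < 0) return -1;
    for (int i = 0; i < nwant; i++) {
        int found = 0;
        for (int j = 0; j < n; j++) found |= (have[j] == want[i]);
        missing += !found;
    }
    return missing;
}

int main(int argc, char **argv)
{
    static const gid_t want[] = { 25, 29, 24 };      /* gids from the debug log */
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    int m = missing_gids(buf, want, 3);
    printf("%s: %d of 3 expected gids missing\n", path, m);
    return m != 0;
}
```

Pass a PID as the first argument to inspect that process; with no argument it inspects itself.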