Dear all,

I am trying to set up pgsql-authentication on an etch machine and even though I have plenty of experience setting up pgsql and ldap for PAM/nss, this time I am hopeless and close to throwing the damned machine out the window. Configuration details are below.

As you can see from the following command, nss seems to work fine for root as well as compat ("/etc/passwd") users, of which 'nobody' is one:

  master:~# getent passwd | wc -l
  27
  master:~# su -c 'getent passwd' nobody | wc -l
  27
  master:~# getent group | wc -l
  51
  master:~# su -c 'getent group' nobody | wc -l
  51
  master:~# ls -l /home
  drwx------ 2 krafft clusteradmins 4096 2007-05-18 12:48 krafft
  master:~# su -c 'ls -l /home' nobody
  drwx------ 2 krafft clusteradmins 4096 2007-05-18 12:48 krafft

krafft and clusteradmins are defined in pgsql and nowhere in /etc/passwd or /etc/group.

  master:~# getent passwd krafft
  krafft:x:30000:30000::/home/krafft:/bin/zsh
  master:~# getent group clusteradmins
  clusteradmins::30000:

It does not work when I su to 'krafft', which is an account defined in pgsql. Read on.

So far, so good. Authentication also seems to work, or at least a session is created:

  master:~# su krafft

yields:

  master su[11068]: Successful su for krafft by root
  master su[11068]: + pts/3 root:krafft
  master su[11068]: (pam_unix) session opened for user krafft by (uid=0)

However, it does not yield a shell (which is /bin/zsh) and instead just hangs forever (strace follows further down).

su -s /bin/ls krafft works, so I hacked up /bin/testshell, and it turns out that commands like ls -l /home and getent passwd do *not* work for the pgsql-defined user krafft, but they work fine for root and nobody. This squares with the above su -c not working either for those users.

Thus, I decided to run a getent passwd with strace as user 'krafft' (see attachment). To make a long story short, the command hangs on

  [...]
  geteuid32() = 30000
  open("/etc/passwd", O_RDONLY) = 4
  fcntl64(4, F_GETFD) = 0
  fcntl64(4, F_SETFD, FD_CLOEXEC) = 0
  _llseek(4, 0, [0], SEEK_CUR) = 0
  fstat64(4, {st_mode=S_IFREG|0644, st_size=1094, ...}) = 0
  mmap2(NULL, 1094, PROT_READ, MAP_SHARED, 4, 0) = 0xb7f23000
  _llseek(4, 1094, [1094], SEEK_SET) = 0
  fstat64(4, {st_mode=S_IFREG|0644, st_size=1094, ...}) = 0
  munmap(0xb7f23000, 1094) = 0
  close(4) = 0
  futex(0xb7c57904, FUTEX_WAIT, 2, NULL

Does anyone have any clue as to what's going on? And please don't tell me this is some sort of chicken-egg problem where user 'krafft' cannot use the postgres database until the account is known to the system because then I'll scream and file a grave bug against libnss-pgsql for being utterly useless.

Here are the configuration details, only showing the relevant and changed lines:

==> /etc/nsswitch.conf <==
# /etc/nsswitch.conf
passwd: compat pgsql
group: compat pgsql
shadow: compat
[...]

==> /etc/nss-pgsql.conf <==
host = 127.0.0.1
port = 5432
database = users
login = nss
passwd = foobar
passwdtable = accounts
grouptable = groups
groupmembertable = accounts join usergroups on accounts.uid=usergroups.uid join groups on usergroups.gid=groups.gid
passwd_name = login
passwd_passwd = passwd
passwd_uid = uid
passwd_dir = homedir
passwd_shell = shell
passwd_gecos = gecos
passwd_gid = gid
group_name = name
group_passwd = passwd
group_gid = gid
group_member = login

==> /etc/pam.d/common-account <==
account sufficient pam_unix.so
account required pam_pgsql.so

==> /etc/pam.d/common-auth <==
auth sufficient pam_unix.so
auth required pam_pgsql.so use_authtok

==> /etc/pam.d/common-password <==
password sufficient pam_unix.so
password required pam_pgsql.so use_authtok

==> /etc/pam.d/common-session <==
session required pam_unix.so

==> /etc/pam_pgsql.conf <==
host = 127.0.0.1
port = 5432
user = pam
password = foobar
database = users
table = passwords
user_column = login
pwd_column = passwd
expired_column = expired
newtok_column = newtok
pw_type = crypt_md5

-- 
Please do not send copies of list mail to me; I read the list!

 .''`.   martin f. krafft <madduck@debian.org>
: :'  :  proud Debian developer, author, administrator, and user
`. `'`   http://people.debian.org/~madduck - http://debiansystem.info
  `-  Debian - when you have better things to do than fixing systems

"when elephants dance, the grass suffers."
                                                    -- die vogelpredigt
Attachment:
strace.getent.bz2
Description: Binary data
Attachment:
signature.asc
Description: Digital signature (GPG/PGP)