--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libpam-unix2: Authentication always fails if uidNumber=0 and the user is in LDAP
- From: Helge Hafting <helgehaf@aitel.hist.no>
- Date: Wed, 29 Mar 2006 14:23:50 +0200
- Message-id: <20060329122350.30091.81600.reportbug@hh.aitel.hist.no>
Package: libpam-unix2
Version: 1.25-1
Severity: important
I have a strange problem with pam_unix2. I have looked at the documentation
and searched Google, but I can't figure out what's wrong.
I am setting up a server where I use ldap for authentication.
The root account is not in ldap, so it will be possible to log in
even if I get trouble with the ldap server.
I also need a uid=0 account available in ldap though,
samba needs this.
And this is the problem. I can log in as any
ldap user - except the one with uidNumber=0. That user is named
Administrator.
I believe there is nothing wrong with the Administrator account,
if I change its uidNumber to something else - such as 1, then
logging in (using "login" or "su") works. Change the
uidNumber back to 0 - and suddenly the password is invalid. Very
strange.
Also, this cannot be a case of /etc/securetty or other protection against
privileged users, for I can log in as "root" with no problems
at all. But "root" exists in /etc/passwd, so "root" doesn't have
the extra sambaAccount fields that samba needs. That is only available
in ldap, but logging in with uidNumber=0 using ldap is impossible.
I tried removing the normal root account, to see if the problem
had something to do with duplicate users. This did not help at all.
Am I missing something, is there a trivial config option that makes
this work? Or have I found a bug?
Some auth.log traces:
"su root" from a user account succeeds:
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:53:44 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_acct_mgmt() called
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: expire() returned with 0
Mar 26 12:53:46 buanserver su[11663]: Successful su for root by helge
Mar 26 12:53:46 buanserver su[11663]: + pts/2 helge:root
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred() called
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: username=[root]
Mar 26 12:53:46 buanserver su[11663]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
"su Administrator" from a user account rejected (I used the correct passwd)
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: username=[Administrator]
Mar 26 12:54:30 buanserver su[11672]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 12:54:30 buanserver su[11672]: pam_authenticate: Authentication failure
Mar 26 12:54:30 buanserver su[11672]: FAILED su for Administrator by helge
Mar 26 12:54:30 buanserver su[11672]: - pts/2 helge:Administrator
"su Administrator" from a user account works when Administrator is
modified to use a uidNumber other than 0:
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: pam_sm_authenticate() called
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:55 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 0
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_acct_mgmt() called
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_acct_mgmt() returned 0
Mar 26 12:30:56 buanserver su[11603]: Successful su for Administrator by joe
Mar 26 12:30:56 buanserver su[11603]: + pts/0 joe:Administrator
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred() called
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_setcred() returned 0
Mar 26 12:30:56 buanserver su[11603]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
Deliberately using a wrong password for "Administrator" when the uid is not 0:
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: username=[Administrator]
Mar 26 13:27:13 buanserver su[11780]: pam_ldap: error trying to bind as user "uid=Administrator,ou=People,dc=buan" (Invalid credentials)
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 7
Mar 26 13:27:13 buanserver su[11780]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 13:27:13 buanserver su[11780]: pam_authenticate: Authentication failure
Mar 26 13:27:13 buanserver su[11780]: FAILED su for Administrator by helge
Mar 26 13:27:13 buanserver su[11780]: - pts/5 helge:Administrator
Here we see that the wrong password was rejected by ldap.
Now, let's change the Administrator uid back to 0 and try a wrong
password:
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: pam_sm_authenticate() called
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: username=[Administrator]
Mar 26 13:31:28 buanserver su[11792]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 13:31:28 buanserver su[11792]: pam_authenticate: Authentication failure
Mar 26 13:31:28 buanserver su[11792]: FAILED su for Administrator by helge
Mar 26 13:31:29 buanserver su[11792]: - pts/5 helge:Administrator
Hmm - ldap was not consulted at all. This is exactly the same kind
of log I get with a wrong password for "root".
Let me guess:
pam_unix2 looks up the uid for Administrator, and sees that it is 0.
And then pam_unix2.so decides that there is no need to consult ldap
when the uid=0 ???
A wrong assumption that uid=0 can only exist in /etc/passwd ???
This is a regression, this used to work a couple of years ago.
Helge Hafting
-- System Information:
Debian Release: testing/unstable
APT prefers testing
APT policy: (900, 'testing'), (800, 'unstable'), (800, 'stable'), (700, 'experimental')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.16-mm2
Locale: LANG=nb_NO.UTF-8, LC_CTYPE=nb_NO.UTF-8 (charmap=UTF-8)
Versions of packages libpam-unix2 depends on:
ii libc6 2.3.6-3 GNU C Library: Shared libraries an
ii libpam0g 0.79-3.1 Pluggable Authentication Modules l
ii libxcrypt1 2.3-1 Crypt library for DES, MD5, and bl
libpam-unix2 recommends no packages.
-- no debconf information
--- End Message ---
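As an added illustration (not part of the bug report), a small Python filter that applies the reporter's own diagnostic to auth.log: it groups the su lines by PID and flags failed attempts for which no pam_ldap line was ever logged, which is exactly how the uidNumber=0 traces above differ from the uidNumber=1 traces. The sample lines are constructed from the traces quoted in the report; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed from the su[pid] traces quoted in the report above (three sessions).
SAMPLE_LOG = """\
Mar 26 12:54:26 buanserver su[11672]: pam_unix2: username=[Administrator]
Mar 26 12:54:30 buanserver su[11672]: pam_unix2: wrong password, return PAM_AUTH_ERR
Mar 26 12:54:30 buanserver su[11672]: FAILED su for Administrator by helge
Mar 26 12:30:49 buanserver su[11603]: pam_unix2: username=[Administrator]
Mar 26 12:30:55 buanserver su[11603]: pam_unix2: pam_ldap/pam_sm_authenticate() returned 0
Mar 26 12:30:56 buanserver su[11603]: Successful su for Administrator by joe
Mar 26 13:27:09 buanserver su[11780]: pam_unix2: username=[Administrator]
Mar 26 13:27:13 buanserver su[11780]: pam_ldap: error trying to bind as user "uid=Administrator,ou=People,dc=buan" (Invalid credentials)
Mar 26 13:27:13 buanserver su[11780]: FAILED su for Administrator by helge
"""

# syslog prefix as in the report: "Mon DD HH:MM:SS host su[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ su\[(\d+)\]: (.*)$")
USER_RE = re.compile(r"pam_unix2: username=\[([^\]]*)\]")

@dataclass
class SuSession:
    pid: str
    user: str = "?"
    ldap_consulted: bool = False  # any pam_ldap line seen for this pid
    outcome: str = "unknown"      # "success", "failed" or "unknown"

def parse_su_sessions(log_text):
    """Group su lines by pid and note whether pam_ldap took part in each."""
    sessions = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions.setdefault(pid, SuSession(pid))
        if u := USER_RE.search(msg):
            s.user = u.group(1)
        if "pam_ldap" in msg:
            s.ldap_consulted = True
        if msg.startswith("Successful su for"):
            s.outcome = "success"
        elif msg.startswith("FAILED su for"):
            s.outcome = "failed"
    return list(sessions.values())

def local_only_failures(sessions):
    """Failed su attempts for which LDAP was never consulted (the reported symptom)."""
    return [s for s in sessions if s.outcome == "failed" and not s.ldap_consulted]
```

On a real log, a local-only failure for an account that exists only in LDAP is the signature to look for; a failure that shows a pam_ldap bind error was rejected by the directory itself.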