From: Alexander Bokovoy <ab@altlinux.org>
To: "ALT Linux users (in English only)" <community-en@lists.altlinux.org>
Subject: Re: [Comm-en] PAM with ALT Linux
Date: Fri, 09 Nov 2007 22:07:52 +0300
Message-ID: <4734B008.2080401@altlinux.org>
In-Reply-To: <20071109172301.GA31932@basalt.office.altlinux.org>

Dmitry V. Levin wrote:
> Hi,
>
> On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
>> I'm a developer and I have a problem with ALT Linux and PAM
>> (authentication).
>>
>> My program uses PAM. This is the PAM configuration file:
>>
>> auth required pam_unix.so nullok
>> auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
>> account required pam_unix.so
>> session required pam_unix.so
>> password required pam_unix.so
>>
>> It works very well with: Ubuntu, Mandriva, Fedora Core 6, Open Suse 10.2 ...
>>
>> And I don't understand why not with Alt Linux (installed with
>> lite-cd-20071106.iso) ?
>>
>> Have you an idea?
>
> Could you provide more details how it doesn't work, please?
> Where it fails, how it fails, credentials of process which fails,
> log message (in /var/log/auth/all) if any, etc.

Shouldn't it be related to TCB? This PAM config completely ignores the
fact that auth info in default ALT Linux installation is done through
TCB, therefore pam_tcb should be used instead of pam_unix. Below is our
system-auth-local which is included by default by other services:

#%PAM-1.0
auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account required pam_tcb.so shadow fork
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session required pam_tcb.so
session required pam_mktemp.so
session required pam_limits.so

Daniel, you'd probably need to supply an ALTLinux-customized PAM config
for your application made along these lines. Better, use the following
(not tested):

#%PAM-1.0
auth include system-auth
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account include system-auth
password include system-auth
session include system-auth

It relies on the fact that we have system-wide 'system-auth' PAM config
which does common magic (like system-auth-local above).

--
/ Alexander Bokovoy
Samba Team http://www.samba.org/
ALT Linux Team http://www.altlinux.org/
Midgard Project Ry http://www.midgard-project.org/
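
A small linter for the two pitfalls visible in this message, added here as an illustration (not code from the thread or from ALT Linux): it flags service-file rules that hardcode a password-store module instead of including system-auth, and argument lines that mail line-wrapping has detached from their module. The `BACKEND_MODULES` set, the function names and the backslash continuation in `PORTABLE` are assumptions of this example, and the parser is a simplified model of the PAM file syntax.

```python
import re

# Simplified grammar of one service-file rule: type, control, module, arguments.
RULE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
# Assumption for this example: modules bound to one password-store layout.
BACKEND_MODULES = {"pam_unix.so", "pam_tcb.so"}

# Daniel's config with the pam_listfile arguments wrapped onto their own line by mail wrapping.
ORIGINAL = """auth required pam_unix.so nullok
auth required pam_listfile.so
file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so
"""
# The suggested config; the trailing backslash continuation is added for this example.
PORTABLE = r"""#%PAM-1.0
auth include system-auth
auth required pam_listfile.so \
    file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account include system-auth
password include system-auth
session include system-auth
"""

def logical_lines(text):
    """Yield (first line number, rule text); comments dropped, backslash continuations joined."""
    buf, start = "", 0
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        start = start or number
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        buf += line
        if buf.strip():
            yield start, buf.strip()
        buf, start = "", 0

def lint(text):
    """Flag stray argument lines and rules that hardcode a password-store module."""
    findings = []
    for number, line in logical_lines(text):
        m = RULE.match(line)
        if m is None:
            findings.append((number, "not-a-rule"))
        elif m.group(3).rsplit("/", 1)[-1] in BACKEND_MODULES:
            findings.append((number, "backend-specific:" + m.group(3)))
    return findings
```

`lint(ORIGINAL)` reports every `pam_unix.so` rule plus the orphaned `file=` line, while `lint(PORTABLE)` returns an empty list.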