ALT Linux users (in English only)
From: Alexander Bokovoy <ab@altlinux.org>
To: "ALT Linux users (in English only)" <community-en@lists.altlinux.org>
Subject: Re: [Comm-en] PAM with ALT Linux
Date: Fri, 09 Nov 2007 22:07:52 +0300
Message-ID: <4734B008.2080401@altlinux.org> (raw)
In-Reply-To: <20071109172301.GA31932@basalt.office.altlinux.org>

Dmitry V. Levin wrote:
> Hi,
> 
> On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
>> I'm a developer and I have a problem with ALT Linux and PAM 
>> (authentication).
>>
>> My program uses PAM. This is the PAM configuration file:
>>
>> auth            required        pam_unix.so nullok
>> auth            required        pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
>> account         required        pam_unix.so
>> session         required        pam_unix.so
>> password        required        pam_unix.so
>>
>> It works very well with: Ubuntu, Mandriva, Fedora Core 6, Open Suse 10.2 ...
>>
>> And I don't understand why not with ALT Linux (installed with 
>> lite-cd-20071106.iso)?
>>
>> Do you have an idea?
> 
> Could you provide more details how it doesn't work, please?
> Where it fails, how it fails, credentials of process which fails,
> log message (in /var/log/auth/all) if any, etc.
Shouldn't it be related to TCB? This PAM config completely ignores the
fact that auth info in a default ALT Linux installation is done through
TCB, therefore pam_tcb should be used instead of pam_unix. Below is our
system-auth-local which is included by default by other services:

#%PAM-1.0
auth     required       pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account  required       pam_tcb.so shadow fork
password required       pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required       pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session  required       pam_tcb.so
session  required       pam_mktemp.so
session  required       pam_limits.so

Daniel, you'd probably need to supply an ALTLinux-customized PAM config 
for your application made along these lines. Better, use the following 
(not tested):

#%PAM-1.0
auth     include        system-auth
auth     required       pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account  include        system-auth
password include        system-auth
session  include        system-auth

It relies on the fact that we have a system-wide 'system-auth' PAM config 
which does common magic (like system-auth-local above).
-- 
/ Alexander Bokovoy
Samba Team                      http://www.samba.org/
ALT Linux Team                  http://www.altlinux.org/
Midgard Project Ry              http://www.midgard-project.org/
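
Added example, not part of the original message or of any ALT Linux tooling: a small Python check that follows the suggestion above by flagging service-file rules that name pam_unix.so directly instead of including system-auth, and that also catches a rule split across two lines without a trailing backslash. The names parse_pam, audit and BACKEND_MODULES are assumptions made for this sketch.

```python
import re

PAM_TYPES = {"auth", "account", "password", "session"}
# Assumption for this sketch: modules that tie a service to one password backend.
BACKEND_MODULES = {"pam_unix.so"}
RULE = re.compile(r"(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_pam(text):
    """Split one /etc/pam.d service file into (rules, unparsable lines)."""
    rules, bad = [], []
    for line in re.sub(r"\\\n", " ", text).splitlines():  # backslash continues a rule
        line = line.split("#", 1)[0].strip()              # drop comments (#%PAM-1.0)
        m = RULE.match(line)
        if m and m.group(1).lstrip("-") in PAM_TYPES:
            rules.append((m.group(1).lstrip("-"), m.group(2), m.group(3), m.group(4).split()))
        elif line:
            bad.append(line)
    return rules, bad

def audit(text):
    """Return findings: broken lines first, then hard-coded backend modules."""
    rules, bad = parse_pam(text)
    findings = [f"not a PAM rule (wrapped line?): {b}" for b in bad]
    for ptype, control, module, _args in rules:
        if control in ("include", "substack"):
            continue                                      # third field names a config file
        if module.rsplit("/", 1)[-1] in BACKEND_MODULES:
            findings.append(f"{ptype}: hard-codes {module}, consider 'include system-auth'")
    return findings

# Constructed inputs: the two service files from this thread; the first has the
# pam_listfile rule split across two lines, the way mail wrapping leaves it.
ORIGINAL = """\
auth            required        pam_unix.so nullok
auth            required        pam_listfile.so
file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account         required        pam_unix.so
session         required        pam_unix.so
password        required        pam_unix.so
"""
SUGGESTED = """\
#%PAM-1.0
auth     include        system-auth
auth     required       pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account  include        system-auth
password include        system-auth
session  include        system-auth
"""
if __name__ == "__main__":
    print(audit(ORIGINAL), audit(SUGGESTED))
```

The split line matters because a pam_listfile.so rule that loses its file= argument cannot do the lookup the rule was written for.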


