From: Alexander Bokovoy
Date: Fri, 09 Nov 2007 22:07:52 +0300
To: "ALT Linux users (in English only)"
Subject: Re: [Comm-en] PAM with ALT Linux
Message-ID: <4734B008.2080401@altlinux.org>

Dmitry V. Levin wrote:
> Hi,
>
> On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
>> I'm a developer and I have a problem with ALT Linux and PAM
>> (authentication).
>>
>> My program uses PAM. This is the PAM configuration file:
>>
>> auth required pam_unix.so nullok
>> auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
>> account required pam_unix.so
>> session required pam_unix.so
>> password required pam_unix.so
>>
>> It works very well with: Ubuntu, Mandriva, Fedora Core 6, Open Suse 10.2 ...
>>
>> And I don't understand why not with Alt Linux (installed with
>> lite-cd-20071106.iso)?
>>
>> Have you an idea?
>
> Could you provide more details on how it doesn't work, please?
> Where it fails, how it fails, credentials of the process which fails,
> log message (in /var/log/auth/all) if any, etc.

Shouldn't it be related to TCB? This PAM config completely ignores the
fact that auth info in a default ALT Linux installation is done through
TCB, therefore pam_tcb should be used instead of pam_unix.

Below is our system-auth-local, which is included by default by other
services:

#%PAM-1.0
auth     required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account  required pam_tcb.so shadow fork
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session  required pam_tcb.so
session  required pam_mktemp.so
session  required pam_limits.so

Daniel, you'd probably need to supply an ALTLinux-customized PAM config
for your application made along these lines. Better, use the following
(not tested):

#%PAM-1.0
auth     include  system-auth
auth     required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account  include  system-auth
password include  system-auth
session  include  system-auth

It relies on the fact that we have a system-wide 'system-auth' PAM config
which does the common magic (like system-auth-local above).

-- 
/ Alexander Bokovoy
Samba Team http://www.samba.org/
ALT Linux Team http://www.altlinux.org/
Midgard Project Ry http://www.midgard-project.org/
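
An added example, not part of the original message and not ALT Linux tooling: a small Python check that parses pam.d rule lines and reports where a service file hard-codes a password-database module that the system-wide stack does not use for that rule type. The rule lines are the ones posted in this thread; the `BACKENDS` set and the function names are assumptions of the example.

```python
import re

# Password-database modules (an assumption of this example, not an ALT Linux list).
BACKENDS = {"pam_unix.so", "pam_tcb.so"}
RULE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for each rule in a pam.d file."""
    rules = []
    for line in text.replace("\\\n", " ").splitlines():  # join continuations
        line = line.split("#", 1)[0].strip()  # drop comments such as #%PAM-1.0
        m = RULE.match(line)
        if m:
            mod = m.group(3).rsplit("/", 1)[-1]  # tolerate absolute module paths
            rules.append((m.group(1), m.group(2), mod, m.group(4).split()))
    return rules

def hardcoded_backends(service, system_stack):
    """List (type, module) rules in `service` that name a password backend
    the system stack does not use for that rule type."""
    in_use = {(t, mod) for t, _, mod, _ in parse_pam(system_stack)}
    return [(t, mod) for t, control, mod, _ in parse_pam(service)
            if control not in ("include", "substack")
            and mod in BACKENDS and (t, mod) not in in_use]

# Rule lines as posted in the thread.
SYSTEM_AUTH_LOCAL = """auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account required pam_tcb.so shadow fork
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40 passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required pam_tcb.so use_authtok shadow fork prefix=$2a$ count=8 nullok write_to=tcb
session required pam_tcb.so
session required pam_mktemp.so
session required pam_limits.so"""
ORIGINAL = """auth required pam_unix.so nullok
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so"""
SUGGESTED = """auth include system-auth
auth required pam_listfile.so file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account include system-auth
password include system-auth
session include system-auth"""

if __name__ == "__main__":
    print("original: ", hardcoded_backends(ORIGINAL, SYSTEM_AUTH_LOCAL))
    print("suggested:", hardcoded_backends(SUGGESTED, SYSTEM_AUTH_LOCAL))
```

The same service file checked against a system stack built on pam_unix.so reports nothing, which matches the original poster's experience on other distributions.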