Date: Mon, 22 Jun 2009 20:48:24 +0400
From: "Dmitry V. Levin"
To: ALT Linux Community general discussions
Message-ID: <20090622164824.GA7698@wo.int.altlinux.org>
References: <20090619233836.GA15680@wo.int.altlinux.org>
Subject: Re: [Comm] "pam_mount password:" - kind of sloppy

On Mon, Jun 22, 2009 at 11:41:36AM +0500, Денис Черносов wrote:
> On 20 June 2009 at 4:38, Dmitry V. Levin (ldv@altlinux.org) wrote:
> > On Fri, Jun 19, 2009 at 11:46:36AM +0500, Денис Черносов wrote:
> >> Good day, everyone!
> >>
> >> auth optional pam_mount.so
> >> auth sufficient pam_tcb.so shadow fork prefix=$2a$ count=8 nullok use_first_pass
> >> auth requisite pam_succeed_if.so uid >= 500 quiet
> >> auth required pam_ldap.so use_first_pass
> >>
> >> In the fifth branch, pam_mount, when placed first in auth (and I could not
> >> get it to work any other way), changes the password prompt and instead of
> >> plain "password:" prints "pam_mount password:".
> >
> > Do not put pam_mount.so in the authentication stack before pam_tcb.so;
> > that is wrong in principle.
>
> Agreed, it seems "wrong in principle" to me too. But the example explicitly
> says that when authenticating through ldap or winbind, the pam_mount module
> has to be placed first...
> ----------------------
> #man pam_mount
> ....
> When "sufficient" is used in the second column, you must make sure that
> pam_mount is added before this entry. Otherwise pam_mount will not get
> executed should a previous PAM module succeed. Also be aware of the
> "include" statements. These make PAM look into the specified file. If there
> is a "sufficient" statement, then the pam_mount entry must either be in the
> included file before the "sufficient" statement or before the "include"
> statement.
>
> If you use pam_ldap, pam_winbind, or any other authentication services that
> make use of PAM's sufficient keyword, model your configuration on the
> following order:
>
> ...
> account sufficient pam_ldap.so
> auth required pam_mount.so
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_unix.so use_first_pass
> session optional pam_mount.so
> ...
>
> This allows for:
>
> 1. pam_mount, as the first "auth" module, will prompt for a password and
> export it to the PAM system.
>
> 2. pam_ldap will use the password from the PAM system to try and
> authenticate the user. If this succeeds, the user will be authenticated.
> If it fails, pam_unix will try to authenticate.
> ....
> ------------------------------

It says there that if you add something to the stack after sufficient, there
is a non-zero chance that this something will not be executed. That statement
is true, but it does not follow from it that something has to be added before
sufficient.

> And the second variant (see below) is given precisely for people like you
> and me :)
> -----------------------------
> ...
> Alternatively, the following is possible (thanks to Andrew Morgan for the
> hint!):
>
> auth [success=2 default=ignore] pam_unix2.so
> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> auth requisite pam_deny.so
> auth optional pam_mount.so
>
> It may seem odd, but the first three lines will make it so that at least
> one of pam_unix2 or pam_ldap has to succeed. As you can see, pam_mount will
> be run after successful authentication with these subsystems.
> ...
> -----------------------------
>
> What's more, both of these variants work.

Yes, of course.

> But if you try to simply put pam_mount after the other modules, the password
> is asked for twice. Even when restarting daemons (what fun: service network
> restart - enter your password...). And that is not solved by using the
> use_first_pass option.

Are you saying that pam_mount does not support use_first_pass?

> The only thing I have not tried is putting the account line before the auth
> lines. Because, as far as I understand, that will not change anything...

Of course.

> >> auth [success=2 default=ignore] pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
> >> auth requisite pam_succeed_if.so uid >= 500 quiet
> >> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> >> auth optional pam_mount.so
> >
> > You copied it from pam_mount(8) incorrectly. To understand what the
> > mistake is, you will have to read and understand pam.conf(5).
>
> There is no mistake. This variant works. My question is more about
> aesthetics than functionality...

There is a semantic error in this variant. Try:
- logging in as an ldap user;
- logging in as a nonexistent user.
The point is that it is worth studying the format of pam.conf(5) in order to
understand how one construct or another works.

-- 
ldv
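To trace the two stacks discussed in this thread module by module, here is an added example (not code from the thread, from pam_mount or from libpam): a Python model of the pam.conf(5) control semantics. The mapping of each control keyword to its action, and the per-module outcomes for each login scenario, are assumptions stated in the comments.

```python
# Added example, not code from the thread: a model of how Linux-PAM walks an
# "auth" stack, following the control semantics of pam.conf(5):
#   sufficient = [success=done default=ignore], required = [success=ok default=bad],
#   requisite = [success=ok default=die], optional = [success=ok default=ignore],
#   and [success=N default=ignore] skips the next N entries on success.
# Module outcomes are constructed inputs (True = module would return PAM_SUCCESS).

def run_auth_stack(stack, outcomes):
    """stack: list of (control, module); outcomes: module -> bool.
    Returns (stack_result, modules_actually_executed)."""
    status, executed, i = None, [], 0       # None: nothing has contributed yet
    while i < len(stack):
        control, module = stack[i]
        ok = outcomes.get(module, False)
        executed.append(module)
        skip = 0
        if control.startswith("[success="):
            if ok:                           # a taken jump also counts as "ok"
                skip = int(control.split("=")[1].split()[0])
                status = True if status is None else status
            # default=ignore: a failure contributes nothing to the result
        elif ok:                             # "ok" action of the other controls
            if status is None:
                status = True
            if control == "sufficient" and status:
                return True, executed        # "done": stop with success
        elif control in ("required", "requisite"):
            status = False                   # "bad": a failure sticks
            if control == "requisite":
                return False, executed       # "die": stop immediately
        i += 1 + skip
    return bool(status), executed            # nothing contributed => denied

# The alternative order quoted from pam_mount(8) in the thread.
MANPAGE_ALT = [("[success=2 default=ignore]", "pam_unix2"),
               ("[success=1 default=ignore]", "pam_ldap"),
               ("requisite", "pam_deny"),
               ("optional", "pam_mount")]
# The variant posted in the thread: pam_deny is gone, pam_succeed_if is added.
POSTED = [("[success=2 default=ignore]", "pam_tcb"),
          ("requisite", "pam_succeed_if"),
          ("[success=1 default=ignore]", "pam_ldap"),
          ("optional", "pam_mount")]

# Constructed login scenarios: which modules would succeed for that attempt.
LDAP_USER = {"pam_succeed_if": True, "pam_ldap": True, "pam_mount": True}
LOCAL_USER = {"pam_tcb": True, "pam_unix2": True, "pam_succeed_if": True, "pam_mount": True}
BAD_PASSWORD = {"pam_succeed_if": True, "pam_mount": True}  # known user, both checks fail
UNKNOWN_USER = {}                                            # no module succeeds
```

Running `run_auth_stack(POSTED, LDAP_USER)` shows that the posted stack never executes pam_mount for an LDAP user, because pam_ldap's success=1 now jumps over pam_mount instead of over pam_deny; `run_auth_stack(POSTED, BAD_PASSWORD)` shows that without pam_deny the stack still ends in success when both password checks fail, carried only by pam_succeed_if's "ok" result, which is why the pam_mount(8) ordering keeps a requisite pam_deny after the jumps.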