On Sun, 29 Jul 2007, Heiko Harders wrote:

> Some hours of trial and error later I still don't have it working...
> but I can't understand why. The configurations I tried should (as seen
> from my logic) work, but they don't. A few examples of configurations I
> tried are listed below (by the way, I use Ubuntu 7.04 'Feisty Fawn'
> clients, I didn't mention it before, but I thought it might be important):
>
> ## common-account (I changed this a bit according to an article I found,
> written by Martin Schwenke):
> account requisite pam_unix.so
> account sufficient pam_localuser.so
> account required pam_ldap.so
>
> ## common-auth:
> # first authenticate for pam_mount, this is the only way (as far as I know) to
> # prevent multiple password requests (as it seems 'use_first_pass' doesn't
> # work for pam_mount.so)
> auth required pam_mount.so
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_unix.so nullok_secure use_first_pass
>
>
> Next are the different versions of 'common-session' I tried.
> ## common-session [VERSION 1]:
> session optional pam_foreground.so
> session requisite pam_unix.so
> # the following line jumps over the mounting
> # but of course... it does for all users... (as expected)
> session [default=1] pam_localuser.so
> session required pam_mount.so
> session required pam_ldap.so
>
> ## common-session [VERSION 2]:
> session optional pam_foreground.so
> session requisite pam_unix.so
> # the following line doesn't seem to have any effect
> # mounting is executed for local users and users in the ldap server
> # I would have expected pam would terminate after this line
> # when a local user logs on (because of the 'sufficient' control value)
> session sufficient pam_localuser.so
> session required pam_mount.so
> session required pam_ldap.so
>
> ## common-session [VERSION 3]:
> session optional pam_foreground.so
> session requisite pam_unix.so
> # the following line gives 'su: Module is unknown' after
> # the request for the password
> session [user_unknown=ignore default=done] pam_localuser.so
> session required pam_mount.so
> session required pam_ldap.so
>
> ## common-session [VERSION 4]:
> session optional pam_foreground.so
> session requisite pam_unix.so
> # the following line doesn't mount anything, not for
> # local users and not for ldap users
> # (in either case 'ok' or 'ignore')
> session [user_unknown=ok/ignore default=2] pam_localuser.so
> session required pam_mount.so
> session required pam_ldap.so
>
> ## common-session [VERSION 5]:
> session optional pam_foreground.so
> # the following line does also mounting for local users
> # (I also found this in the article by Martin Schwenke and adapted it a bit)
> session [success=ok new_authtok_reqd=ok ignore=2 \
>         authinfo_unavail=ignore user_unknown=ignore default=bad] \
>         pam_ldap.so ignore_unknown_user
> session required pam_mount.so
> session required pam_ldap.so
> session requisite pam_unix.so
>
> So still no success. As I said before, logging on works for local users
> and for users in the LDAP. Mounting also works for the users in the
> LDAP, but I would like to prevent the execution of the
> pam_mount for local users (because these users don't need mounting and
> if there is a user in the LDAP with the same username/password combo,
> his/her homedir is mounted on top of the local homedir. I would like to
> make sure local users are more important).
>
> Some other details that might be important: for testing the
> configurations I use 'su' (it's the fastest way), but quite a few times I
> also tried logging in with gdm (Gnome). There seems to be no difference,
> and in my view that seems logical, because I only edit the
> /etc/pam.d/common-* files (I don't edit any of the other files in that
> directory).
>
> Is there anybody who could explain why the listed examples don't work?
> And what about my approach? Jose Plans already suggested using 'autofs',
> but it seems to me that using pam_mount would be a cleaner approach.
> Anyone any ideas on this? Is my approach perhaps outdated?

The matter is that pam_localuser.so operates only in the account stack (check the README file in the pam_localuser source directory). That means mounting should be performed in the account stack too. If pam_mount.so cannot operate in the account stack (consult the pam_mount documentation), pam_localuser.so cannot help you. You could however patch the pam_localuser source so that it can operate also in the session stack in order to be helpful for you.

--
Sincerely yours,
Dan.

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
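As an added illustration (not code from this thread or from libpam), a small Python evaluator of the pam.conf(5) `[value=action]` control syntax, run over Heiko's common-session versions 1 to 4 with pam_localuser answering PAM_MODULE_UNKNOWN in the session stack, which is what Dan's explanation implies. It reproduces the four observed outcomes (skipped for everyone, no effect, 'Module is unknown', nothing mounted) and shows that the jump only selects local users once the module actually answers; the jump action's own status contribution is simplified away.

```python
# Added illustration, not libpam code: evaluator for the pam.conf(5) [value=action]
# control syntax, covering the actions (ok, done, bad, die, ignore, jump N) used above.
SUCCESS, USER_UNKNOWN, MODULE_UNKNOWN = "success", "user_unknown", "module_unknown"
POS, NEG = "positive", "negative"
# The classic keywords are shorthand for these [value=action] tables (pam.conf(5)).
KEYWORD = {
    "required":   {SUCCESS: "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {SUCCESS: "ok",   "new_authtok_reqd": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {SUCCESS: "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {SUCCESS: "ok",   "new_authtok_reqd": "ok",   "default": "ignore"},
}

def parse_control(control):          # 'required' or '[success=ok default=bad]' -> {value: action}
    if not control.startswith("["):
        return KEYWORD[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_stack(stack, returns):
    """stack: [(control, module)]; returns: module -> return value. Gives (final status, modules invoked)."""
    status, impression, called, i = None, None, [], 0
    while i < len(stack):
        control, module = stack[i]
        called.append(module)
        ret = returns[module]
        table = parse_control(control)
        action = table.get(ret, table.get("default", "bad"))   # unspecified default is 'bad'
        if action in ("ok", "done"):
            if impression is None or status == SUCCESS:    # 'ok' overrides only a non-failing state
                impression, status = (POS if ret == SUCCESS else NEG), ret
            if action == "done" and impression == POS:
                break                                       # only a positive 'done' ends the stack
        elif action in ("bad", "die"):
            if impression != NEG:                           # the first failure is the one reported
                impression, status = NEG, ret
            if action == "die":
                break
        elif action.isdigit():                              # jump: skip the next N entries
            i += int(action)                                # (simplified: no status contribution)
        i += 1                                              # 'ignore' contributes nothing
    return status, called

def mount_runs(localuser_control, localuser_ret=MODULE_UNKNOWN):
    """Heiko's common-session with one pam_localuser control line -> (pam_mount invoked?, status).
    The default models Dan's point: pam_localuser has no session hook, so it is 'module unknown' for everyone."""
    stack = [("optional", "pam_foreground.so"), ("requisite", "pam_unix.so"),
             (localuser_control, "pam_localuser.so"),
             ("required", "pam_mount.so"), ("required", "pam_ldap.so")]
    returns = {module: SUCCESS for _, module in stack}     # every other module succeeds (assumed)
    returns["pam_localuser.so"] = localuser_ret
    status, called = run_stack(stack, returns)
    return "pam_mount.so" in called, status
```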