On Monday, 30 July 2007 15:43, Heiko Harders wrote:
> Wilhelm Meier wrote:
> > On Saturday, 28 July 2007 21:30, Heiko Harders wrote:
> >> <snip>
> >
> > What about uid's. Normally the local user uid's occupy a different range,
> > say e.g. 0 - 1000 and the ldap uid's are above that range. I don't know if
> > pam_mount can distinguish this, but pam_cifs can do that.
>
> I tried working with uid's and gid's (but did it a little different than
> what you told), this is the configuration I used, my local users have
> id's below 2000 and my ldap users have id's above 2000:
>
> session optional pam_foreground.so
> session [default=2 success=ignore] pam_succeed_if.so quiet uid > 2000
> session required pam_mount.so
> session sufficient pam_ldap.so
> session required pam_unix.so
>
> But this also doesn't work... I got this example literally from the
> online documentation
> (example on the bottom of this page:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_succeed_if.html).
> But with whatever uid I logon (tried su and tried gdm) it always does
> the default thing, so it skips lines 3 and 4.
> I checked the user id's of the users after logging on (with command
> 'id'). For my ldap user it was 2002, for my local user it was 1000. So
> that couldn't be the problem.

Please show us the logs (add the debug option to every module).

> Dan Yefimov wrote:
> > On Sun, 29 Jul 2007, Heiko Harders wrote:
> >> <snip>
> >
> > The matter is that pam_localuser.so operates only in account stack (check
> > README file in the pam_localuser source directory).
>
> I checked this out online to make sure this wasn't the problem. In the
> online documentation
> (http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_localuser.html)
> I found: "All services (account, auth, password and session) are
> supported." So I ruled this out and was convinced this wasn't a problem.
> But perhaps that online documentation isn't correct.
>
> > That means mounting should
> > be performed in account stack too. If pam_mount.so cannot operate in
> > account stack (consult with pam_mount documentation), pam_localuser.so
> > cannot help you.
>
> I think (but am not sure) pam_mount can not operate in account stack.
> The documentation is very limited and doesn't say anything about that.
>
> > You could however patch pam_localuser source so that it can operate also
> > in session stack in order to be helpful for you.
>
> That's something I will consider after I've made sure the online
> documentation I found is indeed incorrect (and you are right about
> pam_localuser isn't able to operate in session stack).
>
> I thought it might help if I used this module:
> http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_loginuid.html
> However I'm not sure what exactly it is for, I thought it might be
> necessary for correctly identifying the uid of the user which logs on?
> Anyway, this module isn't installed on my system, a quick search on the
> internet provided that 'Linux SE' (security enhanced linux) is needed for
> this. But there is not much I can find about this issue.
>
> Another problem that occurred is that my 'gksu' is broken by 'auth
> required pam_mount.so' (that seems to be a common problem and I didn't
> find a solution for it yet, any comments on that are also welcome). So
> after three days of trial and nothing but error ;-) and considering the
> problem with gksu I'm thinking about dropping pam_mount and try some
> other approach. But I don't want to give up too soon, so any thoughts on
> these problems are still very welcome.
>
> Greetings,
> Heiko
>
> _______________________________________________
> Pam-list mailing list
> Pam-list@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/pam-list

--
Wilhelm
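
The control flow that the session stack quoted in the message above is documented to produce, as an added example that is not part of the original thread: a small Python model of the Linux-PAM `[value=action]` jump handling, useful as a reference when reading the debug logs. The function names are hypothetical and pam_succeed_if is reduced to its `uid <op> N` test, which is an assumption of this sketch.

```python
import operator
import re

# Session stack copied from the quoted message above.
STACK = """\
session optional pam_foreground.so
session [default=2 success=ignore] pam_succeed_if.so quiet uid > 2000
session required pam_mount.so
session sufficient pam_ldap.so
session required pam_unix.so
"""

# type, control (keyword or [value=action ...]), module, arguments
LINE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")
OPS = {"<": operator.lt, "<=": operator.le, "eq": operator.eq,
       "ne": operator.ne, ">=": operator.ge, ">": operator.gt}

def parse(text):
    """Split each non-empty, non-comment line into (control, module, args)."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and not raw.lstrip().startswith("#"):
            entries.append((m.group(2), m.group(3), m.group(4).split()))
    return entries

def uid_test_passes(args, uid):
    """Hypothetical stand-in for pam_succeed_if: evaluates only 'uid <op> N'."""
    i = args.index("uid")
    return OPS[args[i + 1]](uid, int(args[i + 2]))

def modules_not_skipped(text, uid):
    """Modules reached for this uid. Only jump actions are modelled; a
    successful 'sufficient' module ending the stack early is not."""
    reached, skip = [], 0
    for control, module, args in parse(text):
        if skip:
            skip -= 1
            continue
        reached.append(module)
        if module == "pam_succeed_if.so" and control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
            result = "success" if uid_test_passes(args, uid) else "auth_err"
            action = actions.get(result, actions.get("default", ""))
            if action.isdigit():      # a number N means: skip the next N modules
                skip = int(action)
    return reached

if __name__ == "__main__":
    for uid in (1000, 2000, 2002):    # constructed sample uids
        print(uid, modules_not_skipped(STACK, uid))
```

Note the boundary: `uid > 2000` is false for uid 2000 itself, so that account is treated like a local user and pam_mount.so is skipped.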