Re: pam/winbind user not found problem

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


On Thu, Jul 16, 2009 at 11:58, Les Mikesell<les@xxxxxxxxxxxxxxxx> wrote:
> This isn't strictly a PAM issue, but rather with the default RHEL5.x
> configuration (and Centos, and probably fedora).  Does anyone know what they
> were thinking?

Ostensibly, they were trying to authenticate system users without
passing said users' credentials on to winbind.  Whether intentional or
not, it seems they assumed users would have a UID that could be
resolved by pam_unix.  That's often the case, but with proper
enterprise-level user management (no local accounts) the assumption

> Should most pam auth modules know anything about uid's?

By all means - auth is probably the most important place for UIDs/GIDs
to be known.

> I thought that was account info.  If the idea is to keep the 'system' accounts
> (below 500 by convention)in the passwd file, is there a better way to do it?

Probably should have used something to this effect instead of 'requisite':

[success=ok new_authtok_reqd=ok ignore=ignore default=die user_unknown=ignore]

Which is, of course, according to pam.conf(5) the same as 'requisite'
with the added control of ignoring unknown users.  Allows the stack to
shortcut if it's a system user with bad credentials but still passes
completely unresolved credentials on.

Pam-list mailing list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux