LinuxQuestions.org
Old 05-06-2010, 12:03 PM   #1
OneOldGeek
initgroups: Operation not permitted


I installed libpam-ldap on a fresh Lucid 10.04 installation. After configuring the appropriate files, I am able to log in and operate fine using either LDAP or local password authentication. However, when I:

$ su - mortaluser
Password: LDAP_PASSWORD
initgroups: Operation not permitted

The auth.log has a similar message:

initgroups failed for user 'mortaluser': Operation not permitted

Using the local password is fine:

$ su - mortaluser
Password: LOCAL_PASSWORD
$ mortaluser: _

Using sudo is fine:

$ sudo su - mortaluser
[sudo] password for mortaluser: EITHER_PASSWORD
$ mortaluser: _

I have spent a lot of time searching to no avail. I have looked at most of the Google hits, and tried many (even the older ones). Any help or feedback would be greatly appreciated!

- Doug
 
Old 05-06-2010, 06:55 PM   #2
kbp
Did you modify /etc/pam.d/su? I'm not sure where your nss ldap.conf is on Lucid (the RH family use /etc/ldap.conf), but do you have any nss_initgroups* lines in it?
 
Old 05-07-2010, 09:56 AM   #3
OneOldGeek
Original Poster
Thanks for the response!

No, I have not modified /etc/pam.d/su. I have not manually changed anything other than the /etc/ldap.conf.

Here is /etc/pam.d/su (comments removed for brevity):

auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

common-account:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

common-session:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_ck_connector.so nox11


P.S. I mv'd su to su.org and the results were the same.

Last edited by OneOldGeek; 05-07-2010 at 11:44 AM.
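
Added example (not part of the thread, and not libpam code): a simplified Python model of how the controls in the common-auth stack posted above are evaluated, showing that a success from either pam_unix.so or pam_ldap.so jumps past pam_deny.so to pam_permit.so. It models only the bracket, required and requisite controls; parse() and evaluate() are hypothetical helper names, and the module outcomes passed in are constructed inputs.

```python
# Simplified model of Linux-PAM control handling (added example, not libpam).
COMMON_AUTH = """\
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
"""

KEYWORDS = {  # keyword controls as their bracket equivalents, per pam.conf(5)
    "required": {"success": "ok", "default": "bad"},
    "requisite": {"success": "ok", "default": "die"},
}

def parse(stack_text):
    """Return [(actions, module)] for each rule line of a PAM stack."""
    rules = []
    for line in stack_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "@")):
            continue  # blank line, comment, or @include
        _type, rest = line.split(None, 1)
        if rest.startswith("["):
            ctl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctl.split())
        else:
            ctl, rest = rest.split(None, 1)
            actions = KEYWORDS[ctl]
        rules.append((actions, rest.split()[0]))
    return rules

def evaluate(rules, module_ok):
    """module_ok maps module name -> bool (constructed). Returns (granted, ran)."""
    ran, status, skip = [], None, 0
    for actions, module in rules:
        if skip:
            skip -= 1
            continue
        ran.append(module)
        ok = module_ok.get(module, module == "pam_permit.so")
        action = actions.get("success" if ok else "default", actions["default"])
        if action.isdigit():
            skip = int(action)  # jump over the next N rules; status unchanged
        elif action == "ok" and status is not False:
            status = ok
        elif action in ("bad", "die"):
            status = False
            if action == "die":
                break
        # "ignore": this module's result does not affect the stack result
    return status is True, ran
```

Calling evaluate(parse(COMMON_AUTH), {"pam_ldap.so": True}) models a login with the LDAP password; an empty dict models both password checks failing.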
 
Old 05-07-2010, 11:03 PM   #4
kbp
Could you please post the mode and ownership of /bin/su?

I'd expect something like:

-rwsr-xr-x. 1 root root 32712 2010-01-13 01:35 /bin/su

Last edited by kbp; 05-07-2010 at 11:04 PM.
 
Old 05-11-2010, 12:36 PM   #5
OneOldGeek
Original Poster
kbp,

Thanks for your help! I have been pulling my hair out over this.

su:

$ ll /bin/su
-rwsr-xr-x 1 root root 31100 2010-01-26 10:09 /bin/su*

BTW: I thought I posted this yesterday. I clicked "Post Quick Reply". But, my token had expired and I did not notice until today.
 
Old 05-12-2010, 12:14 AM   #6
kbp
Just rereading your original post, do you have the same account name (mortaluser) locally and in ldap? .. I'd probably remove the local accounts after ldap'ing the host

Might need an strace to see what's happening - can you run 'strace -o /tmp/su_strace.txt su - mortaluser' and post the output?


cheers
 
Old 05-12-2010, 04:27 PM   #7
OneOldGeek
Original Poster
When I use strace, either password gives the initgroups error. I tried pulling mortaluser from the password file, but was not able to sudo at all.
 
Old 05-12-2010, 10:01 PM   #8
kbp
Do you have nscd running? .. if not, could you try turning it on?
 
Old 05-13-2010, 09:57 AM   #9
OneOldGeek
Original Poster
I did not have it running. I used the Synaptic Package Manager to install nscd and it is now running. The results have not changed.

Since this is a corner case issue and I have a workaround, I will document it and see if it resolves in the future.

Thank you for your feedback and help.

- Doug
 
Old 05-14-2010, 02:26 AM   #10
timoD
I also have the same problems with PAM: I can't change users with su (operation not permitted), and I also can't change users' passwords with passwd when logged in as themselves. NSCD is running.

If I understand correctly, this is a not-yet-solved bug in Ubuntu 10.4?

edit: link to the bug reports https://bugs.launchpad.net/ubuntu/ka...ap/+bug/423252

Last edited by timoD; 05-14-2010 at 07:07 AM.
 
  

