I installed libpam-ldap on a fresh Lucid 10.04 installation. After configuring the appropriate files, I am able to login and operate fine using either LDAP or local password authentication . However, when I:

$ su - mortaluser
Password: LDAP_PASSWORD
initgroups: Operation not permitted

The auth.log has a similar message:

initgroups failed for user 'mortaluser': Operation not permitted

Using the local password is fine:

$ su - mortaluser
Password: LOCAL_PASSWORD
$ mortaluser: _

Using sudo is fine:

$ sudo su - mortaluser
[sudo] password for mortaluser: EITHER_PASSWORD
$ mortaluser: _

I have spent a lot of time searching to no avail. I have looked at most of the Google hits, and tried many (even the older ones). Any help or feedback would be greatly appreciated!

- Doug

Did you modify /etc/pam.d/su ? I'm not sure where your nss ldap.conf is on Lucid ( the RH family use /etc/ldap.conf ) but do you have any nss_initgroups* lines in it ?

Thanks for the response!

No, I have not modified /etc/pam.d/su. I have not manually changed anything other than the /etc/ldap.conf.

Here is /etc/pam.d/su (comments removed for brevity):

auth sufficient pam_rootok.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
session optional pam_mail.so nopen
@include common-auth
@include common-account
@include common-session

common-auth:

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

common-account:

account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so

common-session:

session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session optional pam_ck_connector.so nox11


P.S. I mv'd su to su.org and the results were the same.

Could you please post the mode and ownership of /bin/su ?

I'd expect something like:

-rwsr-xr-x. 1 root root 32712 2010-01-13 01:35 /bin/su

kbp,

Thanks for your help! I have been pulling my hair out over this.

su:

$ ll /bin/su
-rwsr-xr-x 1 root root 31100 2010-01-26 10:09 /bin/su*

BTW: I thought I posted this yesterday. I clicked "Post Quick Reply". But, my token had expired and I did not notice until today.

Just rereading you original post, do you have the same account name (mortaluser) locally and in ldap ? .. I'd probably remove the local accounts after ldap'ing the host

Might need an strace to see what's happening - can you run 'strace -o /tmp/su_strace.txt su - mortaluser' and post the output ?


cheers

When I use strace, either password gives the initgroups error. I tried pulling mortaluser fromt he password file, but was not able to sudo at all.

Do you have nscd running ? .. if not, could you try turning it on ?

I did not have it running. I used the Synaptic Package Manager to install nscd and it is now running. The results have not changed.

Since this is a corner case issue and I have a workaround, I will document it and see if it resolves in the future.

Thank you for your feedback and help.

- Doug

I also have the same problems with PAM, can't change users with su ( operation not permitted) and I also can't change users passwords with passwd when logged in as themselves, NSCD is running

If I understand well this is a not yet solved bug in Ubuntu 10.4?

edit: link to the bug reports https://bugs.launchpad.net/ubuntu/ka...ap/+bug/423252