su not giving proper message for restricted LDAP groups

skimeer · 10-12-2012, 09:41 AM

Hello,

I have configured PAM authentication on linux box to restrict particular group only to login.

I have enabled pam and ldap through authconfig and modified access.conf like below,

Code:

[root@test root]# tail -1 /etc/security/access.conf
- : ALL EXCEPT root test-auth : ALL

Also modified sudoers file, to get su for this group

Code:

[root@test ~]# tail -1 /etc/sudoers
%test-auth               ALL=/bin/su

Now, only this ldap group members can login to system.

However when from any of this authorised user, I tried for su, it asks for password and then though I enter correct passwoord it gives message like Incorrect password and login failed.

/var/log/secure shows that user is not having permission to get the access, but then it should print message like Access denied.The way it prints for console login.

My functionality is working but its no giveing proper messages.Could anyone please help on this.

My /etc/pam.d/su file,

Code:

[root@test root]# cat /etc/pam.d/su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so

uk.engr · 10-13-2012, 02:43 AM

Dear I am new to LDAP can please let me know easy way to configure LDAP

skimeer · 10-13-2012, 01:41 PM

Hi uk.engr,

Below link will help you in openldap configuration.

http://www.openldap.org/doc/admin24/and

http://www.openldap.org/doc/admin22/install.html

skimeer · 10-15-2012, 05:36 AM

Does anyone has solution for my actual question

Matthew Hardin · 10-15-2012, 07:45 PM

Hey Skimeer,

Several different pieces are in play here. Being that you can at least login using an LDAP account, I'd venture a guess that the LDAP server is at least configured correctly. We'll also need to see your system-auth file to see what it's doing. Then it may be off to other places as well.

One thing you might want to do is restart the LDAP server from the command line in debug mode and watch what happens when you run the su command. that will probably provide the most information. You might start with -1 (produces a LOT of output) and back off from there. Sometimes 256 is a good value as well, as it only displays operations and not much else.

Hope this helps,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com

skimeer · 10-15-2012, 10:25 PM

Hey Matt,

I will test with restarting LDAP service. Meanwhile this is my system-auth

Code:

[root@test ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Matthew Hardin · 10-15-2012, 11:01 PM

Hi Skimeer,

I don't see anything the matter there, but get your database cleaned up (see my reply to your group lookup problem) and then see what works and what doesn't.

Cheers,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com

skimeer · 10-16-2012, 12:27 AM

Hi Matt,

Backup/Restore did not resolve this issue.

what I have observed that,when I tried to su for unauthorized users. It gives access denied message in /var/log/secure

Code:

Oct 16 06:50:12 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 16 06:50:47 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'

However, I guess this should be printed just when I try for su with user kalpana.

Is there any way to handle messages before login for LDAP users through PAM files

Matthew Hardin · 10-16-2012, 02:21 PM

Hmm. It was late last night and I was thinking sudo, not su.

The su command works like this: If you type the target user's password, then su will authorize you for that id and either run the command you specified after -c or present you with a shell prompt. If you don't know the password, then it simply says "Sorry" and returns you to your original shall prompt. You'll also see a message in the log like the one you showed above.

The apparent exceptions in /etc/pam.d/su, but commented out in your example, are for members of group "wheel". One will implicitly trust members of that group, and the other will require that a user be a member of that group in order to succeed, even if the correct password is entered. Since they are commented out, neither of those cases will apply.

Is su behaving this way for both local and LDAP users? (maybe show the output so we can understand better if this is not the case)

Cheers,

-Matt

Matthew Hardin
Symas - The LDAP Guys
http://www.symas.com

skimeer · 10-17-2012, 07:02 AM

Hi Matt,

Now I have added local user named tester. Now this user is also denied access, using PAM configuration as above.

Code:

[skimeer@test root]$ su tester
Password:
su: incorrect password
[skimeer@test root]$

Log (/var/log/secure) shows,

Code:

Oct 17 13:21:30 localhost useradd[32237]: new group: name=tester, GID=10126
Oct 17 13:21:30 localhost useradd[32237]: new user: name=tester, UID=10126, GID=10126, home=/home/tester, shell=/bin/bash
Oct 17 13:21:45 localhost passwd: pam_unix(passwd:chauthtok): password changed for tester
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_unix(su:session): session opened for user svaidya by root(uid=0)
Oct 17 13:22:04 localhost su: pam_access(su:account): access denied for user `tester' from `pts/3'

Hence there is no difference for LDAP users and Local users. I guess something we can play around su configuration to modify these messages. Mainly something for pam_access.

skimeer · 10-29-2012, 08:39 AM

Any one has comment on this...I am still struggling to get this resolved.

skimeer · 11-05-2012, 11:23 PM

I just checked with for single group only,In that case if I try for su. It gives proper message "like user must be member of x group"

Is there any restriction on using multiple groups.

skimeer · 12-14-2012, 08:19 AM

Could anyone please help me out in this.