LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 01-17-2008, 11:19 PM   #1
whysyn
Member
 
Registered: Jun 2003
Location: Cleveburg, OH
Distribution: mostly Fedora
Posts: 154

vmware pam.d how do i enable nis?


I'm having nothing but a headache getting vmware's auth daemon to recognize NIS accounts. I've tried several things, but am coming up empty.

In the VMWare documentation, it states:
Quote:
The default installation of VMware Server uses standard Linux /etc/passwd authentication, but can be configured to use LDAP, NIS, Kerberos or another distributed authentication mechanism.
However it does not say how to do this.

My understanding of PAM is just enough to break it =)

The /etc/pam.d/vmware-authd file that installed with VMWare is:
Code:
#%PAM-1.0
auth       sufficient       /lib/security/pam_unix2.so shadow nullok
auth       required         /lib/security/pam_unix_auth.so shadow nullok
account    sufficient       /lib/security/pam_unix2.so
account    required         /lib/security/pam_unix_acct.so
Can somebody please help? I need to know how to change this to check NIS.

Thanks!
 
Old 01-19-2008, 08:28 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

TS steps to configure NIS with the Linux NIS(YP)/NYS/NIS+ HOWTO?
 
Old 01-20-2008, 10:01 AM   #3
whysyn
Thanks for the link. Something just isn't fitting for me though...

The doc recommends pam_unix2.so, which I can't seem to find on my system.

I've tried the following after reading /usr/share/doc/pam-0.99.8.1/txts/README.pam_unix, but still no dice:
Code:
#%PAM-1.0
auth       required         pam_unix.so nis nullok debug
account    required         pam_unix.so nis nullok try_first_pass debug
When I try to access VMs as an NIS user, I still get the "Operation not permitted" message on the GUI, and the following in the vmware-serverd.log:
Code:
Jan 20 10:29:38: app| SP: Retrieved username: mjeasly
Jan 20 10:29:38: app| Failed to get password entry for : mjeasly. Reason: Success
Jan 20 10:29:38: app| impersonate Impersonate_Undo called when refCount == 0
Jan 20 10:29:38: app| SP: Retrieved username: mjeasly
Jan 20 10:29:38: app| Failed to get password entry for : mjeasly. Reason: Success
Jan 20 10:29:38: app| impersonate Impersonate_Undo called when refCount == 0
Jan 20 10:29:39: app| SP: Rejecting command base on path: : 2
On the stock pam config for vmware_authd, I get the same in vmware-serverd.log.

"Failed to get password entry ... Reason: Success" is particularly confusing...
 
Old 01-20-2008, 05:19 PM   #4
unSpawn
pam_unix2 is ancient. Could you please first focus on making sure all main components of what NIS needs are installed on both server and client before moving on to checking configuration on both ends?
 
Old 01-21-2008, 08:27 AM   #5
whysyn
NIS / NFS are fully installed, configured and functional. Console login, GDM login, ssh, FTP, etc. all work properly with NIS accounts. To my (somewhat limited) knowledge, everything is settled except VMWare's authentication daemon.

The only reason I mentioned pam_unix2 is because that is used both in the PAM HOWTO and the default /etc/pam.d/vmware_authd. pam_unix2 is not being used in any other pam.d files.

Both systems are fully patched Fedora 8 systems from the official repositories, so I assume PAM and YP/NIS are relatively up to date.

If there is anything specific you'd like me to verify, please let me know where to look. As far as I can tell NIS seems to be working flawlessly with the exclusion of VMWare.
 
Old 01-21-2008, 08:34 AM   #6
whysyn
Additional info:
PAM version is 0.99.8.1-10.fc8, packages installed:
Code:
[root@client ~]# yum list installed | grep pam
gnome-keyring-pam.x86_64                 2.20.2-1.fc8           installed
pam.x86_64                               0.99.8.1-10.fc8        installed
pam.i386                                 0.99.8.1-10.fc8        installed
pam-devel.i386                           0.99.8.1-10.fc8        installed
pam-devel.x86_64                         0.99.8.1-10.fc8        installed
pam_ccreds.x86_64                        4-3.fc8                installed
pam_ccreds.i386                          4-3.fc8                installed
pam_krb5.x86_64                          2.2.18-1               installed
pam_krb5.i386                            2.2.18-1               installed
pam_passwdqc.i386                        1.0.4-4                installed
pam_passwdqc.x86_64                      1.0.4-4                installed
pam_pkcs11.i386                          0.5.3-25               installed
pam_pkcs11.x86_64                        0.5.3-25               installed
pam_smb.x86_64                           1.1.7-7.2.2            installed
pam_smb.i386                             1.1.7-7.2.2            installed
PAM packages available:
Code:
[root@client ~]# yum list available | grep pam
gnome-keyring-pam.i386                   2.20.2-1.fc8           updates
mod_auth_pam.x86_64                      1.1.1-5.fc8            fedora
pam_abl.i386                             0.2.3-3.fc7            fedora
pam_abl.x86_64                           0.2.3-3.fc7            fedora
pam_fprint.i386                          0.2-2.fc8              updates
pam_fprint.x86_64                        0.2-2.fc8              updates
pam_keyring.i386                         0.0.9-1.fc8            fedora
pam_keyring.x86_64                       0.0.9-1.fc8            fedora
pam_mount.x86_64                         0.18-2.fc8             fedora
pam_mount.i386                           0.18-2.fc8             fedora
pam_ssh.i386                             1.92-6.fc8             updates
pam_ssh.x86_64                           1.92-6.fc8             updates
torque-pam.x86_64                        2.1.10-1.fc8           updates
torque-pam.i386                          2.1.10-1.fc8           updates
NIS/YP installation:
Code:
[root@client ~]# yum list installed | grep yp
yp-tools.x86_64                          2.9-2                  installed
ypbind.x86_64                            3:1.20.4-2.fc8         installed

Last edited by whysyn; 01-21-2008 at 08:39 AM.
 
Old 01-22-2008, 09:32 AM   #7
unSpawn
It's weird since you say everything else works.
Does /etc/pam.d/vmware-authd pam_unix support the "audit" tag? Should be more informative compared to "debug".
You've shown vmserver log, what do system logs say wrt PAM? By any chance anything wrt SELinux in any logs?
 
Old 01-22-2008, 09:51 AM   #8
whysyn
SELinux is running in permissive mode.

I will look at all updated logs and post relevant lines from another test login. To be sure, which /etc/pam.d/vmware_authd file should I try? The original? My hacked up two liner with pam_unix (substituting audit for debug, of course)? Something else?

Thanks again for all your help! I've gotten nary a response on the VMWare community boards...
 
Old 01-22-2008, 10:12 AM   #9
whysyn
Using this in /etc/pam.d/vmware_authd:
Code:
#%PAM-1.0
auth       required         pam_unix.so nis nullok audit
account    required         pam_unix.so nis nullok try_first_pass audit
Causes the following logs:
/var/log/vmware/vmware-serverd.log
Code:
Jan 22 10:55:03: app| New connection on socket server-vmdb from host hostname.hmon.net (ip address: 127.0.0.1) , user: foouser
Jan 22 10:55:03: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:03: app| SP: New user session for user: foouser, pos: 2
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| The vm-list file has changed! Reloading the list of registered vms
Jan 22 10:55:11: app| SP: Retrieved username: foouser
Jan 22 10:55:11: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:11: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:13: app| SP: Retrieved username: foouser
Jan 22 10:55:13: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:13: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:14: app| SP: Retrieved username: foouser
Jan 22 10:55:14: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:14: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:15: app| SP: Retrieved username: foouser
Jan 22 10:55:15: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:15: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:17: app| SP: Retrieved username: foouser
Jan 22 10:55:17: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:17: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:18: app| SP: Retrieved username: foouser
Jan 22 10:55:18: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:18: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:19: app| SP: Rejecting command base on path: : 2
/var/log/messages:
Code:
Jan 22 10:55:01 hostname xinetd[7835]: START: vmware-authd pid=13271 from=127.0.0.1
Jan 22 10:55:03 hostname xinetd[7835]: EXIT: vmware-authd status=0 pid=13271 duration=3(sec)
/var/log/audit/audit.log:
Code:
type=USER_AUTH msg=audit(1200999303.691:77655): user pid=13271 uid=0 auid=4294967295 subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=foouser exe="/usr/sbin/vmware-authd" (hostname=?, addr=?, terminal=? res=success)'
type=USER_ACCT msg=audit(1200999303.692:77656): user pid=13271 uid=0 auid=4294967295 subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=foouser exe="/usr/sbin/vmware-authd" (hostname=?, addr=?, terminal=? res=success)'
type=CRED_ACQ msg=audit(1200999303.692:77657): user pid=13271 uid=0 auid=4294967295 subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=foouser exe="/usr/sbin/vmware-authd" (hostname=?, addr=?, terminal=? res=success)'
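The audit.log records above show the PAM side (authentication, accounting, setcred) returning res=success for foouser, while vmware-serverd keeps logging "Failed to get password entry for : foouser. Reason: Success". As an added illustration (not code from this thread or from VMware), the C program below shows where that odd "Reason: Success" wording comes from and asks the same question the daemon is asking. getpwnam(3) returns NULL both when the name is absent and when the lookup itself fails, and the man page explicitly allows errno to remain 0 (or become ENOENT/ESRCH) in the not-found case, so a program that simply prints strerror(errno) after a NULL return reports "Success". The example zeroes errno before the call, resolves the name through the normal NSS path (nsswitch.conf, the same route getent(1), login and sshd use), and separates "no such user" from a genuine lookup error. The function names lookup_user and classify_pw_result and the usernames passed on the command line are this example's own.

```c
/* Added example (not from the thread or from VMware): classify getpwnam() outcomes.
 * "Failed to get password entry ... Reason: Success" is what you get when code prints
 * strerror(errno) after getpwnam() returned NULL without having zeroed errno first:
 * for a name that is simply absent from the passwd database (local files plus whatever
 * nsswitch.conf adds, e.g. "nis"), errno may legitimately stay 0. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum lookup_status { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* Pure classification of a getpwnam() outcome: the returned pointer plus the errno
 * value observed right after the call (errno having been set to 0 before it).
 * getpwnam(3) lists 0, ENOENT and ESRCH as "entry not found"; anything else is an
 * actual failure of the lookup machinery (I/O error, out of memory, ...). */
enum lookup_status classify_pw_result(const struct passwd *pw, int err_after_call)
{
    if (pw != NULL)
        return LOOKUP_FOUND;
    if (err_after_call == 0 || err_after_call == ENOENT || err_after_call == ESRCH)
        return LOOKUP_NOT_FOUND;
    return LOOKUP_ERROR;
}

/* Resolve a name through NSS, the same path used by getent(1), login, sshd etc.
 * On return *err_out (if non-NULL) holds the errno value seen after the call. */
enum lookup_status lookup_user(const char *name, int *err_out)
{
    errno = 0;                       /* required: "not found" need not touch errno */
    struct passwd *pw = getpwnam(name);
    int err = errno;
    if (err_out)
        *err_out = err;
    return classify_pw_result(pw, err);
}

static const char *status_text(enum lookup_status s)
{
    switch (s) {
    case LOOKUP_FOUND:     return "found via NSS";
    case LOOKUP_NOT_FOUND: return "not found (a naive strerror(errno) here would print \"Success\")";
    default:               return "lookup error";
    }
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s username...\n", argv[0]);
        return 2;
    }
    for (int i = 1; i < argc; i++) {
        int err;
        enum lookup_status s = lookup_user(argv[i], &err);
        printf("%s: %s", argv[i], status_text(s));
        if (s == LOOKUP_ERROR)
            printf(" (%s)", strerror(err));
        putchar('\n');
    }
    return 0;
}
```

Run it on the VMware client as the user vmware-authd runs under (the audit records above show uid=0) with one NIS account and one local account as arguments. If the NIS name resolves here while the daemon still logs the failure, the problem sits in the daemon's own user lookup rather than in the PAM stack, which is consistent with the audit log showing every PAM stage succeeding; if the NIS name does not resolve here either, the client's nsswitch.conf and ypbind are the place to look before touching /etc/pam.d/vmware_authd again.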
 
Old 01-22-2008, 10:14 AM   #10
unSpawn
Quote:
Originally Posted by whysyn
SELinux is running in permissive mode.
Was worth a try ;-p


Quote:
Originally Posted by whysyn
I will look at all updated logs and post relevant lines from another test login.
Reference material is always nice.


Quote:
Originally Posted by whysyn
To be sure, which /etc/pam.d/vmware_authd file should I try? The original? My hacked up two liner with pam_unix (substituting audit for debug, of course)?
I'd use your hacked up one, after all you only need one of auth and account to test with.


Quote:
Originally Posted by whysyn
Thanks again for all your help! I've gotten nary a response on the VMWare community boards...
Yeah, I saw that. And *they're* the ones that should know about everything VMware.


One other thing I'm thinking of is maybe run tcpdump or Wireshark as well during trials. See if anything does send or receive NIS packets when you try the PAM vmware_authd service.
 
Old 01-22-2008, 11:39 AM   #11
whysyn
(You probably didn't get a notification on my post because you were replying while I typed it... just in case *BUMP*)
 
Old 01-23-2008, 06:37 PM   #12
unSpawn
I'm subscribed to this thread so I should see it, NP. Let's try something completely different. Could you please change your PAM stack to auth against a working local unprivileged user account instead and see if you can get auth'ed?
 
Old 01-24-2008, 09:00 AM   #13
whysyn
I'll be on site tonight (been working remotely all week so far).

I planned to set up a fresh server and test a fresh VMWare install without NIS. I'll post results tonight.
 
Old 01-27-2008, 08:09 AM   #14
unSpawn
Any results so far?
 
Old 02-07-2008, 01:36 PM   #15
whysyn
Sorry for the delay... I had the baby, my wife, then myself sick.

When authenticating against a local account, using the default /etc/pam.d/vmware_authd, everything works fine.

At this point we're in production on three servers and are manually keeping the user accounts matched. I'll have to get my hands on a spare box to try more troubleshooting with NIS.
 
  

