LinuxQuestions.org

Thread: https://www.linuxquestions.org/questions/linux-desktop-74/can-ssh-to-ldap-client-workstation-running-centos-6-3-but-cannot-su-on-workstation-4175429174/

scott.anderson 09-26-2012 03:58 PM

Can ssh to LDAP client workstation running CentOS 6.3 but cannot "su" on workstation
 
I have an LDAP server (RHEL 6.3) and about two dozen "client" workstations. Most are running CentOS 6.3, but some older ones are running Fedora 14.

I can ssh into the CentOS workstations but once I'm there, I can't "su" to another user. On the Fedora 14 machines, I can do both.

Since both things work on the Fedora 14 machines, I'm assuming that the fault is not with the RHEL server, the network, the firewalls or anything like that. I was looking specifically at PAM.

I spent a lot of time digging around here, since I felt like, with a running machine, I should be able to determine the differences and fix them, but I ultimately failed. I've written a blog entry about the whole investigation here:
https://blogs.wellesley.edu/cssysadm...entos-clients/

The very short version is something like this:

On the Fedora machine:
/etc/pam.d/su uses /etc/pam.d/system-auth which uses pam_ldap.so
/etc/pam.d/sshd uses /etc/pam.d/password-auth which uses pam_ldap.so
/etc/nsswitch.conf has passwd: files sss
/etc/openldap/ldap.conf is configured and ldapsearch works
/etc/sssd/sssd.conf is configured

On the CentOS machine:
/etc/pam.d/su uses /etc/pam.d/system-auth which uses pam_sss.so
/etc/pam.d/sshd uses /etc/pam.d/password-auth which uses pam_ldap.so
/etc/nsswitch.conf has passwd: files sss
/etc/openldap/ldap.conf is configured and ldapsearch works
/etc/sssd/sssd.conf is configured

I dumped all the configuration information using authconfig --savebackup on both machines and did a "diff -r" on those directories. The only seemingly-important difference I could find was in pam_sss.so versus pam_ldap.so. Whatever used pam_sss fails.

Strangely, when I did

authconfig --enableldapauth --update

the password-auth changed to pam_sss and so sshd failed as well as su.

All the details, probably more than you want, are in the blog above. This really seems like it should be easily solved, but I can't seem to do it, short of hand-editing files in /etc/pam.d/ and I believe that's supposed to be a no-no.

If I do a (successful) ssh on the CentOS machine, and an (unsuccessful) su on it, here are the /var/log/secure entries:

Sep 26 15:55:23 gibbon sshd[3254]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=gibbon.wellesley.edu user=anderson
Sep 26 15:55:23 gibbon sshd[3254]: Accepted password for anderson from 149.130.136.34 port 60351 ssh2
Sep 26 15:55:23 gibbon sshd[3254]: pam_unix(sshd:session): session opened for user anderson by (uid=0)
Sep 26 15:55:31 gibbon su: pam_unix(su-l:auth): authentication failure; logname=anderson uid=716 euid=0 tty=pts/1 ruser=anderson rhost= user=anderson
Sep 26 15:55:32 gibbon su: pam_sss(su-l:auth): authentication failure; logname=anderson uid=716 euid=0 tty=pts/1 ruser=anderson rhost= user=anderson
Sep 26 15:55:32 gibbon su: pam_sss(su-l:auth): received for user anderson: 4 (System error)
Sep 26 15:55:35 gibbon sshd[3256]: Received disconnect from 149.130.136.34: 11: disconnected by user
Sep 26 15:55:35 gibbon sshd[3254]: pam_unix(sshd:session): session closed for user anderson


Any help or hints?

Thanks!
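
The tracing the post describes (which module each service's auth stack actually reaches, and what the "4 (System error)" in the pam_sss log line means) can be scripted. The script below is an added example, not code from the thread or from the poster's hosts: it follows `include`/`substack` directives from a PAM service file, lists the modules on its `auth` stack, and decodes the numeric code pam_sss logs using the values from libpam's `_pam_types.h` (4 is PAM_SYSTEM_ERR, a backend failure, as opposed to 7, PAM_AUTH_ERR, a rejected password). The `PAMDIR` variable is the script's own; the sample `pam.d` tree it builds is constructed to resemble CentOS 6 authconfig output so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): trace a PAM service's "auth" stack
# through include/substack directives, the way the poster traced
# /etc/pam.d/su -> system-auth -> pam_sss.so, and decode the return code
# that pam_sss logs ("received for user ...: 4 (System error)").
# The pam.d files built by make_sample_pamd are constructed to resemble
# CentOS 6 authconfig output; they are not copied from the poster's hosts.

PAMDIR="${PAMDIR:-/etc/pam.d}"

# pam_auth_stack SERVICE [DEPTH]
# One line per auth module reached from SERVICE: "<file>: <control> <module> <args>".
# The body is a subshell so the recursion does not clobber svc/depth/f.
pam_auth_stack() (
    svc="$1"; depth="${2:-0}"
    [ "$depth" -gt 8 ] && { echo "$svc: include nesting too deep" >&2; return 1; }
    f="$PAMDIR/$svc"
    [ -r "$f" ] || { echo "$svc: cannot read $f" >&2; return 1; }
    # drop comments, keep only the auth facility, then follow include/substack
    sed 's/#.*//' "$f" | awk '$1 == "auth"' |
    while read -r _type ctrl mod rest; do
        case "$ctrl" in
            include|substack) pam_auth_stack "$mod" $((depth + 1)) ;;
            *)                echo "$svc: $ctrl $mod $rest" ;;
        esac
    done
)

# pam_auth_modules SERVICE -> module names in stack order, space separated
pam_auth_modules() {
    pam_auth_stack "$1" | awk '{ printf "%s%s", (NR > 1 ? " " : ""), $3 }'
}

# pam_errname CODE -> symbolic libpam return value (the subset that shows up
# in /var/log/secure). 4 means the module's backend (here sssd) failed,
# which is a different problem from a wrong password (7).
pam_errname() {
    case "$1" in
        0)  echo PAM_SUCCESS ;;
        4)  echo PAM_SYSTEM_ERR ;;
        6)  echo PAM_PERM_DENIED ;;
        7)  echo PAM_AUTH_ERR ;;
        9)  echo PAM_AUTHINFO_UNAVAIL ;;
        10) echo PAM_USER_UNKNOWN ;;
        13) echo PAM_ACCT_EXPIRED ;;
        *)  echo "UNKNOWN($1)" ;;
    esac
}

# Constructed sample pam.d tree in a temp dir (su -> system-auth -> pam_sss,
# sshd -> password-auth -> pam_ldap, as in the post); prints its path.
make_sample_pamd() {
    d=$(mktemp -d)
    printf '%s\n' 'auth sufficient pam_rootok.so' \
                  'auth include   system-auth' > "$d/su"
    printf '%s\n' 'auth required  pam_sepermit.so' \
                  'auth include   password-auth' > "$d/sshd"
    printf '%s\n' 'auth required  pam_env.so' \
                  'auth sufficient pam_unix.so nullok try_first_pass' \
                  'auth requisite pam_succeed_if.so uid >= 500 quiet' \
                  'auth sufficient pam_sss.so use_first_pass' \
                  'auth required  pam_deny.so' > "$d/system-auth"
    sed 's/pam_sss\.so/pam_ldap.so/' "$d/system-auth" > "$d/password-auth"
    echo "$d"
}

# Demo on the constructed tree; set PAMDIR=/etc/pam.d to run it on a real host.
sample=$(make_sample_pamd)
PAMDIR="$sample"
echo "== full auth stack for su"
pam_auth_stack su
echo "su   uses: $(pam_auth_modules su)"
echo "sshd uses: $(pam_auth_modules sshd)"
# The /var/log/secure line quoted in the post, decoded
line='Sep 26 15:55:32 gibbon su: pam_sss(su-l:auth): received for user anderson: 4 (System error)'
code=$(printf '%s\n' "$line" | sed -n 's/.*received for user [^:]*: \([0-9]*\).*/\1/p')
echo "pam_sss returned $code = $(pam_errname "$code")"
rm -rf "$sample"
```

Run with `PAMDIR=/etc/pam.d sh pamtrace.sh` on one of the CentOS hosts to see the real chain; because `sed` reads through symlinks, the `system-auth -> system-auth-ac` indirection that authconfig maintains on RHEL 6 is followed transparently. The decoded code is the useful part of the log excerpt: PAM_SYSTEM_ERR from pam_sss points at the sssd side of the conversation, not at the password.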

btncix 09-26-2012 07:20 PM

shooting in the dark here, but does su work when you are logged in directly to the host instead of through ssh?

scott.anderson 09-27-2012 05:41 PM

Quote:

Originally Posted by btncix (Post 4790202)
shooting in the dark here, but does su work when you are logged in directly to the host instead of through ssh?

Interesting thought. I got to the console today to check, and su does not work then, either. Thanks for the idea. -- Scott

