su not giving proper message for restricted LDAP groups
Forum: Linux - Newbie (LinuxQuestions.org)
Now, only these LDAP group members can log in to the system.
However, when I try su from any of these authorised users, it asks for a password, and even though I enter the correct password it gives a message like "Incorrect password" and the login fails.
/var/log/secure shows that the user does not have permission to get access, but then it should print a message like "Access denied", the way it does for console login.
My functionality is working, but it is not giving proper messages. Could anyone please help with this?
My /etc/pam.d/su file,
Code:
[root@test root]# cat /etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so
Several different pieces are in play here. Being that you can at least login using an LDAP account, I'd venture a guess that the LDAP server is at least configured correctly. We'll also need to see your system-auth file to see what it's doing. Then it may be off to other places as well.
One thing you might want to do is restart the LDAP server from the command line in debug mode and watch what happens when you run the su command. That will probably provide the most information. You might start with -1 (produces a LOT of output) and back off from there. Sometimes 256 is a good value as well, as it only displays operations and not much else.
I don't see anything the matter there, but get your database cleaned up (see my reply to your group lookup problem) and then see what works and what doesn't.
What I have observed is that when I try su for unauthorized users, it gives an access denied message in /var/log/secure:
Code:
Oct 16 06:50:12 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 16 06:50:47 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
However, I guess this should be printed only when I try su with user kalpana.
Is there any way to handle messages before login for LDAP users through the PAM files?
Hmm. It was late last night and I was thinking sudo, not su.
The su command works like this: If you type the target user's password, then su will authorize you for that id and either run the command you specified after -c or present you with a shell prompt. If you don't know the password, then it simply says "Sorry" and returns you to your original shell prompt. You'll also see a message in the log like the one you showed above.
The apparent exceptions in /etc/pam.d/su, but commented out in your example, are for members of group "wheel". One will implicitly trust members of that group, and the other will require that a user be a member of that group in order to succeed, even if the correct password is entered. Since they are commented out, neither of those cases will apply.
Is su behaving this way for both local and LDAP users? (maybe show the output so we can understand better if this is not the case)
Now I have added a local user named tester. This user is also denied access, using the PAM configuration above.
Code:
[skimeer@test root]$ su tester
Password:
su: incorrect password
[skimeer@test root]$
Log (/var/log/secure) shows,
Code:
Oct 17 13:21:30 localhost useradd[32237]: new group: name=tester, GID=10126
Oct 17 13:21:30 localhost useradd[32237]: new user: name=tester, UID=10126, GID=10126, home=/home/tester, shell=/bin/bash
Oct 17 13:21:45 localhost passwd: pam_unix(passwd:chauthtok): password changed for tester
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_limits(su:session): unknown limit item 'nofiles'
Oct 17 13:21:55 localhost su: pam_unix(su:session): session opened for user svaidya by root(uid=0)
Oct 17 13:22:04 localhost su: pam_access(su:account): access denied for user `tester' from `pts/3'
Hence there is no difference between LDAP users and local users. I guess there is something we can play around with in the su configuration to modify these messages, mainly something for pam_access.
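The thread's log excerpts show the distinction that matters for triage: a pam_access line from the account phase means the password was accepted and the group/host rule rejected the user, whereas a pam_unix auth-phase failure means the password was wrong. The following script is an added example (not posted by anyone in the thread) that parses /var/log/secure lines of both kinds and reports, per target user, which of the two happened. The sample log is constructed from the lines quoted above plus one made-up pam_unix "authentication failure" line for a user named bogus; the layout of that auth-failure line and the field names it uses are assumptions about the pam_unix log format.

```python
"""Triage su events in /var/log/secure: separate pam_access account-phase
denials (password accepted, access rule rejected) from genuine
authentication failures (wrong password)."""
import re
from collections import Counter

# Constructed sample log. The pam_access and session lines mirror the thread's
# excerpts; the pam_unix auth-failure line for user "bogus" is made up here
# and its field layout is an assumption about pam_unix logging.
SAMPLE_LOG = """\
Oct 16 06:50:12 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 16 06:50:47 localhost su: pam_access(su:account): access denied for user `kalpana' from `pts/4'
Oct 17 13:21:30 localhost useradd[32237]: new group: name=tester, GID=10126
Oct 17 13:21:55 localhost su: pam_unix(su:session): session opened for user svaidya by root(uid=0)
Oct 17 13:22:04 localhost su: pam_access(su:account): access denied for user `tester' from `pts/3'
Oct 17 13:25:10 localhost su: pam_unix(su:auth): authentication failure; logname=skimeer uid=500 euid=0 tty=pts/3 ruser=skimeer rhost=  user=bogus
"""

# Syslog timestamp prefix shared by every pattern.
TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"

# Account phase: pam_access rejected the user after the password was accepted.
ACCESS_DENIED_RE = re.compile(
    TS + r" \S+ (?P<service>\w+): pam_access\(\w+:account\): "
    r"access denied for user `(?P<user>[^']+)' from `(?P<tty>[^']+)'"
)
# Auth phase: pam_unix could not verify the password.
AUTH_FAIL_RE = re.compile(
    TS + r" \S+ (?P<service>\w+): pam_unix\(\w+:auth\): authentication failure;"
    r".*?\btty=(?P<tty>\S+).*?\buser=(?P<user>\S+)"
)
# Session phase: su succeeded and a session was opened.
SESSION_RE = re.compile(
    TS + r" \S+ (?P<service>\w+): pam_unix\(\w+:session\): "
    r"session opened for user (?P<user>\S+) by (?P<by>\S+)"
)

def classify(line):
    """Return (kind, fields) for a recognised PAM line, or None otherwise."""
    for kind, rx in (("account_denied", ACCESS_DENIED_RE),
                     ("auth_failed", AUTH_FAIL_RE),
                     ("session_opened", SESSION_RE)):
        m = rx.match(line)
        if m:
            return kind, m.groupdict()
    return None

def summarize(log_text):
    """Count events of each kind, keyed by (user, tty) or (user, opened-by)."""
    counts = {"account_denied": Counter(),
              "auth_failed": Counter(),
              "session_opened": Counter()}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, f = hit
        key = (f["user"], f["tty"] if "tty" in f else f["by"])
        counts[kind][key] += 1
    return counts

def diagnose(log_text):
    """Per target user, say whether su failed on the password or on pam_access."""
    counts = summarize(log_text)
    denied = {user for user, _ in counts["account_denied"]}
    failed = {user for user, _ in counts["auth_failed"]}
    verdict = {}
    for user in denied | failed:
        if user in denied and user not in failed:
            verdict[user] = "password accepted, denied by pam_access (account phase)"
        elif user in failed and user not in denied:
            verdict[user] = "wrong password (auth phase)"
        else:
            verdict[user] = "both wrong-password attempts and pam_access denials"
    return verdict

if __name__ == "__main__":
    for user, why in sorted(diagnose(SAMPLE_LOG).items()):
        print(f"{user}: {why}")
```

Running it on the sample reports kalpana and tester as "password accepted, denied by pam_access", which is exactly the case the thread describes: su prints "incorrect password" to the terminal even though the account phase, not the auth phase, is what rejected the user. On a real host, read /var/log/secure in place of SAMPLE_LOG.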