Linux Authenticating against Windows 2003 Server: su error
Let's start with the setup:
box1: Red Hat 5.2
box2: Windows 2003 SP2 (NOT Windows 2003 R2)
root: local linux account
testuser: Windows AD Account
testuser2: Windows AD Account

I have set up authentication using ldap/kerberos so that I can authenticate users against my Windows Domain Server. I can ssh and login to the box as either testuser, testuser2 or root. If I login as root first I can su - testuser and that works too.

If I ssh to the box and login as testuser and then try to "su - " I get the following error:

su: pam_krb5[19014]: authentication fails for 'root' (root@DOMAIN.COM): User not known to the underlying authentication module (Client not found in Kerberos database)

If I try to su to another AD account (ex. testuser2), I get a password failed (su: incorrect password). I do not see any errors in the secure log file. In the messages log file I see the following:

Apr 2 17:25:09 hugorhel5 pcscd: winscard.c:304:SCardConnect() Reader E-Gate 0 0 Not Found
Apr 2 17:25:09 hugorhel5 last message repeated 3 times
Apr 2 17:25:09 hugorhel5 su: pam_krb5[19538]: authentication succeeds for 'testuser2' (testuser2@DOMAIN.COM)

In /var/log/audit/audit.log I see the following error too:

type=USER_AUTH msg=audit(1238714712.015:296): user pid=19538 uid=10000 auid=0 subj=root:system_r:unconfined_t:s0-s0:c0.c1023 msg='PAM: authentication acct="testuser2" : exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 res=failed)'

I have not touched my PAM configuration. I used the GUI to enable ldap and kerberos authentication and thus my nsswitch.conf file looks like:

passwd: files ldap
shadow: files ldap
group: files ldap

So at the end of the day I can only login directly as a user but I cannot su to any other user if I am a user in AD. Any suggestions or ideas?
Hmm, so essentially you aren't able to authenticate to local accounts via su? Have you possibly tried a noddy local account as another combination of factors? I think that this has to be PAM related, and initially I'd think it should be something in the /etc/pam.d/su file, as it also seems su specific so far, and su appears to be directly hitting krb5, bypassing pam_unix. Having said that though I can't see why that should be able to be incorrect, as it should be going via system-auth for generic authentication. What does the pam su file say?
If you think PAM is hitting the krb authentication module and not hitting the pam_unix, why is it possible to su from a local account to a local account? Also, why is it NOT possible to su from an AD account to an AD account?
Thanks
Well, PAM uses a central system-auth file in conjunction with specific configuration for each service via an include or the stack module. So the config is partially common, partially specific. So what does /etc/pam.d/su say?
If I login as a local user, I can su to any other local account fine and su to an ldap user (and then the fun stops). Once I get into an ldap user I can't su anymore.
My system-auth file looks like this:

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_krb5.so use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
session optional pam_ldap.so

My su file looks like this:

auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth include system-auth
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session optional pam_xauth.so

Any ideas? It seems like it should use system-auth.
I figured it out, it was the PAM su module that was modified without me knowing. Thanks for your help and guidance.
I presume it was the wheel line? Sorry, I didn't get a chance to think about this today.
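The su and system-auth stacks posted above, and the wheel line the last reply points at, as an added example that is not code from the thread: a small Python walk of the su auth stack (with assumed per-module outcomes and constructed caller/target contexts) showing why an AD user outside the wheel group is refused even though pam_krb5 logs a success, and why the stock su file without that line lets the same su through.

```python
# Added example, not code from the thread: a simplified Linux-PAM auth-stack walk.
# Stacks are constructed from the quoted files; module outcome rules are assumptions.
SYSTEM_AUTH = """
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_krb5.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
SU_WHEEL_REQUIRED = """
auth sufficient pam_rootok.so
auth required pam_wheel.so use_uid
auth include system-auth
"""
# The stock su file ships with the wheel line commented out.
SU_DEFAULT = SU_WHEEL_REQUIRED.replace("auth required pam_wheel", "#auth required pam_wheel")
FILES = {"system-auth": SYSTEM_AUTH}

def parse_auth(text, files=FILES):  # flatten the auth phase, expanding 'include'
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 3 or fields[0] != "auth": continue
        if fields[1] == "include":
            stack.extend(parse_auth(files[fields[2]], files))
        else:
            stack.append((fields[1], fields[2], fields[3:]))
    return stack
OUTCOME = {  # assumed decision of each module for a (caller, target) context
    "pam_env.so": lambda c, a: True,
    "pam_rootok.so": lambda c, a: c["caller_uid"] == 0,
    "pam_wheel.so": lambda c, a: c["caller_in_wheel"],
    "pam_unix.so": lambda c, a: c["target_local"] and c["password_ok"],
    "pam_succeed_if.so": lambda c, a: c["target_uid"] >= int(a[2]),  # only "uid >= N"
    "pam_krb5.so": lambda c, a: not c["target_local"] and c["password_ok"],
    "pam_ldap.so": lambda c, a: not c["target_local"] and c["password_ok"],
    "pam_deny.so": lambda c, a: False,
}
def su_auth_succeeds(su_text, ctx):
    required_failed = False
    for control, module, args in parse_auth(su_text):
        ok = OUTCOME[module](ctx, args)
        if control == "required" and not ok:
            required_failed = True   # keep walking, but the stack can no longer succeed
        elif control == "requisite" and not ok:
            return False             # abort the stack immediately
        elif control == "sufficient" and ok and not required_failed:
            return True              # short-circuit success
    return not required_failed
```

With the wheel line active, pam_krb5 still runs and reports success for testuser2, but the earlier required failure means su ends with "incorrect password", which matches the logs in the first post.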