Ubuntu
libpam-ccreds package

pam-auth-update creates a 'common-account' that fails with cached logins

Bug #799605 reported by Nick Piggott
26
This bug affects 4 people
Affects Status Importance Assigned to Milestone
libpam-ccreds (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Running Ubuntu 11.04 on a Dell Mini 1018 Netbook

On a system running LDAP, Kerberos and Cached Credentials, pam-auth-update creates a 'common-account' file that will always fail if the machine uses cached credentials (presumably because it's offline).

The relevant lines from the common-account file:

# here are the per-package modules (the "Primary" block)
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
account required pam_krb5.so minimum_uid=1000
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
# end of pam-auth-update config

This will always fail if the machine is off-line, because pam_unix.so will fail and cause the module to end with the next line which makes pam_deny.so a requisite.

As a patch, I have commented out all of common-account except the line requiring pam_permit.so, but this is unsatisfactory.

Two solutions could be proposed:
* Write a common-account file that will pass if all the component modules fail due to the user or the service being absent. That is - only fail if it is explicitly required to fail, rather than failing if pam_unix.so fails because the user is in ldap or cached.
* Implement a (dummy?) "account" method in pam_ccreds and add that into the relevant profile for cached credentials in pam_auth_update

See original description
Nick Piggott (nick-piggott)
description: updated
Revision history for this message
Steve Langasek (vorlon) wrote :

> * Implement a (dummy?) "account" method in pam_ccreds and add that into the
> relevant profile for cached credentials in pam_auth_update

That's what needs to happen here. pam_unix has no way of knowing why the user's shadow entry is missing; and arguably this is a bug in your NSS setup anyway rather than anything to do with PAM, because NSS should be cached as well for offline use.

affects: pam (Ubuntu) → libpam-ccreds (Ubuntu)
Changed in libpam-ccreds (Ubuntu):
status: New → Incomplete
status: Incomplete → New
Revision history for this message
Nick Piggott (nick-piggott) wrote :

I agree that cached shadow would enable pam_unix to operate correctly.

As far as I'm aware, nss_updatedb does not support local caching of shadow, only passwd and group, and the db option can't be used on the shadow entry (only files and ldap) in nsswitch.conf. I presume that's because of security implications?

The absence of cached shadow would rule out using pam_unix at this stage.

It looks like your preferred option is to add "account" method support to pam_ccreds, and the presumably amend pam-auth-update to include that in the module processing.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in libpam-ccreds (Ubuntu):
status: New → Confirmed
Revision history for this message
uwe (maabdulhaq) wrote :

I've also got it to work by commenting out the line:

account requisite pam_deny.so

in common-account

This is also not satisfactory i guess; it will never deny, right?

Revision history for this message
Nick Piggott (nick-piggott) wrote :

I've subsequently implemented a slightly more elegant solution:

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

This works. There are more useful options in the pam_ldap.so module, but I can't get them to behave properly and I am not a PAM guru. I'm a bit fed up of locking myself out of my own system.

pam-auth-update needs an update.

Revision history for this message
Nick Piggott (nick-piggott) wrote :

** PLEASE IGNORE THE ABOVE COMMENT **
It's the wrong common-account.

This is the correct one:

# here are the per-package modules (the "Primary" block)
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
account [success=1 authinfo_unavail=1 default=ignore] pam_ldap.so
# here's the fallback if no module succeeds
account requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config

The critical section is "authinfo_unavail=1" in the pam_ldap.so line, which causes the module to pass if LDAP is absent.

Revision history for this message
uwe (maabdulhaq) wrote :

i second #6 , the recipe here http://ubuntuforums.org/showthread.php?t=1708785 works for me too, the critical section is also as mentioned authinfo_unavail=1 . fixing this will boost ubuntu linux usage in network environment with central auth !

Revision history for this message
uwe (maabdulhaq) wrote :

So, what can fix this bug? does pam-update-auth have a mechanism to make complix or mutually exclusive selections?

If not, either such a capability is to be impleneted; or a package for ldap+ccreds is created and user will have to manaully select it from the menu of pam-update-auth. is there other options?

Revision history for this message
yahia reda abdulqawi (yahiareda0) wrote :

a file that can be placed in /usr/share/pam-configs that will create another choice in pam-update-auth to use ldap in conjunction with ccreds is attached.

should it be included in ccreds package for example? or is there a totally different and/or better approach?

Revision history for this message
uwe (maabdulhaq) wrote :

the ldap-with-ccreds should include a line after priority saying:

Conflicts: ldap

as it does not stack over ldap, but actually is a slight modification of it, unless there is a cleaner way to actually modify ldap pam defs when used in conjunctions with ccreds.

my guess this https://wiki.ubuntu.com/PAMConfigFrameworkSpec is relevant.

uwe

Revision history for this message
uwe (maabdulhaq) wrote :

Modified version of the ldap-with-ccreds

Revision history for this message
Reinhard Mayr (czerwinski1977) wrote :

This helped me on 16.04: http://kennywest.blogspot.co.at/2007/04/pamccreds-howto.html

>> QUOTE
Update /etc/pam.d/common-auth:

auth sufficient pam_unix.so
auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store use_first_pass
auth [default=done] pam_ccreds.so action=update use_first_pass

Update /etc/pam.d/common-account:

account sufficient pam_unix.so nullok_secure
account sufficient pam_ldap.so
account required pam_permit.so
<< QUOTE

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.