[Pkg-shadow-devel] Before filing a bug I need some clarifications...
Marco Gaiarin
gaio@sv.lnf.it
Tue, 14 Jun 2005 12:13:23 +0200
[to the ssh and login maintainers]

I've just set up a new sarge server, a samba fileserver with an ldap
backend.

After configuring pam_ldap and adding ldap support in the *-common files,
e.g.:

    auth sufficient pam_ldap.so
    auth required pam_unix.so nullok_secure use_first_pass

to be able to log in with an ldap account *but* keep the ability to log
in with a ``fallback'' unix account (root, mine and some staff accounts),
I've noticed that the ``welcome screen'' was very different.

The problem is that if a ``sufficient'' stanza matches, all subsequent
stanzas in the same level are simply discarded.

I've noted that in /etc/pam.d/ssh (but also login and su, so the CC)
the calls to include *-common are sometimes before other calls to pam
modules in the same level:

    # Disallow non-root logins when /etc/nologin exists.
    auth required pam_nologin.so
    # Read environment variables from /etc/environment and
    # /etc/security/pam_env.conf.
    auth required pam_env.so # [1]
    # Standard Un*x authentication.
    @include common-auth
    # Standard Un*x authorization.
    @include common-account
    # Standard Un*x session setup and teardown.
    @include common-session
    # Print the message of the day upon successful login.
    session optional pam_motd.so # [1]
    # Print the status of the user's mailbox upon successful login.
    session optional pam_mail.so standard noenv # [1]
    # Set up user limits from /etc/security/limits.conf.
    session required pam_limits.so
    # Standard Un*x password updating.
    @include common-password

With this setup pam_motd.so, pam_mail.so and pam_limits.so are simply
not called at all. ;(

I've moved ``@include common-session'' after all the session stanzas,
and I've got back the ``normal'' motd and ``you have new mail'' login.

AFAIK using sufficient is the only way to achieve different auth sources
while preserving a ``fallback'', but it could also be that I'm wrong.
If so, please explain to me the right way. ;)

PS: Hem... I've found and read:

    /usr/share/doc/libpam-ldap/README.Debian

please, ignore this mail... or at least state this in some config
file, so dumb people like me can read. ;(

--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
gaio(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
Please help the United States save itself from software patents,
by saving yourselves first of all.
http://punto-informatico.it/p.asp?i=52786&p=2
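
The stack behaviour described in the mail above, as an added example that is not part of the original message and not Debian's or Linux-PAM's code: a simplified Python model of how one PAM stack is walked once `@include` lines are inlined. The contents of `common-session` are an assumption that mirrors the auth lines quoted in the mail, and `ssh-reordered`, `ldap_user` and `local_user` are hypothetical names.

```python
# Simplified model of walking one PAM stack (added example, not Linux-PAM code).
# Assumption: common-session mirrors the auth stanzas quoted in the mail.
FILES = {
    "common-session": """
session sufficient pam_ldap.so
session required   pam_unix.so
""",
    "ssh": """
@include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
""",
    "ssh-reordered": """
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
@include common-session
""",
}

def expand(name, mtype):
    """Inline @include files and keep only the stanzas of one management group."""
    stack = []
    for line in FILES[name].splitlines():
        fields = line.split("#")[0].split()
        if not fields:
            continue
        if fields[0] == "@include":
            stack += expand(fields[1], mtype)
        elif fields[0] == mtype:
            stack.append((fields[1], fields[2]))
    return stack

def run_stack(name, mtype, succeeds):
    """Return (modules actually called, overall success) for one stack."""
    called, failed = [], False
    for control, module in expand(name, mtype):
        called.append(module)
        ok = succeeds(module)
        if control == "sufficient" and ok and not failed:
            return called, True      # stack ends here; later stanzas never run
        if control == "requisite" and not ok:
            return called, False
        if control == "required" and not ok:
            failed = True
    return called, not failed

ldap_user = lambda module: True                      # constructed: LDAP account
local_user = lambda module: module != "pam_ldap.so"  # constructed: local-only account
```

For the LDAP account the original order stops at pam_ldap.so, so the `required` pam_limits.so is never applied to that session; with `@include common-session` moved last, all three session modules run before the `sufficient` stanza can end the stack.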