[Bug 454012] Re: pam-configs prevents root login with pam_unix

Brian J. Murrell brian at interlinx.bc.ca
Sun Oct 18 23:37:12 UTC 2009


On Sun, 2009-10-18 at 18:26 +0000, Steve Langasek wrote:
> On Sun, Oct 18, 2009 at 03:30:21PM -0000, Brian J. Murrell wrote:
> > common-account:
> > account	[success=2 new_authtok_reqd=done default=ignore]	pam_unix.so debug audit
> > account	[success=1 default=ignore]	pam_ldap.so 
> 
> Where's the pam_deny line that was supposed to be here?

Oops.  Yes, I missed it amongst the comments given that I had commented
it out in my debugging.  There is indeed a:

account requisite                       pam_deny.so

in there now, and now it works.  Not sure what even led me down this
path in the first place given the default works just fine.

Probably all of the ccreds messing around I have been doing.

> Your common-account does not match the system-managed file used by
> pam-auth-update.  The jumps are supposed to jump *to* pam_permit, not *over*
> it.

Indeed, and when you jump to a pam_permit *then* followed by the
pam_krb5 which should be ignored, it does indeed make sense in how it
all is supposed to work.

> Sure, because you're skipping the line that's supposed to set the return
> value for the stack (pam_permit).

Indeed.  Clear as day now.

> pam_krb5 doesn't set the return value for
> the stack when called for a non-Kerberos user, it returns PAM_IGNORE; and
> jumps also don't set the return value for the stack.  You have to hit either
> the pam_permit or the (missing) pam_deny line to set the stack's return
> value.

Thanks for the excellent clarification and my apologies for wasting your
time with this.

Now if we could just get pam-auth-update and pam_ccreds working, I
wouldn't have to diddle the files after the fact.

-- 
pam-configs prevents root login with pam_unix
https://bugs.launchpad.net/bugs/454012
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs at lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
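
The stack evaluation discussed in this message, as an added example that is not part of the original e-mail and is not Linux-PAM code: a simplified Python model of how control values decide a stack's result, run over the common-account with and without the pam_deny line. Only the pam_unix, pam_ldap and pam_deny lines come from the thread; the position of pam_deny, the pam_permit and pam_krb5 lines, and the per-module return values are assumptions constructed for illustration.

```python
# Simplified model of Linux-PAM stack dispatch (one facility, no substacks).
SHORTHAND = {
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
}
# First two lines are from the thread; the rest is an assumed, constructed tail.
BROKEN = """\
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so debug audit
account [success=1 default=ignore] pam_ldap.so
# account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so
"""
FIXED = BROKEN.replace("# account requisite", "account requisite")
# Constructed module return values for a local account such as root.
LOCAL_USER = {"pam_unix.so": "success", "pam_ldap.so": "user_unknown",
              "pam_deny.so": "auth_err", "pam_permit.so": "success", "pam_krb5.so": "ignore"}

def parse(line):
    """Split 'account <control> <module> [args]' into (actions, module name)."""
    rest = line.split(None, 1)[1]
    if rest.startswith("["):                      # [value=action ...] form
        ctl, rest = rest[1:].split("]", 1)
        return dict(kv.split("=") for kv in ctl.split()), rest.split()[0]
    word, module = rest.split()[:2]               # keyword form
    return SHORTHAND[word], module

def run_stack(config, results):
    """Return the stack's final result for the given per-module return values."""
    lines = [parse(l) for l in config.splitlines() if l.startswith("account")]
    status, positive, i = "perm_denied", None, 0  # no module has voted yet
    while i < len(lines):
        actions, module = lines[i]
        ret = results[module]
        action = actions.get(ret, actions.get("default", "bad"))
        i += 1
        if action.isdigit():                      # jump: skip N lines, casts no vote
            i += int(action)
        elif action in ("ok", "done"):
            if positive is None or (positive and status == "success"):
                status, positive = ret, True
            if action == "done" and positive:
                break
        elif action in ("bad", "die"):
            if positive is not False:
                status, positive = ("perm_denied" if ret == "ignore" else ret), False
            if action == "die":
                break
    return status if positive or status != "success" else "perm_denied"
```

With pam_deny commented out, `success=2` lands on pam_krb5, no line ever votes, and `run_stack(BROKEN, LOCAL_USER)` ends as a denial; with it restored the same jump lands on pam_permit.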



