Subject: /etc/pam.d/common-account should have pam_permit at the end
Package: libpam-runtime
Version: 1.1.1-3
Severity: important

I believe the default /etc/pam.d/common-account should have a pam_permit
after the "Additional" section (just like with the "Primary").

Without that, if I put pam_ldap in the additional section and it returns
an error (even if it is being ignored) I get an error message on login
for non-LDAP accounts:

  # su -s /bin/sh - backup
  su: Permission denied
  (Ignored)
  $

I now have this pam_ldap line in the "Additional" section in
/etc/pam.d/common-account:

  account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000

The error code from pam_ldap is ignored for the calculation of the
result of the stack but the last error code is still returned to the
application.

A better solution IMHO is to not differentiate between the "Primary" and
"Additional" sections for account (see #583492 for that) but this at
least will allow me to move pam_ldap to additional.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.34-1-686 (SMP w/2 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-runtime depends on:
ii  debconf         1.5.32   Debian configuration management sy
ii  libpam-modules  1.1.1-3  Pluggable Authentication Modules f

libpam-runtime recommends no packages.

libpam-runtime suggests no packages.

-- debconf information:
  libpam-runtime/override: false
  libpam-runtime/conflicts:
  libpam-runtime/no_profiles_chosen:
* libpam-runtime/profiles: unix, ldap, gnome-keyring, consolekit
  libpam-runtime/you-had-no-auth:

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --