Package: libpam-ccreds
Version: 10-5
Severity: important

Hi there!
With the default sid configuration, pam_ccreds.so fails to authenticate (at least) LDAP users with the following message:

=====
luca@gismo:~$ su luca.capello
Password:
You have been logged on using cached credentials.
su: Authentication failure
luca@gismo:~$
=====

The problem is the pam_deny.so entry in /etc/pam.d/common-account (attached): as the comment states, "the default is to only deny service to users whose accounts are expired in /etc/shadow". Obviously, LDAP users are not in /etc/shadow and the LDAP server cannot be contacted, thus the failure.

FYI, this situation has already been reported in Ubuntu:

  <https://bugs.launchpad.net/ubuntu/+source/libpam-ccreds/+bug/294977>

The only solution I found is to disable the pam_deny.so entry, but I agree with Nick Piggott (X-Debbugs-Cc:ed) about the optimal solution:

  A better solution would be to implement the account method for
  pam_ccreds, which would allow differentiation between a machine
  that's online but unable to reach the LDAP server, versus a machine
  that's genuinely offline and relying on cached credentials.

Please note that per se this bug is not IMHO in libpam-ccreds, so feel free to either reassign it to libpam-modules or, probably better, to downgrade it to wishlist for the account method implementation.

Thx, bye,
Gismo / Luca

-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (990, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.37-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-ccreds depends on:
ii  libc6        2.11.2-13  Embedded GNU C Library: Shared lib
ii  libdb4.8     4.8.30-5   Berkeley v4.8 Database Libraries [
ii  libgcrypt11  1.4.6-5    LGPL Crypto library - runtime libr
ii  libpam0g     1.1.2-2    Pluggable Authentication Modules l

libpam-ccreds recommends no packages.

Versions of packages libpam-ccreds suggests:
pn  nss-updatedb  <none>  (no description available)

-- no debconf information
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.
#
# here are the per-package modules (the "Primary" block)
account	[success=1 new_authtok_reqd=done default=ignore]	pam_unix.so 
# here's the fallback if no module succeeds
account	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
account	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
account	[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]	pam_ldap.so minimum_uid=1000
# end of pam-auth-update config
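To see exactly why the attached stack rejects an LDAP user while the directory is unreachable, here is a small model of Linux-PAM's account-stack evaluation run over those four lines (an added example, not part of the bug report or of libpam-ccreds). The per-module return values in each scenario are constructed assumptions: pam_unix reporting user_unknown when NSS cannot resolve the LDAP account, pam_deny always failing, pam_ldap reporting authinfo_unavail when the server is down.

```python
# Added example (not from the bug report): a small model of how Linux-PAM
# evaluates an "account" stack, used to trace the attached common-account.
# The module return values per scenario are constructed assumptions.
# The four lines of the attached file, with requisite/required expanded to
# the [value=action] form Linux-PAM uses internally.
COMMON_ACCOUNT = [
    ("pam_unix",   {"success": 1, "new_authtok_reqd": "done", "default": "ignore"}),
    ("pam_deny",   {"success": "ok", "default": "die"}),   # requisite
    ("pam_permit", {"success": "ok", "default": "bad"}),   # required
    ("pam_ldap",   {"success": "ok", "new_authtok_reqd": "done", "ignore": "ignore",
                    "user_unknown": "ignore", "authinfo_unavail": "ignore",
                    "default": "bad"}),
]

def run_stack(stack, outcomes):
    """Evaluate a PAM stack; outcomes maps module name -> return value.
    Returns "success" or the failure code the stack reports. If no module
    set anything the result is perm_denied, hence the pam_permit line."""
    status, failed, i = None, False, 0
    while i < len(stack):
        module, ctrl = stack[i]
        ret = outcomes[module]
        action = ctrl.get(ret, ctrl["default"])
        skip = 0
        if isinstance(action, int):       # N: behaves like "ok", then skips N modules
            skip, action = action, "ok"
        if action in ("ok", "done") and not failed:
            status, failed = ret, ret != "success"
        elif action in ("bad", "die") and not failed:
            status, failed = ret, True    # the first failure fixes the result
        if action in ("die", "done"):     # terminate the stack right away (simplified)
            break
        i += 1 + skip
    return status if status is not None else "perm_denied"

# Directory unreachable: NSS cannot resolve the LDAP account, so pam_unix
# reports user_unknown; pam_deny always fails (acct_expired for account).
LDAP_USER_OFFLINE = {"pam_unix": "user_unknown", "pam_deny": "acct_expired",
                     "pam_permit": "success", "pam_ldap": "authinfo_unavail"}
LOCAL_USER_OFFLINE = dict(LDAP_USER_OFFLINE, pam_unix="success")

def ldap_user_offline():
    return run_stack(COMMON_ACCOUNT, LDAP_USER_OFFLINE)
def local_user_offline():
    return run_stack(COMMON_ACCOUNT, LOCAL_USER_OFFLINE)
def ldap_user_offline_without_deny():    # the reporter's workaround
    return run_stack([m for m in COMMON_ACCOUNT if m[0] != "pam_deny"], LDAP_USER_OFFLINE)

if __name__ == "__main__":
    print(ldap_user_offline(), local_user_offline(), ldap_user_offline_without_deny())
```

The trace shows the mechanism: a local user's pam_unix success jumps over pam_deny, an unresolvable LDAP user is ignored by pam_unix and so lands on the requisite pam_deny, and dropping that line lets pam_permit prime the stack so pam_ldap's authinfo_unavail is ignored.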