>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Leonard Isham
>Sent: Monday, November 21, 2005 2:18 PM
>To: For users of Fedora Core releases
>Subject: Re: Granting su rights to users? Using PAM and Kerberos...
>
>
>On 11/21/05, Daniel B. Thurman <dant@xxxxxxxxx> wrote:
>>
>> Hmm.. I enabled Kerberos and set up pam files to use kerberos
>> authentications, and I also added root principal (root@REALM) but
>> I am still being prevented as a normal user to use 'su'
>>
>> I have been all over google and tried to find a solution but there
>> was none to be found. I did see for BSD that you can use the
>> kdb_edit command to add per user, root permissions but I think
>> that is for Kerberos IV only.
>>
>> I am beginning to wonder if kerberos is even worth it anymore or
>> if it is being replaced with something else like the
>> Directory Service?
>> No one seems to be talking much about kerberos in this newsgroup
>> so it seems.
>>
>> Anyway - can someone please shed some light here so that
>> I can at least su root as a normal user?
>
>Check /etc/pam.d/su
>
>--
>Leonard Isham, CISSP
>Ostendo non ostento.

Is there something I need to look for in /etc/pam.d/su?

/etc/pam.d/su
====================================================
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
account    required     /lib/security/$ISA/pam_stack.so service=system-auth
password   required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session    required     /lib/security/$ISA/pam_selinux.so close
session    required     /lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session    required     /lib/security/$ISA/pam_selinux.so open multiple
session    optional     /lib/security/$ISA/pam_xauth.so
====================================================

The following changes were made to /etc/pam.d/system-auth per:
http://www.ofb.net/~jheiss/krbldap/howto.html

/etc/pam.d/system-auth
====================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_access.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_access.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
====================================================

Thanks,
Dan
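
Added example, not part of the original message: a short Python script that flattens the auth stack `su` walks through, expanding the `pam_stack.so service=system-auth` reference and keeping the commented-out pam_wheel rules visible. It uses the auth lines from the two files posted above; the function names `flatten` and `wheel_status` are illustrative.

```python
import re

PAM_FILES = {  # auth lines copied from the two files posted in the message above
    "su": """\
auth sufficient /lib/security/$ISA/pam_rootok.so
#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
#auth required /lib/security/$ISA/pam_wheel.so use_uid
auth required /lib/security/$ISA/pam_stack.so service=system-auth
""",
    "system-auth": """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
""",
}

# optional '#', facility, control (word or [bracketed]), module path, arguments
RULE = re.compile(r"^(#?)\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def flatten(service, files, facility="auth", seen=()):
    """Rows (file, control, module, args, active) for one facility, with pam_stack.so
    service=NAME expanded in place. For reading only: PAM treats a sub-stack as one result."""
    rows, seen = [], seen + (service,)
    for line in files[service].splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(2) != facility:
            continue
        disabled, _, control, path, args = m.groups()
        module = path.rsplit("/", 1)[-1]
        target = re.search(r"\bservice=(\S+)", args)
        if module == "pam_stack.so" and target and not disabled:
            name = target.group(1)
            if name in files and name not in seen:  # skip unknown files and include loops
                rows += flatten(name, files, facility, seen)
            continue
        rows.append((service, control, module, args, not disabled))
    return rows

def wheel_status(rows):  # is any pam_wheel.so rule active in the flattened stack?
    wheel = [r for r in rows if r[2] == "pam_wheel.so"]
    if not wheel:
        return "absent"
    active = [f"{c} {a}".strip() for _, c, _, a, on in wheel if on]
    return "active: " + "; ".join(active) if active else "commented out"

if __name__ == "__main__":
    stack = flatten("su", PAM_FILES)
    print(*stack, "pam_wheel: " + wheel_status(stack), sep="\n")
```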