RE: Granting su rights to users? Using PAM and Kerberos...

>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
>Sent: Monday, November 21, 2005 4:15 PM
>To: For users of Fedora Core releases
>Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
>>From: fedora-list-bounces@xxxxxxxxxx
>>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Leonard Isham
>>Sent: Monday, November 21, 2005 2:18 PM
>>To: For users of Fedora Core releases
>>Subject: Re: Granting su rights to users? Using PAM and Kerberos...
>>
>>
>>On 11/21/05, Daniel B. Thurman <dant@xxxxxxxxx> wrote:
>>>
>>> Hmm..  I enabled Kerberos and set up the pam files to use kerberos
>>> authentication, and I also added a root principal (root@REALM), but
>>> I am still being prevented as a normal user from using 'su'.
>>>
>>> I have been all over google and tried to find a solution, but there
>>> was none to be found.  I did see for BSD that you can use the
>>> kdb_edit command to add per-user root permissions, but I think
>>> that is for Kerberos IV only.
>>>
>>> I am beginning to wonder if kerberos is even worth it anymore, or
>>> if it is being replaced with something else like the Directory Service?
>>> No one seems to be talking much about kerberos in this newsgroup,
>>> so it seems.
>>>
>>> Anyway - can someone please shed some light here so that
>>> I can at least su root as a normal user?
>>
>>Check /etc/pam.d/su
>>
>>--
>>Leonard Isham, CISSP
>>Ostendo non ostento.
>
>Is there something I need to look for in /etc/pam.d/su?
>
>/etc/pam.d/su
>====================================================
>#%PAM-1.0
>auth       sufficient   /lib/security/$ISA/pam_rootok.so
># Uncomment the following line to implicitly trust users in the "wheel" group.
>#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
># Uncomment the following line to require a user to be in the "wheel" group.
>#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
>auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
>account    required     /lib/security/$ISA/pam_stack.so service=system-auth
>password   required     /lib/security/$ISA/pam_stack.so service=system-auth
># pam_selinux.so close must be first session rule
>session    required     /lib/security/$ISA/pam_selinux.so close
>session    required     /lib/security/$ISA/pam_stack.so service=system-auth
># pam_selinux.so open and pam_xauth must be last two session rules
>session    required     /lib/security/$ISA/pam_selinux.so open multiple
>session    optional     /lib/security/$ISA/pam_xauth.so
>====================================================
>
>The following changes were made to /etc/pam.d/system-auth
>per: http://www.ofb.net/~jheiss/krbldap/howto.html
>
>/etc/pam.d/system-auth
>====================================================
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account     required      /lib/security/$ISA/pam_unix.so
>account     required      /lib/security/$ISA/pam_access.so
>account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
>account     required      /lib/security/$ISA/pam_access.so
>
>password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
>password    required      /lib/security/$ISA/pam_deny.so
>
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>session     optional      /lib/security/$ISA/pam_krb5.so
>====================================================
>
>Thanks,
>Dan
>


I have used the gui-based authentication tool with the
authentication tab and selected everything but the Winbind
support, and now when I try to su root as a normal user,
I get the message:

# su: cannot set groups: No such file or directory

In the /var/log/message file, it says:

Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost=  user=root
Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root@xxxxxxxxx)
Nov 21 17:05:48 linux su(pam_unix)[5728]:  ERROR 0:Success
Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
Nov 21 17:05:48 linux su[5728]: Warning!  Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'

So, it appears that PAM is somehow preventing normal users from using su as root, kerberos claims
that the password is valid, SELinux is saying that it does not allow su to relabel
the /dev/pts/4 tty, and finally su is not allowed to delete the cache file.

Geez... what the heck is going on???

HELP PLEASE?

Dan
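An added example, not from the thread: a small simulator of Linux-PAM control-flag evaluation applied to the su and system-auth stacks quoted above, with the pam_stack line flattened into system-auth's entries. The module return values are constructed; the point is to show why the log can record a pam_unix failure followed by a pam_krb5 success and still pass the auth phase, and how the bracketed pam_krb5 account control ignores an unknown user.

```python
# Added example (not from the thread). Models pam.conf(5) control semantics
# for the su/system-auth stacks quoted above; return values are constructed.

# Keyword controls expressed in the equivalent bracketed [value=action] form.
KEYWORDS = {
    "required":   "[success=ok new_authtok_reqd=ok ignore=ignore default=bad]",
    "requisite":  "[success=ok new_authtok_reqd=ok ignore=ignore default=die]",
    "sufficient": "[success=done new_authtok_reqd=done default=ignore]",
    "optional":   "[success=ok new_authtok_reqd=ok default=ignore]",
}

def parse_control(control):
    """Turn 'required' or '[default=bad success=ok ...]' into a value->action map."""
    spec = KEYWORDS.get(control, control).strip("[]")
    return dict(item.split("=", 1) for item in spec.split())

def run_stack(stack, results):
    """stack: list of (control, module); results: module -> PAM return value.
    Returns True when the stack as a whole succeeds."""
    failed = False
    for control, module in stack:
        actions = parse_control(control)
        rc = results.get(module, "success")
        action = actions.get(rc, actions["default"])
        if action == "done" and not failed:   # sufficient: stop early, success
            return True
        if action == "die":                   # requisite: stop early, failure
            return False
        if action == "bad":                   # required: remember, keep going
            failed = True
    return not failed

# /etc/pam.d/su auth phase, pam_stack service=system-auth inlined.
SU_AUTH = [("sufficient", "pam_rootok"), ("required", "pam_env"),
           ("sufficient", "pam_unix"), ("sufficient", "pam_krb5"),
           ("required", "pam_deny")]
KRB5_ACCT = ("[default=bad success=ok user_unknown=ignore "
             "service_err=ignore system_err=ignore]")
SU_ACCOUNT = [("required", "pam_unix"), ("required", "pam_access"),
              (KRB5_ACCT, "pam_krb5"), ("required", "pam_access")]

def su_auth(unix_rc, krb5_rc, caller_is_root=False):
    """Auth-phase outcome for the given pam_unix / pam_krb5 results."""
    return run_stack(SU_AUTH, {
        "pam_rootok": "success" if caller_is_root else "auth_err",
        "pam_unix": unix_rc, "pam_krb5": krb5_rc, "pam_deny": "auth_err"})

def su_account(krb5_rc):
    """Account-phase outcome for the given pam_krb5 result."""
    return run_stack(SU_ACCOUNT, {"pam_krb5": krb5_rc})
```

With unix_rc="auth_err" and krb5_rc="success" the auth phase passes, which is exactly the pair of log lines shown above; the later "cannot set groups" failure happens outside the auth and account phases.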
