>From: fedora-list-bounces@xxxxxxxxxx
>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Daniel B. Thurman
>Sent: Monday, November 21, 2005 4:15 PM
>To: For users of Fedora Core releases
>Subject: RE: Granting su rights to users? Using PAM and Kerberos...
>
>
>>From: fedora-list-bounces@xxxxxxxxxx
>>[mailto:fedora-list-bounces@xxxxxxxxxx]On Behalf Of Leonard Isham
>>Sent: Monday, November 21, 2005 2:18 PM
>>To: For users of Fedora Core releases
>>Subject: Re: Granting su rights to users? Using PAM and Kerberos...
>>
>>
>>On 11/21/05, Daniel B. Thurman <dant@xxxxxxxxx> wrote:
>>>
>>> Hmm.. I enabled Kerberos and set up pam files to use kerberos
>>> authentication, and I also added root principal (root@REALM) but
>>> I am still being prevented as a normal user to use 'su'
>>>
>>> I have been all over google and tried to find a solution but there
>>> was none to be found. I did see for BSD that you can use the
>>> kdb_edit command to add per-user root permissions but I think
>>> that is for Kerberos IV only.
>>>
>>> I am beginning to wonder if kerberos is even worth it anymore or
>>> if it is being replaced with something else like the
>>> Directory Service?
>>> No one seems to be talking much about kerberos in this newsgroup
>>> so it seems.
>>>
>>> Anyway - can someone please shed some light here so that
>>> I can at least su root as a normal user?
>>
>>Check /etc/pam.d/su
>>
>>--
>>Leonard Isham, CISSP
>>Ostendo non ostento.
>
>Is there something I need to look for in /etc/pam.d/su?
>
>/etc/pam.d/su
>====================================================
>#%PAM-1.0
>auth sufficient /lib/security/$ISA/pam_rootok.so
># Uncomment the following line to implicitly trust users in the "wheel" group.
>#auth sufficient /lib/security/$ISA/pam_wheel.so trust use_uid
># Uncomment the following line to require a user to be in the "wheel" group.
>#auth required /lib/security/$ISA/pam_wheel.so use_uid
>auth required /lib/security/$ISA/pam_stack.so service=system-auth
>account required /lib/security/$ISA/pam_stack.so service=system-auth
>password required /lib/security/$ISA/pam_stack.so service=system-auth
># pam_selinux.so close must be first session rule
>session required /lib/security/$ISA/pam_selinux.so close
>session required /lib/security/$ISA/pam_stack.so service=system-auth
># pam_selinux.so open and pam_xauth must be last two session rules
>session required /lib/security/$ISA/pam_selinux.so open multiple
>session optional /lib/security/$ISA/pam_xauth.so
>====================================================
>
>The following changes were made to /etc/pam.d/system-auth
>per: http://www.ofb.net/~jheiss/krbldap/howto.html
>
>/etc/pam.d/system-auth
>====================================================
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required /lib/security/$ISA/pam_env.so
>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
>auth required /lib/security/$ISA/pam_deny.so
>
>account required /lib/security/$ISA/pam_unix.so
>account required /lib/security/$ISA/pam_access.so
>account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
>account required /lib/security/$ISA/pam_access.so
>
>password requisite /lib/security/$ISA/pam_cracklib.so retry=3
>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
>password required /lib/security/$ISA/pam_deny.so
>
>session required /lib/security/$ISA/pam_limits.so
>session required /lib/security/$ISA/pam_unix.so
>session optional /lib/security/$ISA/pam_krb5.so
>====================================================
>
>Thanks,
>Dan
>

I have used the gui-based authentication tool with the authentication tab
and selected everything but the Winbind support, and now when I try to su
root as a normal user, I get the message:

# su: cannot set groups: No such file or directory

In the /var/log/message file, it says:

Nov 21 17:05:48 linux su(pam_unix)[5728]: authentication failure; logname= uid=500 euid=500 tty=pts/4 ruser=dant rhost= user=root
Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: authentication succeeds for 'root' (root@xxxxxxxxx)
Nov 21 17:05:48 linux su(pam_unix)[5728]: ERROR 0:Success
Nov 21 17:05:48 linux su(pam_unix)[5728]: session opened for user root by (uid=500)
Nov 21 17:05:48 linux su[5728]: Warning! Could not relabel /dev/pts/4 with root:object_r:devpts_t, not relabeling.Operation not permitted
Nov 21 17:05:48 linux su(pam_unix)[5735]: session closed for user root
Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'
Nov 21 17:05:48 linux su(pam_unix)[5728]: session closed for user root
Nov 21 17:05:48 linux su[5728]: pam_krb5[5728]: error removing ccache file '/tmp/krb5cc_0_RNoyDV'

So, it appears that PAM is somehow preventing normal users from su-ing to
root, kerberos claims that the password is valid, and SELinux is saying
that it does not allow su to relabel the /dev/pts/4 tty, and finally su is
not allowed to delete the cache file.

Geez... what the heck is going on??? HELP PLEASE?

Dan

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.362 / Virus Database: 267.13.4/176 - Release Date: 11/20/2005