PAM settings.

Hari_Ganesh · April 23, 2009, 4:44am

Hi Experts,

Appended is the pam.conf file in my Sol 5.10 client which uses AD for authentication(Followed scott Lowe's blog on AD-Solaris integration):

bash-3.00# cat /etc/pam.conf
##ident "@(#)pam.conf 1.31 07/12/07 SMI"
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth required pam_unix_auth.so.1
# Kerberized rlogin service
krlogin auth required pam_unix_cred.so.1
krlogin auth required pam_krb5.so.1
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
# Kerberized rsh service
krsh auth required pam_unix_cred.so.1
krsh auth required pam_krb5.so.1
# Kerberized telnet service
ktelnet auth required pam_unix_cred.so.1
ktelnet auth required pam_krb5.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_unix_cred.so.1
ppp auth required pam_unix_auth.so.1
ppp auth required pam_dial_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
# passwd command (explicit because of a different authentication module)
passwd auth required pam_passwd_auth.so.1
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1
other account sufficient pam_unix_account.so.1
other account required pam_ldap.so.1
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
# Support for Kerberos V5 authentication and example configurations can
# be found in the pam_krb5(5) man page under the "EXAMPLES" section.

I am able to login as any user(both local and AD)through ssh and telnet into my client. But i am not able to login using AD users from console(command line). Do i need to modify any PAM setings?
Your suggestions are most wanted.
Note- I am able to login using Local users(only) from console(command line)
HG

amitranjansahu · April 23, 2009, 5:52am

check the /etc/securetty file . if its empty the root user is not able to login via console

Hari_Ganesh · April 23, 2009, 6:25am

Amit,

I think u have misunderstood my question. I am able to login as root from command line.

My problem is that : AD users are able to log into my client through ssh and telnet. But the same AD users are not able to login through console(Command line).

I think a PAM module needs to be introduced or is blocking the process. Since i am no good in PAM,i have posted the same.
HG

incredible · April 23, 2009, 7:23am

Kindly post the contents of /etc/default/login file.

Hari_Ganesh · April 23, 2009, 7:43am

[1]d08083: cat /etc/default/login
#ident "@(#)login.dfl 1.10 99/08/04 SMI" /* SVr4.0 1.1.1.1 */
# Set the TZ environment variable of the shell.
#
#TIMEZONE=EST5EDT
# ULIMIT sets the file size limit for the login. Units are disk blocks.
# The default of zero means no limit.
#
#ULIMIT=0
# If CONSOLE is set, root can only login on that device.
# Comment this line out to allow remote login by root.
#
CONSOLE=/dev/console
# PASSREQ determines if login requires a password.
#
PASSREQ=YES
# ALTSHELL determines if the SHELL environment variable should be set
#
ALTSHELL=YES
# PATH sets the initial shell PATH variable
#
#PATH=/usr/bin:
# SUPATH sets the initial shell PATH variable for root
#
#SUPATH=/usr/sbin:/usr/bin
# TIMEOUT sets the number of seconds (between 0 and 900) to wait before
# abandoning a login session.
#
#TIMEOUT=300
# UMASK sets the initial shell file creation mode mask. See umask(1).
#
UMASK=022
# SYSLOG determines whether the syslog(3) LOG_AUTH facility should be used
# to log all root logins at level LOG_NOTICE and multiple failed login
# attempts at LOG_CRIT.
#
SYSLOG=YES
# SLEEPTIME controls the number of seconds that the command should
# wait before printing the "login incorrect" message when a
# bad password is provided. The range is limited from
# 0 to 5 seconds.
#
#SLEEPTIME=4
# RETRIES determines the number of failed logins that will be
# allowed before login exits.
#
RETRIES=3
#
# The SYSLOG_FAILED_LOGINS variable is used to determine how many failed
# login attempts will be allowed by the system before a failed login
# message is logged, using the syslog(3) LOG_NOTICE facility. For example,
# if the variable is set to 0, login will log -all- failed login attempts.
#
SYSLOG_FAILED_LOGINS=0

Perderabo · April 23, 2009, 8:31pm

I'm not a pam expert either. But a quick shot in the dark:

# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

Hari_Ganesh · April 23, 2009, 10:40pm

Perderabo,My client uses kerberos for authentication and LDAP for authorisation with AD. That's the reason why the kerberos module has been added.

Perderabo · April 23, 2009, 11:31pm

Look again. The red line is a suggested addition. :rolleyes:

Hari_Ganesh · April 27, 2009, 4:05am

A million Thanks Perderabo....Adding the line has solved my issue.

incredible · April 29, 2009, 3:33am

whats the purpose of the extra line? Can explain? Looks helpful