[Comm-en] PAM with ALT Linux
ab at altlinux.org
Fri Nov 9 22:07:52 MSK 2007
Dmitry V. Levin пишет:
> On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
>> I'm a developer and I have a problem with ALT Linux and PAM
>> My program use PAM. this is PAM configuration file:
>> auth required pam_unix.so nullok
>> auth required pam_listfile.so
>> file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
>> account required pam_unix.so
>> session required pam_unix.so
>> password required pam_unix.so
>> It work very well with: Ubuntu, Mandriva, Fedora Core 6, Open Suse 10.2 ...
>> And I don't understand why not with Alt Linux (installed with
>> lite-cd-20071106.iso) ?
>> Have you an idee ?
> Could you provide more details how it doesn't work, please?
> Where it fails, how it fails, credentials of process which fails,
> log message (in /var/log/auth/all) if any, etc.
Shouldn't it be related to TCB? This PAM config completely ignores the
fact that auth info in default ALT Linux installation is done through
TCB, therefore pam_tcb should be used instead of pam_unix. Below is our
system-auth-local which is included by default by other services:
auth required pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account required pam_tcb.so shadow fork
password required pam_passwdqc.so min=disabled,24,12,8,7 max=40
passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required pam_tcb.so use_authtok shadow fork prefix=$2a$
count=8 nullok write_to=tcb
session required pam_tcb.so
session required pam_mktemp.so
session required pam_limits.so
Daniel, you'd probably need to supply an ALTLinux-customized PAM config
for your application made along these lines. Better, use the following
auth include system-auth
auth required pam_listfile.so
file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account include system-auth
password include system-auth
session include system-auth
It relies on the fact that we have system-wide 'system-auth' PAM config
which does common magic (like system-auth-local above).
/ Alexander Bokovoy
Samba Team http://www.samba.org/
ALT Linux Team http://www.altlinux.org/
Midgard Project Ry http://www.midgard-project.org/
More information about the community-en