[Comm-en] PAM with ALT Linux

Alexander Bokovoy ab at altlinux.org
Fri Nov 9 22:07:52 MSK 2007

Dmitry V. Levin пишет:
> Hi,
> On Fri, Nov 09, 2007 at 02:56:02PM +0100, Daniel Rocher wrote:
>> I'm a developer and I have a problem with ALT Linux and PAM 
>> (authentification).
>> My program use PAM. this is PAM configuration file:
>> auth            required        pam_unix.so nullok
>> auth            required        pam_listfile.so 
>> file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
>> account         required        pam_unix.so
>> session         required        pam_unix.so
>> password        required        pam_unix.so
>> It work very well with: Ubuntu, Mandriva, Fedora Core 6, Open Suse 10.2 ...
>> And I don't understand why not with Alt Linux (installed with 
>> lite-cd-20071106.iso) ?
>> Have you an idee ?
> Could you provide more details how it doesn't work, please?
> Where it fails, how it fails, credentials of process which fails,
> log message (in /var/log/auth/all) if any, etc.
Shouldn't it be related to TCB? This PAM config completely ignores the
fact that auth info in default ALT Linux installation is done through
TCB, therefore pam_tcb should be used instead of pam_unix. Below is our
system-auth-local which is included by default by other services:

auth     required       pam_tcb.so shadow fork prefix=$2a$ count=8 nullok
account  required       pam_tcb.so shadow fork
password required       pam_passwdqc.so min=disabled,24,12,8,7 max=40 
passphrase=3 match=4 similar=deny random=42 enforce=users retry=3
password required       pam_tcb.so use_authtok shadow fork prefix=$2a$ 
count=8 nullok write_to=tcb
session  required       pam_tcb.so
session  required       pam_mktemp.so
session  required       pam_limits.so

Daniel, you'd probably need to supply an ALTLinux-customized PAM config 
for your application made along these lines. Better, use the following 
(not tested):

auth     include        system-auth
auth     required       pam_listfile.so 
file=/etc/qtsmbstatusd/qtsmbstatusd.users onerr=fail sense=allow item=user
account  include        system-auth
password include        system-auth
session  include        system-auth

It relies on the fact that we have system-wide 'system-auth' PAM config 
which does common magic (like system-auth-local above).
/ Alexander Bokovoy
Samba Team                      http://www.samba.org/
ALT Linux Team                  http://www.altlinux.org/
Midgard Project Ry              http://www.midgard-project.org/

More information about the community-en mailing list