I know nothing about pam!

Place to discuss Fedora and/or Red Hat
X11
guru
Posts: 676
Joined: Sun Jan 19, 2003 11:09 pm
Location: Australia

Post by X11 » Thu Jun 14, 2007 10:10 am

I need to get inside pam to find out why dovecot (which authenticates with pam) is causing problems for an account. Basically the account is being told it has expired, and I have no idea how to change this. I think pam uses ldap from what the old admin has passed on to me, however his English is difficult to read.

I have worked out the console based ldap administration tools well, and I simply don't see any data that could be used to set an expiry. It might be more complicated.

Void Main
Site Admin
Posts: 5716
Joined: Wed Jan 08, 2003 5:24 am
Location: Tuxville, USA

Post by Void Main » Thu Jun 14, 2007 11:16 am

What's in your /etc/pam.d/dovecot file?


Post by X11 » Thu Jun 14, 2007 12:19 pm

Code:

[root@pusa3 ~]# cat /etc/pam.d/dovecot
#%PAM-1.0
auth       required     pam_nologin.so
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth



Post by Void Main » Thu Jun 14, 2007 2:01 pm

And what does your /etc/pam.d/system-auth file contain? It looks to me like it's just doing normal authentication against the system. Did you try resetting the user's password on the Linux server?


Post by X11 » Fri Jun 15, 2007 1:12 am

Code:

[root@pusa3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.

I'm going to man authconfig.


Post by Void Main » Fri Jun 15, 2007 3:17 am

Looks like you have it set up to allow login to your system or applications (including dovecot) using your local UNIX system account/password OR your ldap passwd. You should be able to use either. So I would be curious if you set the user's local UNIX password (# passwd username) if they can log in. Then it's a question of changing their ldap password. It's very late and I have to crash but I'll dig deeper into the ldap pam module tomorrow. I've not personally used ldap for authentication directly so I would have to dig a little on the ldap module.


Post by Void Main » Fri Jun 15, 2007 8:22 am



Post by X11 » Fri Jun 29, 2007 8:17 pm

Currently they use "User Manager for Domains" which is some tool for Windows XP that does not like samba.

He can still log in to the NT domain but for some reason according to PAM, which dovecot uses, his account has expired. Samba uses ldap for authentication.

Changing the password with passwd does not seem to help either. Dovecot tells the IMAP clients that the password is incorrect, and tells /var/log/messages the account has expired...

Code:

Jun 30 12:15:00 pusa3 dovecot(pam_unix)[22296]: account master.yi has expired (account expired)


Post by Void Main » Fri Jun 29, 2007 9:05 pm

It looks like his local Linux accounts are set up for password expiration and this account's password has expired. Not the ldap account but the local /etc/passwd account. I would assume if you tried to log directly into the Linux box as that user you would not be allowed because his password has expired.

What does the output of this give you:

# passwd -S username

Have you tried resetting his local password?

# passwd username

You might also have to unlock the account:

# passwd -u username

If that indeed is what the problem is you would probably want to turn off password expiration since you are using ldap passwords. What does this user's entry look like in /etc/shadow? See this:

http://db.ilug-bom.org.in/Documentation ... rmats.html

and this:

http://tldp.org/HOWTO/Shadow-Password-HOWTO-7.html
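As an added diagnostic (not code from this thread), the following reproduces the checks that pam_unix's account phase applies to an /etc/shadow entry, so you can see which shadow field produces the "account expired" line X11 quoted from /var/log/messages; the sample entries are constructed and the check order is an approximation of pam_unix's, not its source.

```python
from datetime import date

# Field order of an /etc/shadow entry (see the Shadow Password HOWTO linked above).
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inactive", "expire", "reserved")

# Constructed sample entries; these are not the thread's real /etc/shadow.
SAMPLE_SHADOW = """\
master.yi:$1$CONSTRUCTED$hash:13600:0:99999:7::13660:
alice:$1$CONSTRUCTED$hash:13600:0:90:7:14::
bob:!!:0:0:99999:7:::
carol:$1$CONSTRUCTED$hash:13690:0:99999:7:::
"""

def parse_shadow_line(line):
    """Split one shadow entry; empty numeric fields become -1, as pam_unix treats them."""
    parts = line.rstrip("\n").split(":")
    if len(parts) != 9:
        raise ValueError("shadow entry must have 9 colon-separated fields")
    entry = dict(zip(SHADOW_FIELDS, parts))
    for key in ("lastchg", "min", "max", "warn", "inactive", "expire"):
        entry[key] = int(entry[key]) if entry[key] else -1
    return entry

def days_since_epoch(d):
    """Shadow stores dates as days since 1970-01-01, the unit pam_unix compares against."""
    return (d - date(1970, 1, 1)).days

def account_status(entry, today):
    """Apply the checks of pam_unix's account phase in the same order (approximation)."""
    if entry["expire"] != -1 and today >= entry["expire"]:
        return "account expired"            # field 8 reached: the message in X11's log
    if entry["lastchg"] == 0:
        return "password change required"   # lastchg of 0 forces a change at next login
    if entry["lastchg"] > 0 and entry["max"] != -1:
        age = today - entry["lastchg"]
        if entry["inactive"] != -1 and age > entry["max"] + entry["inactive"]:
            return "account expired (password inactive)"
        if age > entry["max"]:
            return "password expired"
        if entry["warn"] != -1 and age > entry["max"] - entry["warn"]:
            return "password expires soon"
    return "ok"

def diagnose(shadow_text, user, today):
    """Return the status pam_unix would report for `user`, or 'no local entry'."""
    for line in shadow_text.splitlines():
        if line.split(":", 1)[0] == user:
            return account_status(parse_shadow_line(line), today)
    return "no local entry"
```

Run `diagnose(SAMPLE_SHADOW, "master.yi", days_since_epoch(date(2007, 6, 30)))` to see the constructed master.yi entry report "account expired" on the day of the log line, because its expire field (13660) lies in the past. On a real host, `chage -l username` prints the same fields readably and `chage -E -1 username` clears the expiry date.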
