[Dovecot] PAM auth problem
PAM auth doesn't work when I add pam_group:
gw# id test2
uid=10001(test2) gid=11111(adusers) groups=11111(adusers), 10000(group1), 10001(group2), 10002(test10)
gw# getent passwd test2
test2:*:10001:11111:Our AD-Unix Test Account:/home/test2:/bin/sh
gw# cat /etc/pam.d/dovecot
auth required pam_group.so group=adusers
auth required pam_krb5.so debug try_first_pass
All works fine with only pam_krb5 module.
--
Best regards, Taras Savchuk
ООО "Элантек": IT outsourcing, web development
http://www.elantech.ru
+7 (495) 589 68 81
+7 (926) 575 22 11
On 28/03/2007 16:52, Taras Savchuk wrote:
> PAM auth doesn't work when I add pam_group:
pam_group grants membership to groups, it can't be used to authenticate. Use pam_wheel or pam_succeed_if, and see http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
Cheers,
John.
In FreeBSD pam_group does exactly what I want:
NAME
     pam_group -- Group PAM module

SYNOPSIS
     [service-name] module-type control-flag pam_group [arguments]

DESCRIPTION
     The group service module for PAM accepts or rejects users based on
     their membership in a particular file group.

     The following options may be passed to the pam_group module:

     deny        Reverse the meaning of the test, i.e., reject the
                 applicant if and only if he or she is a member of the
                 specified group. This can be useful to exclude certain
                 groups of users from certain services.

     fail_safe   If the specified group does not exist, or has no
                 members, act as if it does exist and the applicant is a
                 member.

     group=groupname
                 Specify the name of the group to check. The default is
                 ``wheel''.

     root_only   Skip this module entirely if the target account is not
                 the superuser account.

SEE ALSO
     pam.conf(5), pam(8)

AUTHORS
     The pam_group module and this manual page were developed for the
     FreeBSD Project by ThinkSec AS and NAI Labs, the Security Research
     Division of Network Associates, Inc. under DARPA/SPAWAR contract
     N66001-01-C-8035 (``CBOSS''), as part of the DARPA CHATS research
     program.

FreeBSD 6.2                    February 6, 2003                    FreeBSD 6.2
John Robinson wrote:
> On 28/03/2007 16:52, Taras Savchuk wrote:
>> PAM auth doesn't work when I add pam_group:
> pam_group grants membership to groups, it can't be used to authenticate. Use pam_wheel or pam_succeed_if, and see http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
> Cheers,
> John.
--
Best regards, Taras Savchuk
ООО "Элантек": IT outsourcing, web development
http://www.elantech.ru
+7 (495) 589 68 81
+7 (926) 575 22 11
On 28/03/2007 17:32, Taras Savchuk wrote:
> In FreeBSD pam_group does exactly what I want:
Oh, sorry, didn't know you were on *BSD but I suppose I shouldn't have assumed Linux. In Linux-PAM, pam_wheel's documentation is very similar to your pam_group, with the addition of an option:
     use_uid     The check for wheel membership will be done against the
                 current uid instead of the original one (useful when
                 jumping with su from one account to another for example).
It would be useful with Dovecot too, because you don't want your pam_group checking Dovecot's group membership - and this may be why it's not working for you. If you have a pam_succeed_if or equivalent, perhaps you could try that.
Cheers,
John.
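
The option semantics in the pam_group man page quoted in this thread, written out as a small decision function. This is an added example and not part of the thread or FreeBSD's source: `group_check`, the flag names, and the sample accounts are constructed here, and only listed group members are modelled because the man page text does not say how a primary gid is treated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcomes a PAM module can hand back to the stack (names are this example's). */
enum verdict { ACCEPT, REJECT, SKIP };

/* Flags named after the options in the quoted man page. */
enum { OPT_DENY = 1, OPT_FAIL_SAFE = 2, OPT_ROOT_ONLY = 4 };

/*
 * members: NULL-terminated member list of the configured group,
 *          or NULL when the group does not exist.
 * target_uid: uid of the account being authenticated (used by root_only).
 */
enum verdict group_check(const char *applicant, unsigned target_uid,
                         const char *const *members, int opts)
{
    int member = 0;

    /* root_only: skip the module unless the target account is the superuser. */
    if ((opts & OPT_ROOT_ONLY) && target_uid != 0)
        return SKIP;

    if (members == NULL || members[0] == NULL) {
        /* Missing or empty group: fail_safe pretends the applicant is in it. */
        member = (opts & OPT_FAIL_SAFE) != 0;
    } else {
        for (size_t i = 0; members[i] != NULL; i++)
            if (strcmp(members[i], applicant) == 0)
                member = 1;
    }

    /* deny reverses the test: members are rejected, everyone else accepted. */
    if (opts & OPT_DENY)
        return member ? REJECT : ACCEPT;
    return member ? ACCEPT : REJECT;
}

int main(void)
{
    /* Constructed sample data: a group whose member list names only test2. */
    const char *const adusers[] = { "test2", NULL };
    static const char *const names[] = { "accept", "reject", "skip" };

    printf("listed member:            %s\n", names[group_check("test2", 10001, adusers, 0)]);
    printf("service account:          %s\n", names[group_check("dovecot", 10001, adusers, 0)]);
    printf("missing group, fail_safe: %s\n", names[group_check("test2", 10001, NULL, OPT_FAIL_SAFE)]);
    return 0;
}
```

Under this reading, `fail_safe` with a mistyped `group=` name accepts every applicant, and the result depends entirely on which account the module treats as the applicant.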