topic Re: LDAP-UX PAM authentication/authorization... in Operating System - HP-UX

LDAP-UX PAM authentication/authorization...

Steve Hinchman — Thu, 02 Feb 2006 15:22:14 GMT

We are researching and testing the use of LDAP-UX with PAM/Kerberos to perform UNIX user account management with MS Active Directory.

We have succeeded in installing all the current products necessary and are able to "authenticate" UNIX users from AD.

Problem: unable to "authorize" UNIX users correctly.

We have the following as the first entry in the account management section of /etc/pam.conf:
login auth required /usr/lib/security/libpam_authz.1 debug

We also have the following entry in /etc/opt/ldapux/pam_authz.policy:
deny:unix_user:xxxxxxxx

I expected user "xxxxxxxx" to be denied access to the system BUT the user was granted access and provided a command prompt.

The debug.log shows the following:
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering pam_sm_authenticate ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate(login, xxxxxxxx), flags = 0
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering check_authorization() ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate returns (0)!
Jan 20 15:57:55 s1x011 login: PAM_AUTHZ Entering pam_sm_setcred ...

It appears to me that the authorization function does not work correctly. Can anyone tell me why the PAM "authorization" function is allowing access when it should be denying it?

Re: LDAP-UX PAM authentication/authorization...

Steven E. Protter — Thu, 02 Feb 2006 15:32:55 GMT

Shalom,

Can you tell me if there is anything in the /var/adm/syslog/syslog file when this happens.

This may be due to patching issues on the Windows or HP side. Is the AD server 2000 or 2003. Server 2003 requires a patch to work with Unix servers that use Kerebos 4 instead of 5.

SEP

Re: LDAP-UX PAM authentication/authorization...

Steve Hinchman — Thu, 02 Feb 2006 16:58:47 GMT

We are using the following Kerberos products on the HP test server:
# swlist -l fileset | grep -i kerberos
# KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
# KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
# KRBS-Support B.11.11.13 Kerberos Support v1.11
KRBS-Support.KRBS-SUPP-MAN B.11.11.13 Kerberos Support Man Pages
KRBS-Support.KRBS-SUPP-NOTE B.11.11.13 Kerberos Support Release Notes
KRBS-Support.KRBS-SUPP-RUN B.11.11.13 Kerberos Support Runtime
# PAM-Kerberos B.11.11.13 PAM-Kerberos Version 1.11
PAM-Kerberos.PAM-KRB-DEMO B.11.11.13 PAM-Kerberos Demonstration
PAM-Kerberos.PAM-KRB-MAN B.11.11.13 PAM-Kerberos Man Pages
PAM-Kerberos.PAM-KRB-RUN B.11.11.13 PAM-Kerberos Runtime
PAM-Kerberos.PAM-KRB-SHLIB B.11.11.13 PAM-Kerberos Shared Library
# krb5client C.1.3.5.03 Kerberos V5 Client Version 1.3.5.03

and AD is running on Windows Server 2003.

I got the following entries in syslog.log:

Feb 2 16:52:04 xxxxxx inetd[17541]: telnet/tcp: Connection from yyyyyy (xxx.xxx
.xx.xxx) at Thu Feb 2 16:52:04 2006
Feb 2 16:52:04 xxxxxx telnetd[17541]: allowed connection from yyyyyy
Feb 2 16:52:14 xxxxxx login: [Authentication failed] Password not valid
Feb 2 16:52:14 xxxxxx login: user2netname: unknown nameservice ^I^I^I^I^Ifor pu
blickey info 'ldap'
Feb 2 16:52:14 xxxxxx login: Pam Creds are not available
Feb 2 16:52:15 xxxxxx sudo: uuuuuuu : TTY=pts/ta ; PWD=/home/uuuuuu ; USER=ro
ot ; COMMAND=/usr/local/bin/mypwexpiration

Even though a "password not valid" message appears in the syslog, I am still allowed access to the system. ???

Re: LDAP-UX PAM authentication/authorization...

Doug Lamoureux_2 — Thu, 02 Feb 2006 17:26:48 GMT

Steve,
You should use pam_authz in the account managment section of pam.conf, not authentication:

login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_ldap.1

if that doesn't fix it add debug to the pam_authz line and take a look at syslog.log

Cheers,
Doug

Re: LDAP-UX PAM authentication/authorization...

Steve Hinchman — Fri, 03 Feb 2006 10:55:35 GMT

Steven and Doug,

Thanks for your help. PAM authorization and authentication now works. Now we are off to working through the rest of the issues of maintaining UNIX user accounts in AD.

Regards,
Steve Hinchman

Re: LDAP-UX PAM authentication/authorization...

Jeff Schussele — Fri, 03 Feb 2006 11:29:36 GMT

Steve,

Could you tell us whether you're running these systems trusted or not?

Thanks,
Jeff

Re: LDAP-UX PAM authentication/authorization...

Steve Hinchman — Fri, 03 Feb 2006 11:35:15 GMT

Jeff,

Yes, we are running them "trusted".

Steve

Re: LDAP-UX PAM authentication/authorization...

Jeff Schussele — Fri, 03 Feb 2006 11:48:05 GMT

OK - thanks.
One more question if you don't mind.
Have you tested PW expiration yet?
How about SSH with public keys as well?
We are having "issues" with the combination of these two.
We're finding if one's PW is expired AND they are using SSH keys - they still get in.
Sorry to jump into your thread, but we're looking for others that are "in this boat" as well.

Rgds,
Jeff

Re: LDAP-UX PAM authentication/authorization...

Doug Lamoureux_2 — Fri, 03 Feb 2006 12:05:33 GMT

Jeff,
If your using Netscape/Redhat or SunOne Directory Server this whitepaper should help:
http://www.docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf

Cheers,
Doug

Re: LDAP-UX PAM authentication/authorization...

Jeff Schussele — Fri, 03 Feb 2006 12:09:40 GMT

Thanks Doug.
Yes we already have that paper and are indeed using pam_authz.
Still trouble.
Oh well, we'll keep plugging at it.

Again Thanks,
Jeff

Re: LDAP-UX PAM authentication/authorization...

Steve Hinchman — Fri, 03 Feb 2006 13:50:03 GMT

Jeff,

Sorry, we haven't gotten that far yet, but I am putting it on my test case list. I will let you know what are results are.

Regards,
Steve