Showing results for 
Search instead for 
Did you mean: 

PAM ntml/unix/updbe issues

Occasional Advisor

PAM ntml/unix/updbe issues


I am trying to configure login authentication with the following aim:
All users to be authenticated by NT only, except root (or mmroot) who is to be authenticated by UNIX only.

The authentication of users by NT is woorking with no probs, but I cannot seem to get the exception for root working. The relevant lines from /etc/pam.conf are:
# Authentication management
login auth required /usr/lib/security/libpam_updbe.1
login auth required /usr/lib/security/libpam_ntlm.1 debug

The relevant lines from /etc/pam_user.conf are:
root auth /usr/lib/security/libpam_unix.1 debug
mmroot auth /usr/lib/security/libpam_unix.1 debug

The login prompt dies with the following message for root:
Login cannot retrieve the details of the user root, exiting.
Connection closed.

And for mmroot it is just login incorrect:
Login incorrect

The relevant syslog entries are:
Feb 7 10:11:00 caews90 rlogind[13814]: Login failure (exit(1) from login(1))
Feb 7 05:11:17 caews90 login: pam_ntlm: Incorrect NT password for username : mmroot

Am I missing something obvious here or is this not possible, the man pages suggest it is.

mmroot is a NIS account with UID 0. NSS is looking at files then NIS. /etc/passwd has magic cookie at the end. OS is 11.11 patched with latest from CPM in Jan 01.
Occasional Advisor

Re: PAM ntml/unix/updbe issues

After all that it seems to be possible.

The pam_user.conf file is only for specifying different options for modules, not completely different modules.

From the manual:
"Individual users can be assigned different options by listing them in the user control file /etc/pam_user.conf. For a login-name listed here, the options listed here replace any options specified for the module-type/module-path in /etc/pam.conf."

Nice idea though ...
Occasional Advisor

Re: PAM ntml/unix/updbe issues


it seems to be NOT possible.
Trusted Contributor

Re: PAM ntml/unix/updbe issues


My brain is still a little foggy this morning as I have yet to have my Mt. Dew, but I think the problem is that you are using 2 "required"s in the pam.conf file. I think it is passing for root at the UNIX level, but then failing at the NT level since root isn't set-up on NT. If you use required, all modules must be passed. Try changing the first entry to sufficient and see if root then works. (see man pam.conf for more info).

- Chris
Occasional Advisor

Re: PAM ntml/unix/updbe issues

Hi Chris, thanks for the reply but I think I've tried every single combination of required/sufficient/optional as well as various stacking orders. That's why I've come to the conclusion that you can only change the options to the modules and not the modules per user as such.

The problem is I do not what root to be presented to NT and I do not want ordinary users presented to UNIX.

We've decide to go with NT only and use Single User for root (as we have root equiv acounts anyway).

Re: PAM ntml/unix/updbe issues

Just browsing and saw this question. For the record, this is how I handled the same dilemma. pam.conf has the following:

login auth sufficient /usr/lib/security/libpam_unix.1
login auth required /usr/lib/security/libpam_ntlm.1 try_first_pass

This forces unix passwords to be tried first, if fail then try same password on nt. Therefore root authenticates immediately with the unix password. For other users I create their unix account but I don't tell them the password and they just pass thru to ntlm. The main problem with this is the 8 char usename limit. fixes association but with trusted hpux I can't get longer usernames.