Re: LDAP-UX PAM authentication/authorization...

Steve Hinchman
Advisor

LDAP-UX PAM authentication/authorization...

We are researching and testing the use of LDAP-UX with PAM/Kerberos to perform UNIX user account management with MS Active Directory.

We have succeeded in installing all the current products necessary and are able to "authenticate" UNIX users from AD.

Problem: unable to "authorize" UNIX users correctly.

We have the following as the first entry in the account management section of /etc/pam.conf:
login auth required /usr/lib/security/libpam_authz.1 debug

We also have the following entry in /etc/opt/ldapux/pam_authz.policy:
deny:unix_user:xxxxxxxx

I expected user "xxxxxxxx" to be denied access to the system BUT the user was granted access and provided a command prompt.

The debug.log shows the following:
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering pam_sm_authenticate ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate(login, xxxxxxxx), flags = 0
Jan 20 15:57:48 sysname login: PAM_AUTHZ Entering check_authorization() ...
Jan 20 15:57:48 sysname login: PAM_AUTHZ pam_sm_authenticate returns (0)!
Jan 20 15:57:55 s1x011 login: PAM_AUTHZ Entering pam_sm_setcred ...

It appears to me that the authorization function does not work correctly. Can anyone tell me why the PAM "authorization" function is allowing access when it should be denying it?
Steven E. Protter
Exalted Contributor

Re: LDAP-UX PAM authentication/authorization...

Shalom,

Can you tell me if there is anything in the /var/adm/syslog/syslog file when this happens?

This may be due to patching issues on the Windows or HP side. Is the AD server 2000 or 2003? Server 2003 requires a patch to work with Unix servers that use Kerberos 4 instead of 5.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Steve Hinchman
Advisor

Re: LDAP-UX PAM authentication/authorization...

We are using the following Kerberos products on the HP test server:
# swlist -l fileset | grep -i kerberos
# KRB-Support B.11.11 Kerberos Support for HP-UX and DCE
# KRB5-Client B.11.11 Kerberos V5 Client Version 1.0
# KRBS-Support B.11.11.13 Kerberos Support v1.11
KRBS-Support.KRBS-SUPP-MAN B.11.11.13 Kerberos Support Man Pages
KRBS-Support.KRBS-SUPP-NOTE B.11.11.13 Kerberos Support Release Notes
KRBS-Support.KRBS-SUPP-RUN B.11.11.13 Kerberos Support Runtime
# PAM-Kerberos B.11.11.13 PAM-Kerberos Version 1.11
PAM-Kerberos.PAM-KRB-DEMO B.11.11.13 PAM-Kerberos Demonstration
PAM-Kerberos.PAM-KRB-MAN B.11.11.13 PAM-Kerberos Man Pages
PAM-Kerberos.PAM-KRB-RUN B.11.11.13 PAM-Kerberos Runtime
PAM-Kerberos.PAM-KRB-SHLIB B.11.11.13 PAM-Kerberos Shared Library
# krb5client C.1.3.5.03 Kerberos V5 Client Version 1.3.5.03

and AD is running on Windows Server 2003.

I got the following entries in syslog.log:

Feb 2 16:52:04 xxxxxx inetd[17541]: telnet/tcp: Connection from yyyyyy (xxx.xxx.xx.xxx) at Thu Feb 2 16:52:04 2006
Feb 2 16:52:04 xxxxxx telnetd[17541]: allowed connection from yyyyyy
Feb 2 16:52:14 xxxxxx login: [Authentication failed] Password not valid
Feb 2 16:52:14 xxxxxx login: user2netname: unknown nameservice ^I^I^I^I^Ifor publickey info 'ldap'
Feb 2 16:52:14 xxxxxx login: Pam Creds are not available
Feb 2 16:52:15 xxxxxx sudo: uuuuuuu : TTY=pts/ta ; PWD=/home/uuuuuu ; USER=root ; COMMAND=/usr/local/bin/mypwexpiration

Even though a "password not valid" message appears in the syslog, I am still allowed access to the system. ???


Doug Lamoureux_2
Valued Contributor
Solution

Re: LDAP-UX PAM authentication/authorization...

Steve,
You should use pam_authz in the account management section of pam.conf, not authentication:

login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_ldap.1

If that doesn't fix it, add debug to the pam_authz line and take a look at syslog.log.

Cheers,
Doug
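As an added example (not code from the thread or from HP's LDAP-UX product), the script below parses an HP-UX style pam.conf and reports the placement problem Doug describes: libpam_authz.1 sitting in the auth stack instead of the account stack, where the policy in pam_authz.policy is actually enforced. It also flags a 'sufficient' module placed ahead of pam_authz in the account stack, since a success there ends the stack before pam_authz runs. The three sample configurations are constructed; the service name, module paths and the helper names parse_pam_conf and audit_authz are assumptions for illustration.

```python
"""Audit an HP-UX style /etc/pam.conf for pam_authz placement.

Added example code, not part of LDAP-UX or the original thread.
HP-UX pam.conf line format (assumed, matching the lines quoted in the thread):
    service module_type control_flag module_path [options]
"""
import re
from collections import defaultdict

PAM_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Constructed sample: the thread's original layout, authz in the auth stack only.
BROKEN_PAM_CONF = """\
# constructed sample pam.conf (broken): pam_authz in the wrong stack
login auth required /usr/lib/security/libpam_authz.1 debug
login auth required /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_unix.1
"""

# Constructed sample: the account stack as suggested in the reply above.
FIXED_PAM_CONF = """\
login auth required /usr/lib/security/libpam_krb5.1
login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_ldap.1
"""

# Constructed sample: right stack, wrong order (sufficient module runs first).
MISORDERED_PAM_CONF = """\
login auth required /usr/lib/security/libpam_krb5.1
login account sufficient /usr/lib/security/libpam_unix.1
login account required /usr/lib/security/libpam_authz.1
"""


def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module_path, options)]}}.

    Entries keep file order, which is the order PAM evaluates the stack in.
    '#' starts a comment; blank lines are ignored.
    """
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line:
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable pam.conf line: {raw!r}")
        service, mtype, flag, path, opts = m.groups()
        stacks[service][mtype].append((flag, path, (opts or "").split()))
    return stacks


def audit_authz(stacks, service="login", module="libpam_authz"):
    """Return a list of human-readable findings; an empty list means no problem found."""
    findings = []
    svc = stacks.get(service, {})
    in_auth = [e for e in svc.get("auth", []) if module in e[1]]
    in_account = [e for e in svc.get("account", []) if module in e[1]]

    if not in_auth and not in_account:
        findings.append(f"{service}: {module} is not configured at all")
        return findings
    if in_auth and not in_account:
        # The thread's symptom: authz returns success during authentication and
        # the deny rule in pam_authz.policy is never applied to the session.
        findings.append(f"{service}: {module} is in the auth stack but not in the "
                        f"account stack; pam_authz.policy will not be enforced")
        return findings

    acct = svc["account"]
    # A module whose failure the stack ignores cannot deny access.
    for flag, path, _ in in_account:
        if flag in ("optional", "sufficient"):
            findings.append(f"{service}: {path} is '{flag}'; a deny from it will not block login")
    # Anything marked 'sufficient' before pam_authz short-circuits the stack on success.
    first_authz = next(i for i, e in enumerate(acct) if module in e[1])
    for flag, path, _ in acct[:first_authz]:
        if flag == "sufficient":
            findings.append(f"{service}: {path} is 'sufficient' and precedes {module}; "
                            f"a success there skips the authorization check")
    return findings


if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_PAM_CONF), ("fixed", FIXED_PAM_CONF),
                       ("misordered", MISORDERED_PAM_CONF)):
        print(name, audit_authz(parse_pam_conf(conf)) or "OK")
```

Run against the real file with `audit_authz(parse_pam_conf(open("/etc/pam.conf").read()))`; the same check can be repeated for other services (telnet, dtlogin, sshd) by passing `service=`.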
Steve Hinchman
Advisor

Re: LDAP-UX PAM authentication/authorization...

Steven and Doug,

Thanks for your help. PAM authorization and authentication now work. Now we are off to working through the rest of the issues of maintaining UNIX user accounts in AD.

Regards,
Steve Hinchman
Jeff Schussele
Honored Contributor

Re: LDAP-UX PAM authentication/authorization...

Steve,

Could you tell us whether you're running these systems trusted or not?

Thanks,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Steve Hinchman
Advisor

Re: LDAP-UX PAM authentication/authorization...

Jeff,

Yes, we are running them "trusted".

Steve
Jeff Schussele
Honored Contributor

Re: LDAP-UX PAM authentication/authorization...

OK - thanks.
One more question if you don't mind.
Have you tested PW expiration yet?
How about SSH with public keys as well?
We are having "issues" with the combination of these two.
We're finding if one's PW is expired AND they are using SSH keys - they still get in.
Sorry to jump into your thread, but we're looking for others that are "in this boat" as well.

Rgds,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Doug Lamoureux_2
Valued Contributor

Re: LDAP-UX PAM authentication/authorization...

Jeff,
If you're using Netscape/Redhat or SunOne Directory Server, this whitepaper should help:
http://www.docs.hp.com/en/6965/pam_authz_for_policy_wp_2_3.pdf

Cheers,
Doug
Jeff Schussele
Honored Contributor

Re: LDAP-UX PAM authentication/authorization...

Thanks Doug.
Yes we already have that paper and are indeed using pam_authz.
Still trouble.
Oh well, we'll keep plugging at it.

Again Thanks,
Jeff
PERSEVERANCE -- Remember, whatever does not kill you only makes you stronger!
Steve Hinchman
Advisor

Re: LDAP-UX PAM authentication/authorization...

Jeff,

Sorry, we haven't gotten that far yet, but I am putting it on my test case list. I will let you know what our results are.

Regards,
Steve