Changes to /etc/pam.d/gdm to use system-login instead of system-auth prevent login of clients on system. Users receive an error that logins are temporarily disabled. (There is no /etc/nologin on the system.)

Corresponding log entries:

/var/log/auth.log:
Aug 14 15:12:27 fairy gdm[9147]: pam_access(gdm:account): access denied for user `art' from `:0'

/var/log/warn:
Aug 14 15:12:27 fairy gdm[9147]: WARNING: User art not permitted to gain access at this time

System uses both passwd and NIS for authentication - (nsswitch.conf set to "compat", and last line in /etc/passwd is "+:::::"). However, this is a local user -- same user able to log in through console or ssh, or su.

Reverting to system-auth for pam.d/gdm restores login functionality.
Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-gentoo-r9 i686)
=================================================================
System uname: 2.6.23-gentoo-r9 i686 mobile AMD Athlon(tm) XP2400+
Timestamp of tree: Wed, 13 Aug 2008 20:00:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash: 3.2_p33
dev-lang/python: 2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache: 2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox: 1.2.18.1-r2
sys-devel/autoconf: 2.13, 2.61-r2
sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils: 2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool: 1.5.26
virtual/os-headers: 2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-4 -momit-leaf-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon-4 -momit-leaf-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="ccache distcc distlocks fixpackages metadata-transfer noinfo sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.mirrors.tds.net/gentoo http://gentoo.osuosl.org/ http://gentoo.mirrors.pair.com/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_GB en_US en nb_NO nb no"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS=""
PORTAGE_COMPRESS_FLAGS=" "
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://tree.broomstick.com/gentoo-portage"
USE="3dnow X Xaw3d aac acl acpi alsa audiofile berkdb cairo caps cdr cli cracklib crypt cups dbus dri dvd dvdread eds emboss encode esd evo exif fam flac gd gdbm gif gimp gmp gnome gpm gstreamer gtk gtk2 hal iconv idn ipv6 isdnlog jpeg lcms libnotify logrotate lzo mad matroska mbox midi mikmod mmap mmx motif mp3 mpeg mudflap ncurses nfs nis nls nntp nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl pic png posix ppds pppd pulseaudio python qt3support qt4 quicktime readline reflection sdl seamonkey session sndfile spell spl sse ssl startup-notification svg sysfs tcpd threads tiff timidity tk truetype unicode usb vorbis win32codecs x86 xattr xcomposite xml xorg xulrunner xv xvid zlib"
ALSA_CARDS="ali5451"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
ELIBC="glibc"
INPUT_DEVICES="keyboard mouse synaptics"
KERNEL="linux"
LINGUAS="en_GB en_US en nb_NO nb no"
USERLAND="GNU"
VIDEO_CARDS="radeon"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
I fear there is nothing much I can do. We provide defaults that work well with default configuration. NIS authentication isn't exactly a default setup imho. Adding flameeyes to see if he has something to say since these changes were made to take advantage of pambase.
But this is a local account, not a NIS account -- NIS authentication shouldn't come into play at all (and, indeed "login" works).
please attach the pam files you modified.
I haven't modified any pam.d files, so I am unable to comply with your request. Here's a diff between the old (working) and new (non-working) /etc/pam.d/gdm file: 3c3 < auth include system-auth --- > auth include system-login 5,6c5,9 < account include system-auth < password include system-auth --- > > account include system-login > > password include system-login > 7a11 > #Keyring=session optional pam_gnome_keyring.so auto_start fairy pam.d #
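Review bot: The account line changed in hunk 5,6c5,9 (`account include system-login`) is where the login failure enters: the reported denial is logged as pam_access(gdm:account) with origin `:0`, and reverting to system-auth restores login. The change should come with a note that /etc/security/access.conf has to permit the X display origin `:0` for users who log in through gdm, or the account include should be reconsidered separately from the auth and password includes. The line added in 7a11 starts with `#Keyring=`, which reads as neither a plain comment nor an active rule; a short comment saying how it is meant to be enabled would help.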
Explicitly adding the users to /etc/security/access.conf allows the login:

+ : art : :0
+ : user2 : :0
+ : user3 : :0
+ : user4 : :0
...

However, this doesn't seem like a good solution. :-) I could also add the users to the NIS netgroup which has already been given access explicitly (which is pretty much required for NIS):

+ : @loginusers : :0
...

but then there would be no login when roaming outside the network.

<speculation>
Is there a way to explicitly grant local users access? Besides using pam.d/system-access instead of pam.d/system-login and thus bypassing pam_access.so? Like a way to call pam_access.so just for remote users? I'd think that normally, allowing login to local users would be OK -- after all, the default gentoo setup allows absolutely everyone, both remote and local, but the X server only runs locally (which you can't do when using remote X and NIS)... Just wondering whether there's a possibility to keep both defaults and those who run remote X servers and/or NIS happy here...
</speculation>
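A simplified model of how pam_access evaluates /etc/security/access.conf, added here as an illustration (not code from this bug report or from Linux-PAM): the first rule whose user and origin fields both match decides, and access is granted when no rule matches. The access.conf contents, the netgroup membership and the user nisuser1 are constructed assumptions; only ALL, @netgroup and literal tokens are handled.

```python
# Added example: first-match evaluation of access.conf rules, simplified.
# The file contents and netgroup membership below are constructed samples.

BASE_CONF = """\
# constructed sample, not the reporter's real file
+ : root : ALL
+ : @loginusers : ALL
- : ALL : ALL
"""

NETGROUPS = {"loginusers": {"nisuser1"}}  # constructed; art is a local user


def parse_rules(text):
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Split at most twice: the origin field may itself contain ':'
        # (the X display ":0" from the log), so it takes the rest of the line.
        parts = line.split(":", 2)
        if len(parts) != 3:
            continue
        perm, users, origins = (p.strip() for p in parts)
        if perm in ("+", "-"):
            rules.append((perm, users.split(), origins.split(), line))
    return rules


def user_matches(tokens, user, netgroups):
    for tok in tokens:
        if tok == "ALL" or tok == user:
            return True
        if tok.startswith("@") and user in netgroups.get(tok[1:], ()):
            return True
    return False


def origin_matches(tokens, origin):
    return any(tok == "ALL" or tok == origin for tok in tokens)


def decide(text, user, origin, netgroups=NETGROUPS):
    """Return (allowed, deciding_rule); deciding_rule is None if nothing matched."""
    for perm, users, origins, line in parse_rules(text):
        if user_matches(users, user, netgroups) and origin_matches(origins, origin):
            return perm == "+", line
    return True, None  # no rule matched: access is granted


# The workaround from the comment above: allow art from display :0 before the deny.
FIXED_CONF = BASE_CONF.replace("- : ALL : ALL", "+ : art : :0\n- : ALL : ALL")
```

Calling `decide(BASE_CONF, "art", ":0")` returns the deciding rule alongside the verdict, which is the quickest way to see which line of a real access.conf produced a pam_access denial.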
Hum, listen, your setup is a bit special and I can't set up something like this to debug the issue. As I don't want to remove the changes that were done because it benefits a lot of users, I'm going to close this bug cantfix. If you can figure out something that would integrate well at the distro level, feel free to get in touch, but in the meantime you're mostly on your own, sorry.