Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 234771 - gnome-base/gdm-2.20.7 pam.d changes prevents login of local user in NIS environment
Summary: gnome-base/gdm-2.20.7 pam.d changes prevents login of local user in NIS envir...
Status: RESOLVED CANTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] GNOME (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Linux Gnome Desktop Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-14 21:48 UTC by Arthur Hagen
Modified: 2009-01-11 22:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Arthur Hagen 2008-08-14 21:48:20 UTC
Changes to /etc/pam.d/gdm to use system-login instead of system-auth prevents login of clients on system.  Users receive an error that logins are temporarily disabled.  (There is no /etc/nologin on the system.)

Corresponsing log entries:
/var/log/auth.log:
Aug 14 15:12:27 fairy gdm[9147]: pam_access(gdm:account): access denied for user `art' from `:0'

/var/log/warn:
Aug 14 15:12:27 fairy gdm[9147]: WARNING: User art not permitted to gain access at this time 

System uses both passwd and NIS for authentication - (nsswitch.conf set to "compat", and last line in /etc/passwd is "+:::::").
However, this is a local user -- same user able to log in through console or ssh, or su.

Reverting to system-auth for pam.d/gdm restores login functionality.
Comment 1 Arthur Hagen 2008-08-14 21:49:54 UTC
Portage 2.1.4.4 (default/linux/x86/2008.0/desktop, gcc-3.4.6, glibc-2.6.1-r0, 2.6.23-gentoo-r9 i686)
=================================================================
System uname: 2.6.23-gentoo-r9 i686 mobile AMD Athlon(tm) XP2400+
Timestamp of tree: Wed, 13 Aug 2008 20:00:01 +0000
distcc 2.18.3 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.4 [enabled]
app-shells/bash:     3.2_p33
dev-lang/python:     2.5.2-r6
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.2.18.1-r2
sys-devel/autoconf:  2.13, 2.61-r2
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.0-r4
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.23-r3
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=athlon-4 -momit-leaf-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo /etc/udev/rules.d"
CXXFLAGS="-O2 -march=athlon-4 -momit-leaf-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y"
FEATURES="ccache distcc distlocks fixpackages metadata-transfer noinfo sandbox sfperms strict unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://gentoo.mirrors.tds.net/gentoo http://gentoo.osuosl.org/ http://gentoo.mirrors.pair.com/"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
LINGUAS="en_GB en_US en nb_NO nb no"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS=""
PORTAGE_COMPRESS_FLAGS=" "
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://tree.broomstick.com/gentoo-portage"
USE="3dnow X Xaw3d aac acl acpi alsa audiofile berkdb cairo caps cdr cli cracklib crypt cups dbus dri dvd dvdread eds emboss encode esd evo exif fam flac gd gdbm gif gimp gmp gnome gpm gstreamer gtk gtk2 hal iconv idn ipv6 isdnlog jpeg lcms libnotify logrotate lzo mad matroska mbox midi mikmod mmap mmx motif mp3 mpeg mudflap ncurses nfs nis nls nntp nptl nptlonly offensive ogg opengl openmp pam pcre pdf perl pic png posix ppds pppd pulseaudio python qt3support qt4 quicktime readline reflection sdl seamonkey session sndfile spell spl sse ssl startup-notification svg sysfs tcpd threads tiff timidity tk truetype unicode usb vorbis win32codecs x86 xattr xcomposite xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics" KERNEL="linux" LINGUAS="en_GB en_US en nb_NO nb no" USERLAND="GNU" VIDEO_CARDS="radeon"
Unset:  CPPFLAGS, CTARGET, INSTALL_MASK, LANG, LC_ALL, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 2 Gilles Dartiguelongue gentoo-dev 2008-08-14 22:51:02 UTC
I fear there is nothing much I can do. We provide defaults that works well with default configuration. NIS authentication isn't exactly a default setup imho.

Adding flameeyes to see if he has something to say since these changes were made to take advantage of pambase.
Comment 3 Arthur Hagen 2008-08-14 22:54:43 UTC
But this is a local account, not a NIS account -- NIS authentication shouldn't come into play at all (and, indeed "login" works).
Comment 4 Gilles Dartiguelongue gentoo-dev 2008-08-14 23:17:04 UTC
please attach the pam files you modified.
Comment 5 Arthur Hagen 2008-08-14 23:24:20 UTC
I haven't modified any pam.d files, so I am unable to comply with your request.

Here's a diff between the old (working) and new (non-working) /etc/pam.d/gdm file:

3c3
< auth       include		system-auth
---
> auth       include		system-login
5,6c5,9
< account    include		system-auth
< password   include		system-auth
---
> 
> account    include		system-login
> 
> password   include		system-login
> 
7a11
> #Keyring=session    optional		pam_gnome_keyring.so auto_start
fairy pam.d # 

Comment 6 Arthur Hagen 2008-08-14 23:53:57 UTC
Explicitly adding the users to /etc/security/access.conf allows the login

+ : art : :0
+ : user2 : :0
+ : user3 : :0
+ : user4 : :0
...

However, this doesn't seem like a good solution.  :-)

I could also add the users to the NIS netgroup which already have been given explicitly access (which is pretty much required for NIS):

+ : @loginusers : :0

... but then there would be no login when roaming outside the network.

<speculation>
Is a way to explicitly grant local users access?  Besides using pam.d/system-access instead of pam.d/system-login and thus bypassing pam_access.so?  Like a way to call pam_access.so just for remote users?  I'd think that normally, allowing login to local users would be OK -- after all, the default gentoo setup allows absolutely everyone, both remote and local, but the X server only runs locally (which you can't do when using remote X and NIS)...
Just wondering whether there's a possibility to keep both defaults and those who run remote X servers and/or NIS happy here...
</speculation>
Comment 7 Gilles Dartiguelongue gentoo-dev 2009-01-11 22:53:31 UTC
hum listen your setup is a bit special and I can't setup something like this to debug the issue. As I don't want to remove the changes that were done because it benefits a lot of users I'm going to close this bug cantfix. If you can figure out something that would integrate well at the distro level, feel free to get in touch but in the mean time, you're mostly on your own, sorry.