[sudo-workers] pam.c version 1.42 vs 1.43

Aaron Spangler aaron777 at gmail.com
Sat Oct 23 20:59:33 EDT 2004

Oops - previous message did not come through.  Trying again....

If you have pam_ldap listed in your /etc/ldap.conf then maybe this is
your problem:

It sounds like your pam.conf file first list pam_unix and then second
lists pam_ldap.  This is normal.  What is happening is that pam_unix
is not returning PAM_SUCCESS (because it is the wrong password).  Then
pam calls pam_ldap which returns PAM_USER_UNKNOWN (because the user
you are testing is not in ldap, it is only in /etc/passwd & shadow). 
Pam then returns the most recent error message which was
(PAM_USER_UNKNOWN) and then sudo reports that error message instead.

Try adding 'ignore_unknown_user' to the last line that is part of the
'sudo auth' or 'other auth' stanza in the /etc/pam.conf.  If the last
module tested is pam_ldap, then add it to pam_ldap.

Example fragment of /etc/pam.conf
other auth sufficient libpam_unix.sl
other auth required libpam_ldap.sl ignore_unknown_user

This tells pam_ldap to return PAM_IGNORE instead of PAM_USER_UNKNOWN. 
Them pam will not discard the error message from pam_unix and you will
get a more relevant error message.

This may or may not help your problem.  I only have limited
information about your environment.  Hope this all helps.  Please let
me know if it does.


On Fri, 22 Oct 2004 10:37:59 -0700, Tom Lieuallen <toml at engr.orst.edu> wrote:
> I found in the sudo-workers archive a note about 'ldap and password'
> dated Fri Aug 20 09:16:53 MDT 2004.
> I am running HP-UX 11.11 (11i) with LDAP and shadow passwords.  With the
> pam.c released with sudo-1.6.8p1 (pam.c 1.43), I had problems.  When I
> reverted to 1.42, it works as expected.
> Specifically, when I ran sudo with pam.c 1.43, it would accept a correct
> password fine.  However, if I gave it a bad password, it reports the
> following and exits the program.  No further password attempts.
>   sudo: pam_authenticate: No account present for user
> And even worse, I don't get insulted. :-)
> It seems that 1.43 needs some more work.
> Thank you
> Tom Lieuallen
> Oregon State University
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-workers

More information about the sudo-workers mailing list