[sudo-workers] pam.c version 1.42 vs 1.43
aaron777 at gmail.com
Sat Oct 23 20:59:33 EDT 2004
Oops - previous message did not come through. Trying again....
If you have pam_ldap listed in your /etc/ldap.conf then maybe this is
It sounds like your pam.conf file first lists pam_unix and then second
lists pam_ldap. This is normal. What is happening is that pam_unix
is not returning PAM_SUCCESS (because it is the wrong password). Then
pam calls pam_ldap which returns PAM_USER_UNKNOWN (because the user
you are testing is not in ldap, it is only in /etc/passwd & shadow).
Pam then returns the most recent error message which was
(PAM_USER_UNKNOWN) and then sudo reports that error message instead.
Try adding 'ignore_unknown_user' to the last line that is part of the
'sudo auth' or 'other auth' stanza in the /etc/pam.conf. If the last
module tested is pam_ldap, then add it to pam_ldap.
Example fragment of /etc/pam.conf:

    other auth sufficient libpam_unix.sl
    other auth required libpam_ldap.sl ignore_unknown_user

This tells pam_ldap to return PAM_IGNORE instead of PAM_USER_UNKNOWN.
Then pam will not discard the error message from pam_unix and you will
get a more relevant error message.
This may or may not help your problem. I only have limited
information about your environment. Hope this all helps. Please let
me know if it does.
On Fri, 22 Oct 2004 10:37:59 -0700, Tom Lieuallen <toml at engr.orst.edu> wrote:
> I found in the sudo-workers archive a note about 'ldap and password'
> dated Fri Aug 20 09:16:53 MDT 2004.
> I am running HP-UX 11.11 (11i) with LDAP and shadow passwords. With the
> pam.c released with sudo-1.6.8p1 (pam.c 1.43), I had problems. When I
> reverted to 1.42, it works as expected.
> Specifically, when I ran sudo with pam.c 1.43, it would accept a correct
> password fine. However, if I gave it a bad password, it reports the
> following and exits the program. No further password attempts.
> sudo: pam_authenticate: No account present for user
> And even worse, I don't get insulted. :-)
> It seems that 1.43 needs some more work.
> Thank you
> Tom Lieuallen
> Oregon State University
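
An added example, not part of the original message and not code from sudo or any PAM implementation: a simplified C model of the two-line stack in the reply, showing which result reaches sudo for a local-only user with and without ignore_unknown_user. The RC_* names and the evaluation rule (first required failure wins, otherwise the first other failure) are assumptions for illustration, not HP-UX source.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins for PAM return codes; not values from <security/pam_appl.h>. */
enum rc { RC_SUCCESS, RC_AUTH_ERR, RC_USER_UNKNOWN, RC_IGNORE };
enum ctl { CTL_REQUIRED, CTL_SUFFICIENT };
struct entry { enum ctl control; enum rc result; };

/* Simplified evaluation of one auth stack (assumed rules, see lead-in). */
enum rc eval_stack(const struct entry *s, size_t n)
{
    int req_seen = 0, other_seen = 0, ok_seen = 0;
    enum rc req_fail = RC_AUTH_ERR, other_fail = RC_AUTH_ERR;

    for (size_t i = 0; i < n; i++) {
        enum rc r = s[i].result;
        if (r == RC_IGNORE)
            continue;                 /* module takes no part in the verdict */
        if (r == RC_SUCCESS) {
            if (s[i].control == CTL_SUFFICIENT && !req_seen)
                return RC_SUCCESS;    /* sufficient success ends the stack */
            ok_seen = 1;
        } else if (s[i].control == CTL_REQUIRED) {
            if (!req_seen) { req_fail = r; req_seen = 1; }
        } else if (!other_seen) {
            other_fail = r; other_seen = 1;
        }
    }
    if (req_seen)   return req_fail;
    if (ok_seen)    return RC_SUCCESS;
    if (other_seen) return other_fail;
    return RC_AUTH_ERR;               /* nothing voted: fail closed */
}

/* User present in /etc/passwd and shadow only, never in LDAP. */
enum rc local_user_result(int password_ok, int ignore_unknown_user)
{
    struct entry stack[] = {
        { CTL_SUFFICIENT, password_ok ? RC_SUCCESS : RC_AUTH_ERR },          /* libpam_unix.sl */
        { CTL_REQUIRED, ignore_unknown_user ? RC_IGNORE : RC_USER_UNKNOWN }, /* libpam_ldap.sl */
    };
    return eval_stack(stack, sizeof stack / sizeof stack[0]);
}

int main(void)
{
    printf("bad password, no option:   %d\n", local_user_result(0, 0));
    printf("bad password, with option: %d\n", local_user_result(0, 1));
    return 0;
}
```

In this model the option changes only which failure is reported for a wrong password; a wrong password still never yields success.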