From: "Patrick M. Hausen"
To: freebsd-stable
Subject: PAM changes? (was: Re: NSS changes in releng/10.2?)
Date: Mon, 23 Nov 2015 17:09:50 +0100
Message-Id: <191784A3-0238-4889-9307-FF413D13F659@punkt.de>
In-Reply-To: <07B8E386-4692-4BE0-9516-E1CA67B2934D@punkt.de>
References: <07B8E386-4692-4BE0-9516-E1CA67B2934D@punkt.de>

Hi, all,

sorry for not trying this earlier and now replying to myself, but I'm
slowly making progress isolating the problem.

> On 23.11.2015 at 15:42, Patrick M. Hausen wrote:
>
> Hi, all,
>
> I just upgraded an older system from 8.4 to 10.2 in a single go.
> No unexpected problems, until I tried to use "su":
>
> $ su -
> su: Sorry
>
> Well, I *am* a member of the wheel group:
>
> $ id
> uid=10093(ry93) gid=10001(intern) groups=10001(intern),0(wheel),10002(entwickler)
>
> Hmmm ... we pull all this information from LDAP. My nsswitch.conf has always been:
>
> group: files cache ldap
> passwd: files cache ldap

And this part seems to be just as valid and working as before. I had the
implicit assumption that su(1) was using something like getgroups() to
determine if I am a member of "wheel" - which it doesn't. I even hacked up
5 lines of C to quickly get my supplementary group list and lo and behold:

$ ./groups
10002 0 10001

So, it is not NSS' or LDAP's fault.

I just looked at the source for su(1) and it looks like it uses PAM to
check if I am authorized to su to root:

	retcode = pam_authenticate(pamh, 0);
	if (retcode != PAM_SUCCESS) {
		syslog(LOG_AUTH|LOG_WARNING, "BAD SU %s to %s on %s",
		    username, user, mytty);
		errx(1, "Sorry");

My /etc/pam.d/system looks like this:

----------- system -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/system 197769 2009-10-05 09:28:54Z des $
#
# System-wide defaults
#

# auth
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
#auth		sufficient	pam_krb5.so			no_warn try_first_pass
#auth		sufficient	pam_ssh.so			no_warn try_first_pass
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
auth		required	pam_unix.so			no_warn try_first_pass nullok

# account
#account	required	pam_krb5.so
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so

# session
#session	optional	pam_ssh.so			want_agent
session		required	pam_lastlog.so			no_fail

# password
#password	sufficient	pam_krb5.so			no_warn try_first_pass
password	required	pam_unix.so			no_warn try_first_pass
----------------------

And /etc/pam.d/su like this:

----------- su -----------
#
# $FreeBSD: releng/10.2/etc/pam.d/su 219663 2011-03-15 10:13:35Z des $
#
# PAM configuration for the "su" service
#

# auth
auth		sufficient	pam_rootok.so		no_warn
auth		sufficient	pam_self.so		no_warn
auth		requisite	pam_group.so		no_warn group=wheel root_only fail_safe ruser
auth		include		system

# account
account		include		system

# session
session		required	pam_permit.so
----------------------

Any changes that I missed on the way from 8.4 to 10.2? Unfortunately I
do not have an older 10.x system that runs with an Active Directory
connection. Only 8.4 ones - this one was the first to finally get updated
to a current FreeBSD version.

As I stated, this PAM configuration works as intended on 8.4. I generated
the 10.2 files above by running mergemaster.

Thanks,
Patrick

--
punkt.de GmbH * Kaiserallee 13a * 76133 Karlsruhe
Tel. 0721 9109 0 * Fax 0721 9109 100
info@punkt.de	http://www.punkt.de
Gf: Jürgen Egeling	AG Mannheim 108285