gradm_pam with ldap problem
Posted: Thu Jul 10, 2014 12:45 pm
I'm trying to set up separate admin roles for my sysadmins using grsec and I'm trying to get PAM authentication working between gradm and ldap. I know the ldap password is correct because sudo is able to authenticate properly. However, when I run gradm -p <role>, it tells me "Invalid password"
The basic process for them would be:
1. Log in as their user
2. sudo to root
3. gradm -p <admin_role>
So for user 'joe':
1. Login as 'joe'
2. sudo -H -s with the password for 'joe'
3. gradm -p joe
I have the 'joe' role configured as a special admin PAM-auth role (role joe sPA).
The grsec errors I see are:
The auth log messages I see are:
I took a look at the gradm-3.0-201405281853.tar.gz source and didn't see permissions for those objects in the gradm_pam ACLs, but I'm not sure if there is more that I need to do to make this work aside from adding ACLs for them.
--Maarten
The basic process for them would be:
1. Log in as their user
2. sudo to root
3. gradm -p <admin_role>
So for user 'joe':
1. Login as 'joe'
2. sudo -H -s with the password for 'joe'
3. gradm -p joe
I have the 'joe' role configured as a special admin PAM-auth role (role joe sPA).
The grsec errors I see are:
kernel: [3213401.646400] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to the unix domain socket /run/nscd/socket by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.646441] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied connect() to the unix domain socket /run/nscd/socket by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.647877] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/ldap.conf by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
kernel: [3213401.648225] grsec: From ipaddr: (root:U:/sbin/gradm_pam) denied access to hidden file /etc/ldap.conf by /sbin/gradm_pam[gradm_pam:32492] uid/euid:0/0 gid/egid:0/0, parent /sbin/gradm[gradm:32491] uid/euid:0/0 gid/egid:0/0
The auth log messages I see are:
gradm_pam: pam_unix(gradm:auth): authentication failure; logname=joe uid=0 euid=0 tty= ruser= rhost= user=joe
I took a look at the gradm-3.0-201405281853.tar.gz source and didn't see permissions for those objects in the gradm_pam ACLs, but I'm not sure if there is more that I need to do to make this work aside from adding ACLs for them.
--Maarten