Granting su rights to users? Using PAM and Kerberos...

Daniel B. Thurman dant at cdkkt.com
Tue Nov 22 00:14:37 UTC 2005


>From: fedora-list-bounces at redhat.com
>[mailto:fedora-list-bounces at redhat.com]On Behalf Of Leonard Isham
>Sent: Monday, November 21, 2005 2:18 PM
>To: For users of Fedora Core releases
>Subject: Re: Granting su rights to users? Using PAM and Kerberos...
>
>
>On 11/21/05, Daniel B. Thurman <dant at cdkkt.com> wrote:
>>
>> Hmm..  I enabled Kerberos and set up pam files to use kerberos
>> authentications, and I also added root principal (root at REALM) but
>> I am still being prevented as a normal user to use 'su'
>>
>> I have been all over google and tried to find a solution but there
>> was none to be found.  I did see for BSD that you can use the
>> kdb_edit command to add per user, root permissions but I think
>> that is for Kerberos IV only.
>>
>> I am beginning to wonder if kerberos is even worth it anymore or
>> if it is being replaced with something else like the Directory Service?
>> No one seems to be talking much about kerberos in this newsgroup
>> so it seems.
>>
>> Anyway - can someone please shed some light here so that
>> I can at least su root as a normal user?
>
>Check /etc/pam.d/su
>
>--
>Leonard Isham, CISSP
>Ostendo non ostento.

Is there something I need to look for in /etc/pam.d/su?

/etc/pam.d/su
====================================================
#%PAM-1.0
auth       sufficient   /lib/security/$ISA/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required	/lib/security/$ISA/pam_stack.so service=system-auth
account    required	/lib/security/$ISA/pam_stack.so service=system-auth
password   required	/lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so close must be first session rule
session	   required	/lib/security/$ISA/pam_selinux.so close
session    required	/lib/security/$ISA/pam_stack.so service=system-auth
# pam_selinux.so open and pam_xauth must be last two session rules
session	   required	/lib/security/$ISA/pam_selinux.so open multiple
session    optional	/lib/security/$ISA/pam_xauth.so
====================================================

The following changes were made to /etc/pam.d/system-auth
per: http://www.ofb.net/~jheiss/krbldap/howto.html

/etc/pam.d/system-auth
====================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     required      /lib/security/$ISA/pam_access.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_krb5.so
account     required      /lib/security/$ISA/pam_access.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_krb5.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_krb5.so
====================================================

Thanks,
Dan
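
An added example, not part of the original message: a simplified Python model of how PAM combines the `sufficient` and `required` control flags across the auth lines of the two files posted above, including the `pam_stack.so` hop from `su` into `system-auth`. Each module's success or failure is a constructed input supplied by the caller; `optional` and bracketed controls are not modelled.

```python
# Added example: auth lines copied from the two files in the message above.
# Module outcomes are constructed inputs; no real PAM module is called.
SU_AUTH = """\
auth       sufficient   /lib/security/$ISA/pam_rootok.so
#auth       sufficient   /lib/security/$ISA/pam_wheel.so trust use_uid
#auth       required     /lib/security/$ISA/pam_wheel.so use_uid
auth       required     /lib/security/$ISA/pam_stack.so service=system-auth
"""
SYSTEM_AUTH = """\
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
"""
SERVICES = {"su": SU_AUTH, "system-auth": SYSTEM_AUTH}

def parse(text, mtype="auth"):
    """Return (control, module basename, args) for each active line of one type."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0].startswith("#") or f[0] != mtype:
            continue  # blank line, comment (e.g. the pam_wheel lines), other type
        rules.append((f[1], f[2].rsplit("/", 1)[-1], f[3:]))
    return rules

def run_stack(service, results, trace):
    """Evaluate one auth stack; results maps module name -> True/False."""
    failed = False
    for control, module, args in parse(SERVICES[service]):
        if module == "pam_stack.so":
            # pam_stack runs the named service's stack and returns its result
            sub = dict(a.split("=", 1) for a in args if "=" in a)["service"]
            ok = run_stack(sub, results, trace)
        else:
            ok = results.get(module, False)
        trace.append((service, module, control, ok))
        if control == "requisite" and not ok:
            return False          # fail immediately
        if control == "sufficient" and ok and not failed:
            return True           # success ends the stack early
        if control == "required" and not ok:
            failed = True         # remember failure, keep running
    return not failed

if __name__ == "__main__":
    trace = []
    print(run_stack("su", {"pam_env.so": True, "pam_krb5.so": True}, trace))
    for step in trace:
        print(step)
```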
