Hi.

When I used PAM with LDAP, I experienced the same problems sometimes.
Do you use additional PAM modules?
For instance, what is your /etc/nss.conf file? (I mean, the nss
configuration file, but I am not sure of the name)

Another point would be the login configuration. For instance, with
pamldap, I configured NFS based home directory ...

Julien Thomas.

आशीष शुक्ल Ashish Shukla <wahjava.ml@×××××.com> wrote:

> Hi list,
>
> When I try to log in to my Gentoo installation
> (hardened/selinux/amd64/no-multilib) at TTY, after entering
> username and password it takes a long time to show prompt. I tracked
> this problem down to some DNS resolution taking place at startup,
> i.e. when my default gateway is connected to internet, I can log in
> normally, but when I'm not connected, I experience this issue. I was
> also getting, a few days back, a selinux denial for 'locallogin_t',
> so with the help of Chris PeBenito, I fixed that issue by adding the
> following rule to my local SELinux policy:
>
> ----8<----8<----
> auth_use_nsswitch(local_login_t)
> ---->8---->8----
>
> I'm not able to figure out why it needs to do DNS resolution at login.
> Following are my related pam configuration files:
>
> ----8<----8<----
> abbe@chatteau ~ $ cat /etc/pam.d/system-auth
> #%PAM-1.0
>
> auth required pam_env.so
> auth sufficient pam_unix.so try_first_pass likeauth nullok
> auth required pam_deny.so
>
> account required pam_unix.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password required pam_deny.so
>
> session required pam_limits.so
> session required pam_unix.so
> abbe@chatteau ~ $ cat /etc/pam.d/login
> #%PAM-1.0
>
> auth required pam_securetty.so
> auth required pam_tally.so file=/var/log/faillog onerr=succeed no_magic_root
> auth required pam_shells.so
> auth required pam_nologin.so
> auth include system-auth
>
> account required pam_access.so
> account include system-auth
> account required pam_tally.so deny=0 file=/var/log/faillog onerr=succeed no_magic_root
>
> password include system-auth
>
> # pam_selinux.so close should be the first session rule
> session required pam_selinux.so close
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_env.so
> session optional pam_lastlog.so
> session optional pam_motd.so motd=/etc/motd
> session optional pam_mail.so
>
> # If you want to enable pam_console, uncomment the following line
> # and read carefully README.pam_console in /usr/share/doc/pam*
> #session optional pam_console.so
>
> session include system-auth
>
> # pam_selinux.so open should be the last session rule
> session required pam_selinux.so multiple open
>
> abbe@chatteau ~ $ getent hosts `hostname`
> ::1 localhost chatteau.d.lf chatteau localhost.localdomain
> abbe@chatteau ~ $ getent hosts 127.0.0.1
> 127.0.0.1 localhost chatteau.d.lf chatteau localhost.localdomain
> ---->8---->8----
>
> The long delay is only experienced when user is successfully
> authenticated. So I think it's somewhere in 'session' phase of PAM,
> though I'm not sure on this.
>
> Any idea what would be wrong here?
>
> TIA
> --
> Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/
> ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- --
>

--
gentoo-hardened@g.o mailing list
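
To test one `session` module at a time, it helps to see the order the modules run in once `include system-auth` is expanded. The following is an added example, not part of either message: `PAM_FILES` and `effective_stack` are names made up here, the input is an abridged copy of the two quoted files, and only the simple `type control module args` line form used in them is handled.

```python
"""Flatten a PAM service's stack for one phase, expanding `include` lines."""

# Constructed input: abridged from the two files quoted in the message
# (all session lines kept, wrapped lines rejoined, most other lines dropped).
PAM_FILES = {
    "system-auth": """\
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth required pam_deny.so
session required pam_limits.so
session required pam_unix.so
""",
    "login": """\
auth required pam_securetty.so
auth include system-auth
session required pam_selinux.so close
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_env.so
session optional pam_lastlog.so
session optional pam_motd.so motd=/etc/motd
session optional pam_mail.so
#session optional pam_console.so
session include system-auth
session required pam_selinux.so multiple open
""",
}


def effective_stack(service, phase, files, seen=()):
    """Return (control, module, args) tuples in the order the lines are listed
    after include expansion; control flags are reported, not evaluated."""
    if service in seen:
        raise ValueError("include loop: " + " -> ".join(seen + (service,)))
    stack = []
    for raw in files[service].splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if len(fields) < 3 or fields[0] != phase:
            continue
        control, module, args = fields[1], fields[2], fields[3:]
        if control == "include":                # splice the included file in place
            stack += effective_stack(module, phase, files, seen + (service,))
        else:
            stack.append((control, module, args))
    return stack


if __name__ == "__main__":
    for n, (ctl, mod, args) in enumerate(effective_stack("login", "session", PAM_FILES), 1):
        print(n, ctl, mod, " ".join(args))
```
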