| 1 |
Hi. |
| 2 |
|
| 3 |
When I used PAM with LDAP, I experienced the same problems sometimes. |
| 4 |
Do you use additionnal PAM modules? |
| 5 |
For instance, what is your /etc/nss.conf file ? (I mean, the nss |
| 6 |
configuration file, but I am not sure of the name) |
| 7 |
|
| 8 |
An other point would be the login configuration. For instance, with |
| 9 |
pamldap,I configured NFS based home directory ... |
| 10 |
|
| 11 |
Julien Thomas. |
| 12 |
|
| 13 |
आशीष शुक्ल Ashish Shukla <wahjava.ml@×××××.com> a écrit : |
| 14 |
|
| 15 |
> Hi list, |
| 16 |
> |
| 17 |
> When I try to login to my Gentoo installation |
| 18 |
> (hardened/selinux/amd64/no-multilib) at TTY, after entering |
| 19 |
> username and password it takes a long time to show prompt. I track |
| 20 |
> down this problem to the some DNS resolution |
| 21 |
> taking place at startup. i.e. when my default gateway is connected to |
| 22 |
> internet, I can log-in normally, |
| 23 |
> but when I'm not connected, I experience this issue. I was also |
| 24 |
> getting few days back a selinux denial for |
| 25 |
> 'locallogin_t', so with the help of Chris PeBenito, I fixed that issue |
| 26 |
> by adding following rule to my local |
| 27 |
> SELinux policy: |
| 28 |
> |
| 29 |
> ----8<----8<---- |
| 30 |
> auth_use_nsswitch(local_login_t) |
| 31 |
> ---->8---->8---- |
| 32 |
> |
| 33 |
> I'm not able to figure out why it needs to do DNS resolution at login. |
| 34 |
> Following are my related pam configuration |
| 35 |
> files: |
| 36 |
> |
| 37 |
> ----8<----8<---- |
| 38 |
> abbe@chatteau ~ $ cat /etc/pam.d/system-auth |
| 39 |
> #%PAM-1.0 |
| 40 |
> |
| 41 |
> auth required pam_env.so |
| 42 |
> auth sufficient pam_unix.so try_first_pass likeauth nullok |
| 43 |
> auth required pam_deny.so |
| 44 |
> |
| 45 |
> account required pam_unix.so |
| 46 |
> |
| 47 |
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 |
| 48 |
> ocredit=2 try_first_pass retry=3 |
| 49 |
> password sufficient pam_unix.so try_first_pass use_authtok |
| 50 |
> nullok md5 shadow |
| 51 |
> password required pam_deny.so |
| 52 |
> |
| 53 |
> session required pam_limits.so |
| 54 |
> session required pam_unix.so |
| 55 |
> abbe@chatteau ~ $ cat /etc/pam.d/login |
| 56 |
> #%PAM-1.0 |
| 57 |
> |
| 58 |
> auth required pam_securetty.so |
| 59 |
> auth required pam_tally.so file=/var/log/faillog |
| 60 |
> onerr=succeed no_magic_root |
| 61 |
> auth required pam_shells.so |
| 62 |
> auth required pam_nologin.so |
| 63 |
> auth include system-auth |
| 64 |
> |
| 65 |
> account required pam_access.so |
| 66 |
> account include system-auth |
| 67 |
> account required pam_tally.so deny=0 file=/var/log/faillog |
| 68 |
> onerr=succeed no_magic_root |
| 69 |
> |
| 70 |
> password include system-auth |
| 71 |
> |
| 72 |
> # pam_selinux.so close should be the first session rule |
| 73 |
> session required pam_selinux.so close |
| 74 |
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 |
| 75 |
> session required pam_env.so |
| 76 |
> session optional pam_lastlog.so |
| 77 |
> session optional pam_motd.so motd=/etc/motd |
| 78 |
> session optional pam_mail.so |
| 79 |
> |
| 80 |
> # If you want to enable pam_console, uncomment the following line |
| 81 |
> # and read carefully README.pam_console in /usr/share/doc/pam* |
| 82 |
> #session optional pam_console.so |
| 83 |
> |
| 84 |
> session include system-auth |
| 85 |
> |
| 86 |
> # pam_selinux.so open should be the last session rule |
| 87 |
> session required pam_selinux.so multiple open |
| 88 |
> |
| 89 |
> abbe@chatteau ~ $ getent hosts `hostname` |
| 90 |
> ::1 localhost chatteau.d.lf chatteau localhost.localdomain |
| 91 |
> abbe@chatteau ~ $ getent hosts 127.0.0.1 |
| 92 |
> 127.0.0.1 localhost chatteau.d.lf chatteau localhost.localdomain |
| 93 |
> ---->8---->8---- |
| 94 |
> |
| 95 |
> The long delay is only experienced when user is successfully |
| 96 |
> authenticated. So I think its somewhere |
| 97 |
> in 'session' phase of PAM, though I'm not sure on this. |
| 98 |
> |
| 99 |
> Any idea what would be wrong here ? |
| 100 |
> |
| 101 |
> TIA |
| 102 |
> -- |
| 103 |
> Ashish Shukla आशीष शुक्ल http://wahjava.wordpress.com/ |
| 104 |
> ·-- ·- ···· ·--- ·- ···- ·- ·--·-· --· -- ·- ·· ·-·· ·-·-·- -·-· --- -- |
| 105 |
> �����(���u��w����(�����x% |
| 106 |
> |
| 107 |
|
| 108 |
|
| 109 |
|
| 110 |
-- |
| 111 |
gentoo-hardened@g.o mailing list |
Archives