Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • 11:36
    yaleman review_requested #904
  • 11:36
    yaleman labeled #904
  • 11:36
    yaleman opened #904
  • 11:29

    yaleman on kanidm_cli_docker

    bump (compare)

  • 11:16

    yaleman on kanidm_cli_docker

    updated (compare)

  • 11:10

    yaleman on kanidm_cli_docker

    fixing up dockerfiles (compare)

  • 10:31

    yaleman on kanidm_cli_docker

    updated Added KANIDM_BUILD_PROFILE to k… (compare)

  • 10:28

    yaleman on kanidm_cli_docker

    adding kanidm image and config updated removing npm deps from build an… and 5 more (compare)

  • 08:20

    github-actions[bot] on gh-pages

    deploy: 4830479bd51d88ac40fb514… (compare)

  • 07:46

    github-actions[bot] on gh-pages

    deploy: dd973eb0ec0fa70268806bf… (compare)

  • 07:45

    yaleman on pip

    (compare)

  • 07:45

    yaleman on master

    Bump mkdocs-material from 8.3.8… (compare)

  • 07:45
    yaleman closed #901
  • 07:44

    yaleman on cargo

    (compare)

  • 07:44

    yaleman on master

    Bump tide-compress from 0.10.3 … (compare)

  • 07:44
    yaleman closed #902
  • 07:40

    dependabot[bot] on github_actions

    (compare)

  • 07:40

    yaleman on master

    Bump actions/setup-python from … (compare)

  • 07:40
    yaleman closed #900
  • 07:34

    dependabot[bot] on github_actions

    (compare)

Firstyear
@Firstyear
Right
Okay, so the next steps would be

systemctl edit kanidm-unix.service

[Service]
Environment="RUST_LOG=kanidm=debug"

in pam, on lines with pam_kanidm.so, add the option debug

Then restart kanidm-unixd, and try su again.
Youll have more info in journalctl, and it prints more to the TTY from the pam module.
But after that I'll need to see your /etc/pam.d/su and probably other fules.
files*
https://kanidm.github.io/kanidm/pam_and_nsswitch.html
There is a troubleshooting section here which is honestly what I'm reading XD
Triss Healy
@trissylegs
Yea. I've been through most of that
I think it'll be something in /etc/pam.d
Firstyear
@Firstyear
Yeah, most likely
Pam is really tricky and delicate at the best of times :(
Triss Healy
@trissylegs
kanidm-unixd logs: https://gist.github.com/trissylegs/e18ba2e03e2728bb68dc8b8f9df902ea
Firstyear
@Firstyear
That all looks happy
content of /etc/pam.d/su ?
It may have include statements, so if those are present, can you provide those files too?
Triss Healy
@trissylegs
From what I gathered. Arch linux pam nearly all includes system-login
Firstyear
@Firstyear
Yeah, but better to check what /etc/pam.d/su actually says :P
Triss Healy
@trissylegs
% cat su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session            required        pam_unix.so
password        include         system-auth
pam.d/su-l is identical
Firstyear
@Firstyear
Yeah, that would be the isses, it's not including system-auth for auth/account/session, it's only using pam_unix
So it only allows local accounts.
Triss Healy
@trissylegs
Ahh
Firstyear
@Firstyear
Have a look at /etc/pam.d/sudo
It's content would likely be more alligned to what you want here.
Triss Healy
@trissylegs
% cat sudo       
#%PAM-1.0
auth        include        system-auth
account        include        system-auth
session        include        system-auth
Firstyear
@Firstyear
Yeah, exactly.
It's includidng system auth
Triss Healy
@trissylegs
I'll get systemauth in a gist it's longer
Firstyear
@Firstyear
I think for su and su-l though here, you'll have to be careful because I think that anyone who matches those assertions can SU.
Honestly, I don't use su much, I use sudo,
But I'd say that would be your issue
Triss Healy
@trissylegs
I think sudo has the same error. (But actually prints pam messages)
Firstyear
@Firstyear
Right, so then we'll need to see system-auth
But getting closer :)
Triss Healy
@trissylegs
So uhhh
Firstyear
@Firstyear
Uh oh.
Triss Healy
@trissylegs
I just run sudo --login and it worked
Firstyear
@Firstyear
Yeah.
But .....
Triss Healy
@trissylegs
$ sudo --user=nirya --login

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for safety: 
acct_mgmt
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Firstyear
@Firstyear
sudo -s or sudo -i work?
Yeah,
Like I said, that su file, only allows pam_unix
Triss Healy
@trissylegs
Hmmm. Can't login to a tty though?
Firstyear
@Firstyear
Any debug messages there from the tty? IIRC tty's go through a different pam module nd again, may have their own requirements.
I think tty goes though /etc/pam.d/login
Triss Healy
@trissylegs
Ahh sudo might be doing this via pam_rootok.so.
Firstyear
@Firstyear
Possible.