Where communities thrive


  • Join over 1.5M+ people
  • Join over 100K+ communities
  • Free without limits
  • Create your own community
People
Activity
  • 06:45

    yaleman on radius-python

    clearer messaging when changing… split up the zypper clean from … (compare)

  • 06:44
    yaleman opened #796
  • 04:04

    github-actions[bot] on gh-pages

    deploy: 48e0fd7d210b679a459c8b6… (compare)

  • 03:51

    github-actions[bot] on gh-pages

    deploy: b5794c97a31f61925ab8c47… (compare)

  • 03:43
    yaleman commented #792
  • 03:43

    yaleman on master

    Set default value for SCCACHE_R… (compare)

  • 03:43
    yaleman closed #792
  • 03:39

    yaleman on master

    Change success message to print… (compare)

  • 03:39
    yaleman closed #795
  • 03:39
    yaleman commented #795
  • 03:29
    trissylegs opened #795
  • 01:39
    Firstyear commented #792
  • 01:38
    Firstyear commented #794
  • May 28 11:06
    yaleman commented #794
  • May 28 10:53

    github-actions[bot] on gh-pages

    deploy: 790db7ea1de0ca87a1d7e9d… (compare)

  • May 28 10:48
    yaleman commented #792
  • May 28 10:42
    yaleman commented #793
  • May 28 10:42

    yaleman on master

    Add domain key to example serve… (compare)

  • May 28 10:42
    yaleman closed #793
  • May 28 08:11
    kellinm opened #794
Firstyear
@Firstyear
content of /etc/pam.d/su ?
It may have include statements, so if those are present, can you provide those files too?
Triss Healy
@trissylegs
From what I gathered. Arch linux pam nearly all includes system-login
Firstyear
@Firstyear
Yeah, but better to check what /etc/pam.d/su actually says :P
Triss Healy
@trissylegs
% cat su
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            required        pam_unix.so
account         required        pam_unix.so
session            required        pam_unix.so
password        include         system-auth
pam.d/su-l is identical
Firstyear
@Firstyear
Yeah, that would be the isses, it's not including system-auth for auth/account/session, it's only using pam_unix
So it only allows local accounts.
Triss Healy
@trissylegs
Ahh
Firstyear
@Firstyear
Have a look at /etc/pam.d/sudo
It's content would likely be more alligned to what you want here.
Triss Healy
@trissylegs
% cat sudo       
#%PAM-1.0
auth        include        system-auth
account        include        system-auth
session        include        system-auth
Firstyear
@Firstyear
Yeah, exactly.
It's includidng system auth
Triss Healy
@trissylegs
I'll get systemauth in a gist it's longer
Firstyear
@Firstyear
I think for su and su-l though here, you'll have to be careful because I think that anyone who matches those assertions can SU.
Honestly, I don't use su much, I use sudo,
But I'd say that would be your issue
Triss Healy
@trissylegs
I think sudo has the same error. (But actually prints pam messages)
Firstyear
@Firstyear
Right, so then we'll need to see system-auth
But getting closer :)
Triss Healy
@trissylegs
So uhhh
Firstyear
@Firstyear
Uh oh.
Triss Healy
@trissylegs
I just run sudo --login and it worked
Firstyear
@Firstyear
Yeah.
But .....
Triss Healy
@trissylegs
$ sudo --user=nirya --login

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for safety: 
acct_mgmt
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Firstyear
@Firstyear
sudo -s or sudo -i work?
Yeah,
Like I said, that su file, only allows pam_unix
Triss Healy
@trissylegs
Hmmm. Can't login to a tty though?
Firstyear
@Firstyear
Any debug messages there from the tty? IIRC tty's go through a different pam module nd again, may have their own requirements.
I think tty goes though /etc/pam.d/login
Triss Healy
@trissylegs
Ahh sudo might be doing this via pam_rootok.so.
Firstyear
@Firstyear
Possible.
I'm gonna have to run off shortly though, friends coming for dinner.
But I think you're on the right track now?
If not, I'll look in a few hours :)
Triss Healy
@trissylegs
Ok I'm going fiddle with PAM settings until this works
nirya@Asuka ~ % sudo 'echo test'
[sudo] password for nirya: 
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
acct_mgmt
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
sudo: PAM account management error: Authentication service cannot retrieve authentication info
sudo: a password is required
Firstyear
@Firstyear
Have yo uset a posix pw on the account?
Triss Healy
@trissylegs
Pretty sure
I'll do it again
It did not fix it
Triss Healy
@trissylegs
# pamtester sudo nirya authenticate
sm_authenticate
args -> ["debug", "ignore_unknown_user"]
opts -> Options { debug: true, use_first_pass: false, ignore_unknown_user: true }
Password: 

pamtester: successfully authenticated
So It's failing after authenticate
Triss Healy
@trissylegs
Ok I can log-in now:
This appeared to be the culprit:
account    required                    pam_unix.so
Logged via GDM works too
Triss Healy
@trissylegs
pffftt. pkexec fails if debug is enabled because the debug messages break its auth helper
Firstyear
@Firstyear
Yeah, look at the suse pam configs @trissylegs 
# /etc/pam.d/common-auth-pc
auth        required      pam_env.so
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_kanidm.so ignore_unknown_user
auth        required      pam_deny.so
Note the "pam_localuser.so"? With default=1? That means "if the account is NOT local, jump one module."