donapieppo / libnss-ato

The libnss_ato module is a set of C library extensions that map every NSS request for an unknown user to a single predefined user.

License: Other

Makefile 16.00% C 43.53% Roff 17.06% Dockerfile 5.96% Shell 17.45%

Contributors: arlos, bossmc, donapieppo, johadalin, kokan, petrosagg, rkd-msw, sshedi

libnss-ato's Issues

Fall back to passwd file from radius is not working.

Hi,
I am trying to configure a setting where the first authentication method is RADIUS; if it fails, then use the local passwd file to authenticate. I have my nsswitch.conf file configured as follows and I also have a valid RADIUS server configured:

passwd: ato files
group: files
shadow: ato files
gshadow: files

With this setting, I am not able to authenticate the local users that are in the /etc/passwd file.
However, if the settings are reversed as 'files ato', I am able to authenticate both local and RADIUS users. Do you know if this is a known bug or am I missing a configuration somewhere?

Thank you!
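
Added example, not part of the issue above or of libnss-ato's code: a small C model of how an nsswitch.conf chain is walked with the default actions (a source that returns success ends the lookup, not-found moves on to the next source), run over the two orderings from the issue. The account table, the uid 1000 mapping and all function names are constructed assumptions; the ato source is modelled as answering every name, following the project description.

```c
#include <stdio.h>
#include <string.h>

enum status { SUCCESS, NOTFOUND };   /* subset of the NSS status codes */
/* Model of "files": a constructed table of local accounts. */
static enum status files_lookup(const char *name, unsigned *uid) {
    static const struct { const char *name; unsigned uid; } local[] = {
        { "root", 0 }, { "alice", 1001 },
    };
    for (size_t i = 0; i < sizeof local / sizeof local[0]; i++)
        if (strcmp(name, local[i].name) == 0) { *uid = local[i].uid; return SUCCESS; }
    return NOTFOUND;
}

/* Model of a catch-all source: every name maps to one predefined uid. */
static enum status ato_lookup(const char *name, unsigned *uid) {
    (void)name;
    *uid = 1000;                      /* assumed mapped account */
    return SUCCESS;
}

/* Walk a space-separated chain with the default actions (SUCCESS=return,
 * NOTFOUND=continue). Returns the source that answered, or NULL. */
const char *resolve(const char *chain, const char *name, unsigned *uid) {
    static const struct {
        const char *src;
        enum status (*fn)(const char *, unsigned *);
    } mods[] = { { "files", files_lookup }, { "ato", ato_lookup } };
    for (const char *p = chain; *p; ) {
        p += strspn(p, " ");
        size_t len = strcspn(p, " ");
        for (size_t i = 0; i < 2; i++)
            if (strlen(mods[i].src) == len && !strncmp(p, mods[i].src, len) &&
                mods[i].fn(name, uid) == SUCCESS)
                return mods[i].src;
        p += len;
    }
    return NULL;
}

int main(void) {
    const char *chains[] = { "ato files", "files ato" };
    unsigned uid = 0;
    for (int c = 0; c < 2; c++) {
        const char *by = resolve(chains[c], "alice", &uid);
        printf("%s: alice -> uid=%u (answered by %s)\n", chains[c], uid, by);
    }
    return 0;
}
```

In this model, a catch-all source placed first answers for local names too, so the files source is never consulted; placed last, it only sees names that files did not know.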

Support for Alpine

I am trying to compile the library in Alpine and it seems that fgetpwent is not available in musl. Since my use case does not require an actual user I will probably solve it with hardcoding, but would there be any interest in making the config file not dependent on GNU code? Are there any downsides of manually parsing the config file?

libnss-ato considers test_user:test_group as username

Is it possible to limit libnss-ato functionality to skip names like "test_name.test_group"? This creates an issue where a command like "chown test_user.test_group a" treats "test_user.test_group" as a username, where chown would want "test_user" as the username and "test_group" as the user group.
The same issue occurs with "test_user:test_group".

Is there any open-source alternative to libnss-ato?

Hi All,

It looks like this project is not maintained anymore (last commit was 4 years ago).

I'm looking for an equivalent or better alternative for libnss-ato which is actively maintained. Any suggestions?
Thanks.

How to get sudo su working for a user?

I am using this library with pam_tacacs. I can log in with a tacacs user as a configured user in conf. But I can't switch to root. How to specify more groups?

because when I run id test_user

I am getting

id=1000(test_user) gid=1000(test_user) groups=1000(test_user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),111(lpadmin),112(sambashare)

and when I am logged in with tacacs user test_user and I run id I'm getting only

uid=1000(test_user) gid=1000(test_user) groups=1000(test_user)

in passwd it's like:

test_user:x:1000:1000:Test User,,,:/home/jrebjak:/bin/bash

and in libnss-ato.conf I have

test_user:x:1000:1000,27:Test User,,,:/home/jrebjak:/bin/bash

Using the plugin with root user

I'm not able to use the plugin with the root user but it works with another user.

Here is the config I'm using:

root:x:0:0:Root:/root:/bin/bash

Here are the logs I see (/var/log/secure):

sshd[2235]: Accepted password for myuser from 172.20.0.1 port 46328 ssh2
sshd[2235]: pam_systemd(sshd:session): Failed to create session: No such file or directory
sshd[2235]: pam_unix(sshd:session): session opened for user myuser by (uid=0)
sshd[2235]: fatal: login_get_lastlog: Cannot find account for uid 500
sshd[2235]: pam_unix(sshd:session): session closed for user myuser
sshd[2235]: syslogin_perform_logout: logout() returned an error
sshd[2238]: fatal: mm_request_send: write: Broken pipe

I confirm that it works with a non-root user.

Am I missing something?

License confusion

The license file (./copyright) is very clear that the project is protected by the general GPL.

However, in a C file I notice a comment that seems to indicate the LGPL.

libnss_ato.c

Lines 9-10
* this product may be distributed under the terms of
* the GNU Lesser Public License

Can we get clarity on which is the correct license and perhaps a correction to one or the other file so that only one license is referenced in the project?

Cannot create new users

With libnss-ato in action, new (local) users cannot be created on the system. I believe this is a known limitation with this library. Can it be selectively used for remote users only (in case of TACACS+/RADIUS/LDAP auth)?

Failing on CentOS 7 Vanilla

Tried the below test after installing from source on CentOS 7 Vanilla

If you add libnss-ato to the chain of nss modules (in /etc/nsswitch.conf) you get something like:
]$ id randomname
uid=1000(user_test) gid=1000 groups=1000
for every query of a random username not present in /etc/passwd.

Got the below output

# id randomuser
id: randomuser:  no such user
#

Is there anything else to be done on CentOS 7 specifically? I got this working on CentOS 6 without any issues.
Please let me know if you need any additional information.

Thanks.
