PamCcredsHowto: Difference between revisions

From Ubuntu中文
Oneleaf (talk | contribs)
No edit summary
Wikibot (talk | contribs)
No edit summary

(5 intermediate revisions by the same user not shown)
{{From|https://help.ubuntu.com/community/PamCcredsHowto}}
{{Languages|UbuntuHelp:PamCcredsHowto}}
<<Include(Tag/StyleCleanup)>>
<<Include(Tag/NeedsExpansion)>>
<<Include(Tag/Unsupported)>>
Install & configure libpam-ccreds on Ubuntu 5.10, 7.04, 7.10, 8.04.
=== Introduction ===
Your username and password are your credentials. Cached credentials are very useful for laptops on which user authentication is done via an LDAP server: you are still able to authenticate with the accustomed login credentials when the LDAP server is not reachable.

I will give a brief explanation of PAM. Linux-PAM is a system of libraries that handles all authentication in Ubuntu by default. A PAM is a ''Pluggable Authentication Module'' that is handled by Linux-PAM. Each module represents a particular authentication mechanism and is named pam_xxxxx.so. pam_unix.so handles basic Linux authentication using the /etc/passwd, /etc/group and /etc/shadow files. pam_ldap.so handles authentication using an LDAP database. And so on.
=== Installation ===
Install the necessary packages. To do so, open a terminal and type:
<pre><nowiki>
sudo apt-get install nss-updatedb libnss-db libpam-ccreds
</nowiki></pre>

=== nss-updatedb ===
Caches name service directories (passwd and group) locally in /var/lib/misc/passwd.db and /var/lib/misc/group.db. When a connection to the LDAP server is available, run the following once to create (or update) the passwd and group cache:
<pre><nowiki>
sudo nss_updatedb ldap
  passwd... done.
  group... done.
ls -l /var/lib/misc/*.db
  -rw-r--r-- 1 root root 8192 2008-08-26 18:20 /var/lib/misc/group.db
  -rw-r--r-- 1 root root 8192 2008-08-26 18:20 /var/lib/misc/passwd.db
</nowiki></pre>
If this is the first time you run the command, check that /var/lib/misc/passwd.db and /var/lib/misc/group.db have been created.

The cache must be refreshed regularly so that it does not go stale. Use anacron to run the command no earlier than 5 minutes after boot-up, once a day only, by dropping a small script into /etc/cron.daily:
<pre><nowiki>
echo '#!/bin/sh'               | sudo tee    /etc/cron.daily/upd-local-nss-db
echo `which nss_updatedb` ldap | sudo tee -a /etc/cron.daily/upd-local-nss-db
sudo chmod +x /etc/cron.daily/upd-local-nss-db
</nowiki></pre>

=== libnss-db ===
NSS module for using Berkeley Databases as a naming service. This is needed to enable NSS to read the cached name service directories (passwd and group). (The package in Gutsy has the right version, so you can simply apt-get install libnss-db.)

Edit /etc/nsswitch.conf:
<pre><nowiki>
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
</nowiki></pre>
''[NOTFOUND=return]'' is added for performance reasons: if the user is found in the LDAP directory, searching stops. The lines mean:

* look first in the local files (/etc/passwd and /etc/group)
* if not found, use LDAP
* when LDAP does not have user information, exit and return nothing (this is the [NOTFOUND=return] directive)
* if the LDAP server was not reachable, proceed with using the cached data

You can test whether passwd and group are cached properly by disconnecting the network connection (e.g. ifdown eth0) and listing the users:
<pre><nowiki>
ifdown eth0
sudo getent passwd
</nowiki></pre>
This should return the local users plus the users from the LDAP server cached in passwd.db.
=== libpam-ccreds ===
PAM module to cache authentication credentials (i.e. passwords) locally in /var/cache/.security.db.

You need to edit /etc/pam.d/'''common-auth''' as follows:
<pre><nowiki>
auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass
# If LDAP is unavailable, go to next line.  If authentication via LDAP is successful, skip 1 line.
# If LDAP is available, but authentication is NOT successful, skip 2 lines.
auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
auth [default=done] pam_ccreds.so action=validate use_first_pass
auth [default=done] pam_ccreds.so action=store
auth [default=bad] pam_ccreds.so action=update
</nowiki></pre>
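The comments in the stack above summarise the control fields; the following added example (not part of the original howto) steps through exactly this common-auth stack using the [value=action] rules as documented in pam.conf(5), with the real modules replaced by stubs driven by a constructed scenario dict. It shows that when the LDAP server is reachable and rejects the password, validate and store are skipped and only update runs, so a stale cached credential can never rescue a rejected login; the cache is consulted only when LDAP is unreachable.

```python
# Added example: trace how Linux-PAM walks the howto's common-auth stack.
# The control logic follows the [value=action] rules in pam.conf(5); the
# modules themselves are stubs driven by a scenario dict (constructed data).

# The howto's /etc/pam.d/common-auth as (control, module, pam_ccreds action).
COMMON_AUTH = [
    ({"success": "done", "default": "ignore"}, "pam_unix", None),
    ({"authinfo_unavail": "ignore", "success": 1, "default": 2}, "pam_ldap", None),
    ({"default": "done"}, "pam_ccreds", "validate"),
    ({"default": "done"}, "pam_ccreds", "store"),
    ({"default": "bad"}, "pam_ccreds", "update"),
]


def module_result(module, action, scenario):
    """Stub for the real modules: map a scenario to a PAM return value.

    scenario keys (all default to False): local_user, ldap_reachable,
    ldap_password_ok, cached_password_ok.
    """
    if module == "pam_unix":
        return "success" if scenario.get("local_user") else "user_unknown"
    if module == "pam_ldap":
        if not scenario.get("ldap_reachable"):
            return "authinfo_unavail"
        return "success" if scenario.get("ldap_password_ok") else "auth_err"
    if action == "validate":  # compare the password with the cached hash
        return "success" if scenario.get("cached_password_ok") else "auth_err"
    # store/update: assumed to return success after writing or clearing the
    # cache entry; by then the stack status has already been decided.
    return "success"


def run_stack(stack, scenario):
    """Return (final_status, trace) for one authentication attempt.

    trace lists the modules that actually ran, in order, with their return
    value, so skipped lines are visible by their absence.
    """
    status, trace, i = None, [], 0
    while i < len(stack):
        control, module, action = stack[i]
        ret = module_result(module, action, scenario)
        trace.append(f"{module} {action}={ret}" if action else f"{module}={ret}")
        act = control.get(ret, control["default"])
        i += 1
        if act == "ignore":           # return value does not contribute
            continue
        # ok/done/N and bad only set the status while no earlier module has
        # failed; bad additionally never lets a success count in its favour.
        if status in (None, "success"):
            status = "perm_denied" if act == "bad" and ret == "success" else ret
        if act == "done":             # documented: stop the stack and return
            break
        if isinstance(act, int):      # N: jump over the next N module lines
            i += act
    return status or "perm_denied", trace


if __name__ == "__main__":
    for name, scenario in [
        ("LDAP up, right password", {"ldap_reachable": True, "ldap_password_ok": True}),
        ("LDAP up, wrong password, stale cache", {"ldap_reachable": True, "cached_password_ok": True}),
        ("LDAP down, cached password", {"cached_password_ok": True}),
    ]:
        print(name, "->", run_stack(COMMON_AUTH, scenario))
```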
 
For Feisty only: if you get an error after "You have been logged on using cached credentials" saying "Authentication service cannot retrieve authentication info", you might need to make some more changes to your common-account file. Add the following line to ''/etc/pam.d/common-account'':
<pre><nowiki>
account required        pam_permit.so
</nowiki></pre>

If you are using Gutsy or Hardy you should have these lines in /etc/pam.d/'''common-account''' instead:
<pre><nowiki>
account    [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so
account    [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so
account    required      pam_permit.so
</nowiki></pre>
After the file is adjusted properly you must log in while connected to the LDAP server once to make libpam-ccreds store your password. After that you will be able to log in while not connected to the LDAP server as usual.
 
In a fresh install of Hardy, pam_foreground.so does not exist. Comment out the pam_foreground line in /etc/pam.d/'''common-session'''. This removes the error 'PAM [error: /lib/security/pam_foreground.so: cannot open shared object file: No such file or directory]' from /var/log/auth.log. Until you fix this, you may not be able to use GUI programs that change system settings, e.g. the network manager.
 
<pre><nowiki>
session    required    pam_unix.so
session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    optional    pam_ldap.so
#session    optional    pam_foreground.so
</nowiki></pre>
'''Important:''' There is a problem with libnss-ldap where, even for system users listed in ''/etc/passwd'', LDAP is contacted to find out whether the user is in any LDAP groups. This can bring the system to a virtual standstill if the LDAP server is unavailable. To get around this problem, there is a directive called nss_initgroups_ignoreusers. List all your local system accounts after this directive. The article [http://www.nabble.com/nsswitch.conf-issues-with-LDAP-Auth--td6259466.html] suggests the following options in '''/etc/ldap.conf'''.
<pre><nowiki>
  timelimit 15
  bind_timelimit 15
  bind_policy soft
  nss_initgroups_ignoreusers root,sys,... and all your other local system accounts in /etc/passwd ...
</nowiki></pre>
'''Important:''' If you have chosen to list all users in the initial logon dialog, the greeter might crash when the LDAP server is unavailable. If so, disable this by setting the following line in '''/etc/gdm/gdm.conf-custom''' in the '''[greeter]''' section.
<pre><nowiki>
[greeter]
  :  :
IncludeAll=false
  :  :
</nowiki></pre>
=== Testing ===
The easiest way to test is by using ''su''.  While the LDAP server is available do something like this and check that .security.db has been updated.
<pre><nowiki>
ls -l /var/cache/.security.db
  -rw------- 1 root root 8192 2008-08-28 08:31 /var/cache/.security.db
date
  Thu Aug 28 10:09:03 EST 2008
su fred
  Password:
  exit
ls -l /var/cache/.security.db
  -rw------- 1 root root 8192 2008-08-28 10:09 /var/cache/.security.db
# the time stamp on .security.db shows that it has been updated with fred's password
</nowiki></pre>
You can run ''cc_dump''.  This is part of the libpam-ccreds package, and shows what passwords are stored in .security.db.
<pre><nowiki>
sudo cc_dump
  Credential Type  User            Service  Cached Credentials 
  ----------------------------------------------------------------------------------
  Salted SHA1      fred            any    4a985b233701cf106ed450a0168fa8e0aa86ef5d
</nowiki></pre>
'''Important:''' This failed for me when the user account's password was not encrypted as {SSHA} in the LDAP database. Using smbldap-passwd to change the password fixed this problem.

Now disconnect the PC from the network (or shut down the LDAP service) and do something similar to this:
<pre><nowiki>
su fred
  Password:
  You have been logged on using cached credentials.
  exit
# It works!
</nowiki></pre>
=== Warning for Ubuntu 5.10 Only ===
The packages needed for this feature are linked against libdb. In my experience all packages need to be linked against the same libdb to make everything work properly. This is not the case with Ubuntu 5.10, where the installed packages would be the following:
{|border="1" cellspacing="0"
! Package !! Version !! Linked against
|-
|libnss-db||2.2-6.3ubuntu1||libdb3
|-
|libpam-ccreds||1-3||libdb4.3
|-
|nss-updatedb||4-1||libdb4.3
|}
Instead of libnss-db (2.2-6.3) I installed libnss-db (2.2.3) from the current Debian testing (etch):
{|border="1" cellspacing="0"
! Package !! Version !! Linked against
|-
|libnss-db||2.2.3pre1-1||libdb4.3
|}
As mentioned above, the libnss-db package from breezy/main is linked against libdb3 and will ''not'' work with nss-updatedb from breezy/universe. To circumvent this problem we need a package that is linked against libdb4.3 and pulls in no further dependencies. I recommend the libnss-db package from Debian testing (etch), which can be downloaded from [http://packages.debian.org/testing/admin/libnss-db].
To install the package open a terminal and type:
<pre><nowiki>
sudo dpkg -i libnss-db_2.2.3pre1-1_i386.deb
</nowiki></pre>
=== Further Information ===
/usr/share/doc/nss-updatedb/*<br>
/usr/share/doc/libpam-ccreds/*<br>
[http://www.padl.com/OSS/nss_updatedb.html]<br>
[http://www.padl.com/OSS/pam_ccreds.html]<br>
[http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html]<br>

[[category:CategoryDocumentation]] [[category:CategoryCleanup]]

[[category:UbuntuHelp]]

Latest revision as of 23:50, Wednesday 19 May 2010

