NetBSD-Users archive


Re: User authentication problem (suspect PAM)



On 1/3/15 9:31 PM, John Nemeth wrote:
On Jan 3,  3:34am, Louis Guillaume wrote:

} So to sum up:
}
}    o All the pieces work fine together, normally.
}    o Authentication using LDAP succeeds where it should.
}    o Saslauthd does its thing with no problem.
}    o Sendmail does its thing with no problem.
}
}    o Because it takes deleting the local user account to make the
}      problem go away, I am led to believe that the failure is with
}      PAM. I think that, when pam_ldap.so fails, it tries the system
}      config and for some reason it authenticates the user.

      Yes, of course, since that's exactly what you're telling it
to do.  From "man pam.conf":

      sufficient  If this module succeeds, the chain is broken and the result
                  is success.  If it fails, the rest of the chain still runs,
                  but the final result will be failure unless a later module
                  succeeds.

What the system config does is unknown, since you didn't show it.

}-- End of excerpt from Louis Guillaume



You make a good point. The authentication should stop with LDAP in this case (smtp) and "system" should be out of the picture. I've removed the "include" for the system config and changed the pam_ldap entry to be "required". It's the obvious way to stop the bleeding here.

But I still have to wonder what was causing PAM to successfully authenticate the user. Now that I've got things to be sane again, I can research further. The latest theory is an old Kerberos account for this user (with the old password) was the culprit.

Thank you for your help!

Louis
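The control-flag semantics quoted from pam.conf(5) above explain the symptom: with pam_ldap marked "sufficient" and the system chain included after it, a failed LDAP check does not end the chain, so any later module that happens to accept the password wins. The following is an added model of that dispatch logic (not NetBSD's or OpenPAM's actual code); the smtp and system chains, the module names and the stale-Kerberos result are constructed assumptions for illustration, not the poster's real files.

```python
# Simplified model of how PAM control flags ("required", "requisite",
# "sufficient", "optional") and "include" combine per-module results.
# Added illustration, not the real OpenPAM dispatcher.
from typing import Dict, List, Tuple

Chain = List[Tuple[str, str]]        # (control flag, module name)


def expand(chain: Chain, chains: Dict[str, Chain]) -> Chain:
    """Flatten 'include' entries the way 'auth include system' splices
    the system chain into the calling service's chain."""
    flat: Chain = []
    for flag, name in chain:
        flat.extend(expand(chains[name], chains) if flag == "include"
                    else [(flag, name)])
    return flat


def dispatch(chain: Chain, chains: Dict[str, Chain],
             results: Dict[str, bool]) -> bool:
    """Return the chain's final verdict given each module's own result."""
    required_failed = False   # a 'required' module failed: verdict is fail
    pending_failure = False   # a 'sufficient' module failed; a later
                              # success can still rescue the verdict
    for flag, module in expand(chain, chains):
        if results.get(module, False):
            if flag == "sufficient" and not required_failed:
                return True       # chain is broken, result is success
            pending_failure = False
            continue
        if flag == "requisite":
            return False          # stop immediately on failure
        if flag == "required":
            required_failed = True
        elif flag == "sufficient":
            pending_failure = True
        # an 'optional' failure is simply ignored
    return not (required_failed or pending_failure)


# Constructed chains (assumptions): the weak smtp chain has pam_ldap as
# 'sufficient' followed by 'include system'; the fixed one drops both.
CHAINS = {
    "system": [("sufficient", "pam_krb5"), ("required", "pam_unix")],
    "smtp-weak": [("sufficient", "pam_ldap"), ("include", "system")],
    "smtp-fixed": [("required", "pam_ldap")],
}
# Constructed scenario: LDAP rejects the password, a stale Kerberos
# principal with the old password accepts it, pam_unix rejects it.
RESULTS = {"pam_ldap": False, "pam_krb5": True, "pam_unix": False}


def verdict(service: str) -> bool:
    return dispatch(CHAINS[service], CHAINS, RESULTS)
```

Running `verdict("smtp-weak")` reproduces the unexpected success, while `verdict("smtp-fixed")` fails as intended because a "required" pam_ldap failure can no longer be rescued by a later module.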
