From: Rainer Duffner
To: freebsd-stable@FreeBSD.org
Date: Tue, 15 Oct 2013 12:05:29 +0200
Subject: question about PAM in 9.2
Message-ID: <20131015120529.0fdb56c2@suse3>

Hi,

we have been using pure-ftpd to authenticate via PAM from our ldap-server for some time (the ldap-server was built in 2006...).
I've got the following in /etc/pam.d/pure-ftpd:

auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so nullok
account required pam_permit.so
session required pam_permit.so

This worked from probably FreeBSD 5.0 and before (longer than I've been at the company...) until 9.1; then, with the upgrade to 9.2, users can no longer log in (LDAP or local does not matter).

It has nothing to do with the versions of various ldap-related ports (at least not obviously), because the same set of packages does work with 9.1.

Upon trying to log in, this is in /var/log/messages:

Oct 15 11:10:27 server1 pure-ftpd: in openpam_dispatch(): pam_nologin.so: no pam_sm_setcred()
Oct 15 11:10:27 server1 pure-ftpd: in openpam_check_error_code(): pam_sm_setcred(): unexpected return value 4
Oct 15 11:10:30 server1 pure-ftpd: (?@127.0.0.1) [WARNING] Authentication failed for user [demo]

Can anyone shed any light on this? What did change between 9.1 and 9.2?

Best Regards,
Rainer
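One way to line up the openpam_dispatch() message with the policy line that triggers it, as an added example that is not part of the original message. PRIMITIVES lists the standard PAM service-module entry points per facility; the function names are made up for this example, and the policy and log text are copied from the message.

```python
import re

# Service primitives each PAM facility calls (standard PAM service-module API).
PRIMITIVES = {
    "pam_sm_authenticate": "auth",
    "pam_sm_setcred": "auth",
    "pam_sm_acct_mgmt": "account",
    "pam_sm_open_session": "session",
    "pam_sm_close_session": "session",
    "pam_sm_chauthtok": "password",
}

# Policy and log lines copied from the message above.
POLICY = """\
auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so nullok
account required pam_permit.so
session required pam_permit.so
"""
LOG = """\
Oct 15 11:10:27 server1 pure-ftpd: in openpam_dispatch(): pam_nologin.so: no pam_sm_setcred()
Oct 15 11:10:27 server1 pure-ftpd: in openpam_check_error_code(): pam_sm_setcred(): unexpected return value 4
"""

MISSING = re.compile(r"openpam_dispatch\(\): (\S+): no (pam_sm_\w+)\(\)")

def parse_policy(text):
    """Yield (lineno, facility, control, module basename) per policy line."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            yield n, fields[0], fields[1], fields[2].rsplit("/", 1)[-1]

def find_mismatches(policy, log):
    """Match 'module: no primitive()' log entries to the policy lines that load them."""
    hits = []
    for module, primitive in MISSING.findall(log):
        facility = PRIMITIVES.get(primitive)
        for n, fac, control, mod in parse_policy(policy):
            if mod == module and fac == facility:
                hits.append((n, fac, control, mod, primitive))
    return hits

if __name__ == "__main__":
    for n, fac, control, mod, prim in find_mismatches(POLICY, LOG):
        print(f"line {n}: '{fac} {control} {mod}' but {mod} has no {prim}()")
```
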