Date: Thu, 14 Aug 2014 11:30:21 +0200
From: Rainer Duffner
To: freebsd-stable@freebsd.org
Subject: Question about PAM in FreeBSD 9.2+
Message-ID: <20140814113021.3d297996@suse3.ewadmin.local>

Hi,

I've got a pure-ftpd configuration that uses PAM and the following
configuration file in /etc/pam.d/pure-ftpd:

auth sufficient /usr/local/lib/pam_ldap.so
auth required pam_nologin.so
auth required pam_unix.so nullok
account required pam_permit.so
session required pam_permit.so

This has worked since FreeBSD 6 (or 5) until FreeBSD 9.1.

However, after upgrading to FreeBSD 9.2 (and 9.3 and probably 10), it
does not work anymore.

Mapping UIDs/GIDs from LDAP still works, but logging in via FTP does not
work anymore.

I tried a slightly different pam.d configuration, after studying the
handbook:

auth sufficient /usr/local/lib/pam_ldap.so debug
auth required pam_nologin.so
auth required pam_unix.so try_first_pass
account required pam_permit.so
account required /usr/local/lib/pam_ldap.so debug ignore_authinfo_unavail ignore_unknown_user
session required pam_permit.so

but this does not work, either.

Aug 14 11:21:29 mysrv pure-ftpd: (?@127.0.0.1) [DEBUG] Command [user][myuser]
Aug 14 11:21:37 mysrv pure-ftpd: (?@127.0.0.1) [DEBUG] Command [pass] [<*>]
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/pam_ldap.so
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_user(): entering
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_USER
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_user(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_data(): entering: 'PADL-LDAP-SESSION-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_data(): returning PAM_NO_MODULE_DATA
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): entering: 'PADL-LDAP-SESSION-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_AUTHTOK
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_CONV
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): entering: PAM_AUTHTOK
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): entering: PAM_AUTHTOK
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): entering: 'PADL-LDAP-AUTH-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_data(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): entering: PAM_USER
Aug 14 11:21:37 mysrv pure-ftpd: in pam_set_item(): returning PAM_SUCCESS
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): /usr/local/lib/pam_ldap.so: pam_sm_authenticate(): success
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_ldap.so
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): /usr/local/lib/pam_ldap.so: pam_sm_setcred(): success
Aug 14 11:21:45 mysrv pure-ftpd: (?@127.0.0.1) [DEBUG] Command [quit] []

What changed between FreeBSD 9.1 and FreeBSD 9.2?
How can I fix this?

Best Regards,
Rainer
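
A helper for reading a trace like the one in the message above, as an added example that is not part of the original post: it lists which service-module primitives OpenPAM dispatched, the outcome logged for each, any API call that returned something other than PAM_SUCCESS, and which expected primitives never appear. The function names and the `expected` list are assumptions of this example; the sample lines are excerpted from the post's trace.

```python
import re

# Lines excerpted from the trace in the post above (syslog prefix kept as-is).
TRACE = """\
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): calling pam_sm_authenticate() in /usr/local/lib/pam_ldap.so
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_data(): entering: 'PADL-LDAP-SESSION-DATA'
Aug 14 11:21:37 mysrv pure-ftpd: in pam_get_data(): returning PAM_NO_MODULE_DATA
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): /usr/local/lib/pam_ldap.so: pam_sm_authenticate(): success
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): calling pam_sm_setcred() in /usr/local/lib/pam_ldap.so
Aug 14 11:21:37 mysrv pure-ftpd: in openpam_dispatch(): /usr/local/lib/pam_ldap.so: pam_sm_setcred(): success
"""

CALL = re.compile(r"in openpam_dispatch\(\): calling (pam_sm_\w+)\(\) in (\S+)")
DONE = re.compile(r"in openpam_dispatch\(\): (\S+): (pam_sm_\w+)\(\): (.+)$")
RET = re.compile(r"in (pam_\w+)\(\): returning (PAM_\w+)")

def summarize(trace):
    """Return (dispatches, non_success_returns) found in an OpenPAM debug trace."""
    dispatches = {}   # (module, primitive) -> outcome, None while no result is logged
    odd_returns = []  # API calls that returned anything other than PAM_SUCCESS
    for line in trace.splitlines():
        if m := CALL.search(line):
            dispatches[(m.group(2), m.group(1))] = None
        elif m := DONE.search(line):
            dispatches[(m.group(1), m.group(2))] = m.group(3).strip()
        elif m := RET.search(line):
            if m.group(2) != "PAM_SUCCESS":
                odd_returns.append((m.group(1), m.group(2)))
    return dispatches, odd_returns

# `expected` is this example's assumption about what a login normally dispatches.
def missing_primitives(dispatches, expected=("pam_sm_authenticate", "pam_sm_acct_mgmt")):
    """Primitives from `expected` that never appear in the trace at all."""
    seen = {prim for (_module, prim) in dispatches}
    return [p for p in expected if p not in seen]

if __name__ == "__main__":
    calls, odd = summarize(TRACE)
    for (module, prim), outcome in calls.items():
        print(f"{prim:22} {module:32} {outcome or 'no result logged'}")
    print("non-success returns:", odd)
    print("not in trace:", missing_primitives(calls))
```

The summary only reflects what was logged: OpenPAM emits these lines for modules configured with the `debug` option, so a primitive missing from the output means it was not traced, not necessarily that it was never called.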