From owner-freebsd-security@FreeBSD.ORG Sat Mar 19 23:00:15 2005
From: Michael Collette
To: FreeBSD Security
Date: Sat, 19 Mar 2005 15:00:14 -0800
Subject: LDAP and Linux compatibility
List-Id: Security issues [members-only posting]

Please excuse a wee bit of cross posting here. It seems that the questions list may not be the appropriate place for this as I've found a number of unanswered posts involving this topic.

My FreeBSD workstations are set up with pam_ldap to a centralized openldap server for authentication. This works perfectly for native FreeBSD applications.
What I'm running into an issue with are Linux binaries attempting to make a getpwuid_r() call so as to discover the user's uid. So far it seems that the latest Real Player and Adobe Acrobat Reader 7.0 are unable to run without this call functioning. Either application dies with:

    GLib-WARNING **: getpwuid_r(): failed due to unknown user id

I suspect that there are probably several other Linux applications that will have similar problems.

The problem is immediately evident with /compat/linux/usr/bin/id when attempting a lookup on an LDAP user. The Linux id command only seems to work on locally stored users. The FreeBSD native id command performs as expected in all cases.

The reason I decided to write this mailing list was that it seems that this is more than just a configuration issue. I would have thought that whatever routines are grabbing calls from the Linux apps should be respecting the main system settings. It would appear that what's happening instead is simply a redirect to the local password database.

Which now leads into my questions for this list:

  1. How do Linux applications determine authorization for users?
  2. Do we need linux_pam_ldap, linux_nss_ldap and linux_openldap_client ports to be created to facilitate what I'm talking about?
  3. Is there a lower level option of properly masking the Linux call for a uid and returning the appropriate information from the main system?
  4. If we're talking about an honest to gosh bug with the system, could someone who has a better understanding of what all is going on give me a hand with putting together a useful PR report?

Thanks,
--
"When you come to a fork in the road....Take it" - Yogi Berra
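A small diagnostic, added here as an example and not part of the message above or of any FreeBSD port: it resolves a uid through getpwuid_r() the way the failing applications do, with the ERANGE retry that the reentrant API requires, and reports "not found" separately from a genuine error. The assumption behind it is that a Linux binary resolves names through the Linux libc's own NSS configuration rather than the host's, so the same source built natively and built with a Linux toolchain and run under the compat layer shows which resolver answered for a given uid. Function and result-code names are my own.

```c
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for uid_to_name() (names chosen for this example). */
enum { LOOKUP_OK = 0, LOOKUP_NOT_FOUND = 1, LOOKUP_ERROR = 2 };

/*
 * Resolve uid to a login name with getpwuid_r(), copying the name into
 * name[namelen].  'initial' is the starting scratch-buffer size (0 means
 * a sensible default); the buffer is doubled on ERANGE, which is how a
 * caller must treat the reentrant API when entries come from a directory
 * and can be longer than expected.  A NULL result with rc == 0 is the
 * "unknown user id" case the GLib warning reports; a non-zero rc other
 * than ERANGE is a real failure (EIO, EINTR, ...).
 */
int uid_to_name(uid_t uid, char *name, size_t namelen, size_t initial)
{
    struct passwd pw;
    struct passwd *result = NULL;
    size_t buflen = initial ? initial : 1024;
    char *buf = malloc(buflen);

    if (buf == NULL)
        return LOOKUP_ERROR;

    for (;;) {
        int rc = getpwuid_r(uid, &pw, buf, buflen, &result);

        if (rc == ERANGE) {                 /* buffer too small: grow, retry */
            char *nb;
            buflen *= 2;
            nb = realloc(buf, buflen);
            if (nb == NULL) {
                free(buf);
                return LOOKUP_ERROR;
            }
            buf = nb;
            continue;
        }
        if (rc != 0) {                      /* resolver error, not "no user" */
            free(buf);
            return LOOKUP_ERROR;
        }
        if (result == NULL) {               /* lookup succeeded, no such uid */
            free(buf);
            return LOOKUP_NOT_FOUND;
        }
        break;
    }

    snprintf(name, namelen, "%s", pw.pw_name);
    free(buf);
    return LOOKUP_OK;
}

/* Report the calling user (or the uid given as argv[1]) like id(1) would. */
int main(int argc, char **argv)
{
    uid_t uid = argc > 1 ? (uid_t)strtoul(argv[1], NULL, 10) : getuid();
    char name[256];
    int rc = uid_to_name(uid, name, sizeof name, 0);

    if (rc == LOOKUP_OK)
        printf("uid=%lu(%s)\n", (unsigned long)uid, name);
    else if (rc == LOOKUP_NOT_FOUND)
        printf("uid=%lu: unknown user id (resolver answered, no entry)\n",
               (unsigned long)uid);
    else
        printf("uid=%lu: lookup error: %s\n", (unsigned long)uid,
               strerror(errno));
    return rc == LOOKUP_OK ? 0 : 1;
}
```

Run it as the LDAP user from a native build and from a Linux build: a native "uid=N(user)" next to a compat "unknown user id" for the same uid confirms that the Linux libc is consulting only its own files, which is the behaviour the message describes for /compat/linux/usr/bin/id.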