I have installed libnss_mysql on Fedora 4 with MySQL 4.1.11.
When I do a tcpdump on activity to the MySQL server I find that it does 3 lookups for the information and then bombs out with "su: incorrect password". I have used the same config, PAM files and nsswitch.conf files with other versions of Red Hat and all seems to work, but not with Fedora.
Here is a debug.
[7254]: _nss_mysql_getpwnam_r: ENTER
[7254]: _nss_mysql_lookup: ENTER
[7254]: _nss_mysql_lookup: restricted = 0, cur_euid = 0
[7254]: _nss_mysql_init: ENTER
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config_file: ENTER
[7254]: _nss_mysql_load_config_file: Attempting to load: /etc/libnss-mysql.cfg
[7254]: _nss_mysql_load_config_file: fopen() successful
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getpwnam -> SELECT UserName,'x',UID,GID,Gecos,HomeDir,Shell FROM radius.usergroup WHERE UserName='%1$s' LIMIT 1
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getpwuid -> SELECT username,'x',uid,gid,gecos,homedir,shell FROM radius.usergroup WHERE uid='%1$u' LIMIT 1
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getspnam -> SELECT username,password,lstchg,min,max,warn,inact,expire,flag FROM users WHERE username='%1$s' LIMIT 1
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getpwent -> SELECT UserName,'x',UID,GID,Gecos,HomeDir,Shell FROM usergroup
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getspent -> SELECT username,password,lstchg,min,max,warn,inact,expire,flag FROM users
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getgrnam -> SELECT name,password,gid FROM groups WHERE name='%1$s' LIMIT 1
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getgrgid -> SELECT name,password,gid FROM groups WHERE gid='%1$u' LIMIT 1
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: getgrent -> SELECT name,password,gid FROM groups
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: memsbygid -> SELECT username FROM grouplist WHERE gid='%1$u'
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: gidsbymem -> SELECT gid FROM grouplist WHERE username='%1$s'
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: host -> 10.0.0.1
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: database -> radius
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: username -> nss
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: password -> password
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: EXIT (FALSE)
[7254]: _nss_mysql_load_config_file: EXIT
[7254]: _nss_mysql_load_config_file: ENTER
[7254]: _nss_mysql_load_config_file: Attempting to load: /etc/libnss-mysql-root.cfg
[7254]: _nss_mysql_load_config_file: fopen() successful
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: username -> nss
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: Found: password -> password
[7254]: _nss_mysql_next_key: EXIT (TRUE)
[7254]: _nss_mysql_next_key: ENTER
[7254]: _nss_mysql_next_key: EXIT (FALSE)
[7254]: _nss_mysql_load_config_file: EXIT
[7254]: _nss_mysql_validate_config: ENTER
[7254]: _nss_mysql_validate_config: EXIT (TRUE)
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_init: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_build_query: ENTER
[7254]: _nss_mysql_build_query: BYNAME, name = 'test'
[7254]: _nss_mysql_escape_string: ENTER
[7254]: _nss_mysql_connect_sql: ENTER
[7254]: _nss_mysql_check_existing_connection: ENTER
[7254]: _nss_mysql_check_existing_connection: EXIT (FALSE)
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_set_options: ENTER
[7254]: _nss_mysql_set_options: EXIT
[7254]: _nss_mysql_connect_sql: Connecting to 10.0.0.1
[7254]: _nss_mysql_save_socket_info: ENTER
[7254]: _nss_mysql_save_socket_info: EXIT (SUCCESS)
[7254]: _nss_mysql_connect_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_escape_string: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_reset_ent: ENTER
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_reset_ent: EXIT
[7254]: _nss_mysql_build_query: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_run_query: ENTER
[7254]: _nss_mysql_run_query: Executing query: SELECT UserName,'x',UID,GID,Gecos,HomeDir,Shell FROM radius.usergroup WHERE UserName='test' LIMIT 1
[7254]: _nss_mysql_connect_sql: ENTER
[7254]: _nss_mysql_check_existing_connection: ENTER
[7254]: _nss_mysql_validate_socket: ENTER
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_validate_socket: EXIT (TRUE)
[7254]: _nss_mysql_check_existing_connection: EXIT (TRUE)
[7254]: _nss_mysql_connect_sql: Using existing connection
[7254]: _nss_mysql_connect_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_run_query: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_passwd: ENTER
[7254]: _nss_mysql_fetch_row: ENTER
[7254]: _nss_mysql_fetch_row: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_passwd: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result, calling mysql_free_result()
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_lookup: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_getpwnam_r: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_getpwnam_r: ENTER
[7254]: _nss_mysql_lookup: ENTER
[7254]: _nss_mysql_lookup: restricted = 0, cur_euid = 0
[7254]: _nss_mysql_init: ENTER
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_init: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_build_query: ENTER
[7254]: _nss_mysql_build_query: BYNAME, name = 'test'
[7254]: _nss_mysql_escape_string: ENTER
[7254]: _nss_mysql_connect_sql: ENTER
[7254]: _nss_mysql_check_existing_connection: ENTER
[7254]: _nss_mysql_validate_socket: ENTER
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_validate_socket: EXIT (TRUE)
[7254]: _nss_mysql_check_existing_connection: EXIT (TRUE)
[7254]: _nss_mysql_connect_sql: Using existing connection
[7254]: _nss_mysql_connect_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_escape_string: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_reset_ent: ENTER
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_reset_ent: EXIT
[7254]: _nss_mysql_build_query: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_run_query: ENTER
[7254]: _nss_mysql_run_query: Executing query: SELECT UserName,'x',UID,GID,Gecos,HomeDir,Shell FROM radius.usergroup WHERE UserName='test' LIMIT 1
[7254]: _nss_mysql_connect_sql: ENTER
[7254]: _nss_mysql_check_existing_connection: ENTER
[7254]: _nss_mysql_validate_socket: ENTER
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_validate_socket: EXIT (TRUE)
[7254]: _nss_mysql_check_existing_connection: EXIT (TRUE)
[7254]: _nss_mysql_connect_sql: Using existing connection
[7254]: _nss_mysql_connect_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_run_query: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_passwd: ENTER
[7254]: _nss_mysql_fetch_row: ENTER
[7254]: _nss_mysql_fetch_row: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_passwd: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result, calling mysql_free_result()
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_lookup: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_getpwnam_r: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_getpwnam_r: ENTER
[7254]: _nss_mysql_lookup: ENTER
[7254]: _nss_mysql_lookup: restricted = 0, cur_euid = 0
[7254]: _nss_mysql_init: ENTER
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_init: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_config: ENTER
[7254]: _nss_mysql_load_config: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_build_query: ENTER
[7254]: _nss_mysql_build_query: BYNAME, name = 'test'
[7254]: _nss_mysql_escape_string: ENTER
[7254]: _nss_mysql_connect_sql: ENTER
[7254]: _nss_mysql_check_existing_connection: ENTER
[7254]: _nss_mysql_validate_socket: ENTER
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_validate_socket: EXIT (TRUE)
[7254]: _nss_mysql_check_existing_connection: EXIT (TRUE)
[7254]: _nss_mysql_connect_sql: Using existing connection
[7254]: _nss_mysql_connect_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_escape_string: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_reset_ent: ENTER
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_reset_ent: EXIT
[7254]: _nss_mysql_build_query: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_run_query: ENTER
[7254]: _nss_mysql_run_query: Executing query: SELECT UserName,'x',UID,GID,Gecos,HomeDir,Shell FROM radius.usergroup WHERE UserName='test' LIMIT 1
[7254]: _nss_mysql_connect_sql: ENTER
[7254]: _nss_mysql_check_existing_connection: ENTER
[7254]: _nss_mysql_validate_socket: ENTER
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_is_same_sockaddr: ENTER
[7254]: _nss_mysql_is_same_sockaddr: EXIT (TRUE)
[7254]: _nss_mysql_validate_socket: EXIT (TRUE)
[7254]: _nss_mysql_check_existing_connection: EXIT (TRUE)
[7254]: _nss_mysql_connect_sql: Using existing connection
[7254]: _nss_mysql_connect_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_run_query: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_passwd: ENTER
[7254]: _nss_mysql_fetch_row: ENTER
[7254]: _nss_mysql_fetch_row: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_load_passwd: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result, calling mysql_free_result()
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_lookup: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_getpwnam_r: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_atexit_handler: ENTER
[7254]: _nss_mysql_close_sql: ENTER
[7254]: _nss_mysql_close_result: ENTER
[7254]: _nss_mysql_close_result: EXIT
[7254]: _nss_mysql_close_sql: calling mysql_close()
[7254]: _nss_mysql_close_sql: EXIT (NSS_SUCCESS)
[7254]: _nss_mysql_safe_memset: ENTER
[7254]: _nss_mysql_safe_memset: EXIT (0xbe2ae4)
[7254]: _nss_mysql_atexit_handler: EXIT
Sorry for the late reply - I've been on vacation.
I wonder if FC4's PAM configuration is at fault? What does your /etc/pam.d/su look like?
Here is my /etc/pam.d/su
#%PAM-1.0
auth sufficient /lib/security/pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient /lib/security/pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required /lib/security/pam_wheel.so use_uid
auth required /lib/security/pam_stack.so service=system-auth
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_xauth.so
It is precisely the same as for my Red Hat 7.3 machine, which works well with it.
As I mentioned, when I do a tcpdump on it I get the following.
[3 way handshake]
MySQLServ -> client : Greeting protocol
client -> MySQLServ : Login request
MySQLServ -> client : Response OK
client -> MySQLServ : Request Command 86
MySQLServ -> client : Response OK
client -> MySQLServ : Request Command Query (as specified in the config file)
MySQLServ -> client : Response OK with answers to query
client -> MySQLServ : Request Command Query (as specified in the config file)
MySQLServ -> client : Response OK with answers to query
client -> MySQLServ : Request Command Query (as specified in the config file)
MySQLServ -> client : Response OK with answers to query
client -> MySQLServ : Request Command Quit
[ 3 way fin shake ]
What is also strange is that for each of the MySQL request packets from the client it also sends a duplicate packet (not shown above).
That debug log doesn't show any shadow lookup attempts (is /etc/nsswitch.conf really OK?)
What does "getent shadow test" (as root) show?
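Two checks for what Ben asks here, as an added example in Python (not code from the thread or from libnss-mysql): which of the passwd, shadow and group databases in nsswitch.conf never reach the mysql source, so that `getent shadow <user>` for a MySQL-only user cannot return anything, and whether the file that carries the credentials used for the shadow query is root-only. The source name `mysql`, the config paths and the sample nsswitch.conf text are assumptions; the sample is constructed.

```python
"""Sanity checks for a libnss-mysql deployment.

Added example, not code from libnss-mysql or from this thread. The source
name "mysql", the config paths and SAMPLE_NSSWITCH are assumptions.
"""
import os
import stat
from typing import Dict, List

NSS_DATABASES = ("passwd", "shadow", "group")

# Constructed nsswitch.conf fragment: shadow is left on "files" only, so a
# user that exists only in MySQL has a passwd entry but no shadow entry.
SAMPLE_NSSWITCH = """
passwd:     files mysql
shadow:     files
group:      files mysql [NOTFOUND=return]
hosts:      files dns
"""


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Map each database to its ordered sources, dropping [action] tokens."""
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, sources = line.split(":", 1)
        table[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return table


def databases_not_using(text: str, source: str = "mysql") -> List[str]:
    """Databases among passwd/shadow/group whose lookups never reach `source`."""
    table = parse_nsswitch(text)
    return [db for db in NSS_DATABASES if source not in table.get(db, [])]


def credential_file_problems(mode: int, uid: int) -> List[str]:
    """Why a file holding DB credentials (st_mode, st_uid) is unsafe.

    The root config is the one whose credentials may read the password
    column; if it is readable by anyone else, every local user gets them.
    """
    problems = []
    if uid != 0:
        problems.append("not owned by root")
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible to group/others (mode %04o)" % stat.S_IMODE(mode))
    return problems


def check_credential_file(path: str) -> List[str]:
    st = os.stat(path)
    return credential_file_problems(st.st_mode, st.st_uid)


if __name__ == "__main__":
    print("sample config skips mysql for:", databases_not_using(SAMPLE_NSSWITCH))
    if os.path.exists("/etc/nsswitch.conf"):
        with open("/etc/nsswitch.conf") as f:
            print("this host skips mysql for:", databases_not_using(f.read()))
    root_cfg = "/etc/libnss-mysql-root.cfg"   # assumed path, root-only by design
    if os.path.exists(root_cfg):
        print(root_cfg, check_credential_file(root_cfg) or ["ok"])
```

libnss-mysql splits its configuration into a world-readable libnss-mysql.cfg and a root-only libnss-mysql-root.cfg so that the credentials able to run the getspnam query against the `password` column are not handed to every local user; the debug output at the start of this thread shows both files carrying the same `nss`/`password` pair, which gives the world-readable file's credentials the same access. The tcpdump summary above also shows the queries and their results readable on the wire, so the shadow rows cross the network in the clear unless the MySQL connection is protected separately.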
Hi Ben
I have to admit that I did not outline my full implementation since I did not think the other part of it would affect this issue, since I have it working on RH7.3 in the same way I tried to make it work on Fedora 4.
Authentication is handled by pam_radius_auth.so. I only refer to this in the pam.d/sshd file since that's the only place where I need it. Thus "getent shadow test" does not kick up anything. When I su on the RH7.3 box from root to a MySQL-configured user it usually just puts me there without asking about passwords, and if I go from a MySQL user to root it will find root in the shadow file. I don't allow su from one MySQL user to another, thus I don't have any need to let shadow know where to get passwords for them.
If we have a look at /etc/pam.d/sshd file, I have the following.
#%PAM-1.0
auth sufficient pam_radius_auth.so debug
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session sufficient pam_radius_auth.so
session required pam_stack.so service=system-auth
session required pam_loginuid.so
When I try and SSH into the Fedora box I get the following in /var/log/secure...
Nov 10 12:38:45 server01 sshd[13319]: pam_radius_auth: Got user name test
Nov 10 12:38:45 server01 sshd[13319]: pam_radius_auth: Sending RADIUS request code 1
Nov 10 12:38:45 server01 sshd[13319]: pam_radius_auth: DEBUG: getservbyname(radius, udp) returned 4321792.
Nov 10 12:38:45 server01 sshd[13319]: pam_radius_auth: Got RADIUS response code 2
Nov 10 12:38:45 server01 sshd[13319]: pam_radius_auth: authentication succeeded
Nov 10 12:38:45 server01 sshd[13319]: Failed password for test from 10.2.2.2 port 42601 ssh2
As you can see, authentication succeeds on RADIUS.
Could this be more of a PAM problem, where PAM works a bit differently on Fedora than on Red Hat? Maybe PAM is trying to force authentication with the shadow file?
Thanks for the help so far.
Christiaan Ehlers
I've never been good at understanding PAM configs (haven't spent the time on it) but it seems:
auth sufficient pam_radius_auth.so debug
auth required pam_stack.so service=system-auth
MAY be at fault (even though it works on 7.3). I'm not sure that having the first line 'sufficient' and the second line 'required' will do the trick. I think the meanings may have changed.
PAM *definitely* changed between 7.3 and FC4. What would be nice is a commandline tool that directly tests PAM (there's GOT to be such a thing by now ...) Have you had any luck with this? It's been a while since I replied (sorry!)
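Ben's doubt about `sufficient` followed by `required` comes down to Linux-PAM's documented control-flag rules. The simulator below is an added example, not code from the thread, from Linux-PAM or from pam_radius_auth: it parses pam.d-style stacks (the auth/account lines of the sshd file posted above, plus an assumed system-auth, since the thread does not show that file) and combines caller-supplied module outcomes the way Linux-PAM's dispatcher does, so you can see which phase a given pattern of module results fails in. The module outcomes and the `reversed` stack are constructed.

```python
"""Simulate how Linux-PAM combines module results in a pam.d stack.

Added example: not code from this thread, from Linux-PAM, from
pam_radius_auth or from libnss-mysql.  Module outcomes are supplied by
the caller; the simulator reproduces only the control-flag rules
(required / requisite / sufficient / optional) and treats pam_stack.so
as a nested stack, so you can see which phase a login fails in.
"""
from typing import Dict, List, Optional

PAM_SUCCESS, PAM_IGNORE = "PAM_SUCCESS", "PAM_IGNORE"
PAM_AUTH_ERR, PAM_USER_UNKNOWN, PAM_PERM_DENIED = "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED"

# Linux-PAM expands the simple flags as:  required  = [success=ok ignore=ignore default=bad]
#   requisite = [success=ok ignore=ignore default=die]   sufficient = [success=done default=ignore]
#   optional  = [success=ok default=ignore]
def action_for(control: str, rc: str) -> str:
    if control in ("required", "requisite"):
        if rc == PAM_SUCCESS:
            return "ok"
        if rc == PAM_IGNORE:
            return "ignore"
        return "bad" if control == "required" else "die"
    if control in ("sufficient", "optional"):
        if rc != PAM_SUCCESS:
            return "ignore"
        return "done" if control == "sufficient" else "ok"
    raise ValueError("unsupported control flag: " + control)

def parse_stack(text: str):
    """Yield (type, control, module basename, args) for each pam.d line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mtype, control, module, *args = line.split()
            yield mtype, control, module.rsplit("/", 1)[-1], args

def run_stack(services: Dict[str, str], service: str, mtype: str,
              results: Dict[str, str], trace: Optional[List[str]] = None) -> str:
    """What pam_authenticate()/pam_acct_mgmt() would return for `service`.
    `results` maps module basename or "<type>:<basename>" to that module's
    return code for this login; unlisted modules return PAM_IGNORE."""
    impression, status = "UNDEF", PAM_PERM_DENIED   # an empty stack denies
    for etype, control, module, args in parse_stack(services[service]):
        if etype != mtype:
            continue
        if module == "pam_stack.so":
            sub = dict(a.split("=", 1) for a in args if "=" in a)["service"]
            rc = run_stack(services, sub, mtype, results, trace)
        else:
            rc = results.get(f"{mtype}:{module}", results.get(module, PAM_IGNORE))
        if trace is not None:
            trace.append(f"{service}:{mtype} {control} {module} -> {rc}")
        action = action_for(control, rc)
        if action in ("ok", "done"):
            if impression != "NEGATIVE":     # an earlier required failure sticks
                impression, status = "POSITIVE", rc
            if action == "done" and impression == "POSITIVE":
                break                        # sufficient: answer now, skip the rest
        elif action in ("bad", "die"):
            if impression != "NEGATIVE":     # the first failure code is kept
                impression, status = "NEGATIVE", rc
            if action == "die":
                break                        # requisite: fail now
        # "ignore": this module does not influence the outcome
    if status == PAM_SUCCESS and impression != "POSITIVE":
        status = PAM_PERM_DENIED             # Linux-PAM's final sanity check
    return status

SERVICES = {
    # auth/account lines of the sshd file posted in the thread
    "sshd": """
auth     sufficient pam_radius_auth.so debug
auth     required   pam_stack.so service=system-auth
account  required   pam_nologin.so
account  required   pam_stack.so service=system-auth
""",
    # assumed system-auth (the thread does not show it), typical Red Hat layout
    "system-auth": """
auth     sufficient pam_unix.so likeauth nullok
auth     required   pam_deny.so
account  required   pam_unix.so
""",
    # constructed counter-example: the same two auth lines in the other order
    "reversed": """
auth     required   pam_stack.so service=system-auth
auth     sufficient pam_radius_auth.so debug
""",
}

def outcome(service: str, results: Dict[str, str]) -> Dict[str, str]:
    """Run the auth and account phases the way sshd does, in that order."""
    return {phase: run_stack(SERVICES, service, phase, results)
            for phase in ("auth", "account")}

if __name__ == "__main__":
    radius_ok = {"pam_radius_auth.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
    trace: List[str] = []
    run_stack(SERVICES, "sshd", "auth", radius_ok, trace)
    print("\n".join(trace))     # one line: system-auth is never consulted
    print(outcome("sshd", {**radius_ok, "account:pam_unix.so": PAM_USER_UNKNOWN}))
    print(outcome("reversed", {**radius_ok, "pam_unix.so": PAM_AUTH_ERR}))
```

Under these rules the posted auth stack hands PAM_SUCCESS back to sshd as soon as pam_radius_auth succeeds; the `required pam_stack.so` line after it is never evaluated. A `sufficient` module only fails to short-circuit when a `required` module before it has already failed, which the `reversed` stack shows. sshd then runs the account phase, and what that returns for a user that exists only in MySQL depends on the account modules behind system-auth, which the simulator can only model with assumed outcomes. For the command-line tester Ben asks for, `pamtester sshd test authenticate acct_mgmt` exercises the real modules against the real configuration, one phase at a time.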