[rsbac] nsswitch and pam configuration for UM
Palon Setin
palons at danwin1210.me
Thu Dec 13 10:56:00 CET 2018
Amon Ott:
> Am 13.12.18 um 03:46 schrieb Palon Setin:
>> I have no issue compiling and installing. I'm running the latest
>> 4.19.8-rsbac.
>> But I can't find any help with configuring /etc/nsswitch.conf and
>> /etc/pam.d/*.
>> The closest I found is 7 yrs old:
>> https://www.rsbac.org/pipermail/rsbac/2011-January/002565.html
>> The tips in the rsbac-admin package don't help either, they too appear
>> to be old.
> After you imported your existing groups and users into RSBAC UM with
> rsbac_groupadd -O
> rsbac_useradd -O
> and set new passwords, which cannot be imported, with rsbac_passwd,
> you can change the nsswitch lines
>
As per:
https://www.gnu.org/software/libc/
and more exactly --if I'm not mistaken-- since:
https://sourceware.org/ml/libc-alpha/2017-08/msg00010.html
there are no lines:
> passwd: compat
> group: compat
> shadow: compat
to be changed to either of the below:
>
> to
>
> passwd: rsbac
> group: rsbac
> shadow: rsbac
>
> to let RSBAC translate between user names and uids. If you want to use
> both, try
>
> passwd: rsbac compat
> group: rsbac compat
> shadow: rsbac compat
>
That apparently remains to be solved. More below.
Thanks for these:
> In /etc/pam.d/common-auth you can replace
>
> auth [success=1 default=ignore] pam_unix.so nullok_secure
>
> or similar with
I do have:
# cat /etc/pam.d/common-auth | grep ^auth
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_cap.so
> ... with
>
> auth required pam_rsbac.so
So that applies!
> to use RSBAC for authentication. common-account, common-password and
> common-session are similar. If you want to fallback to passwd/shadow, try
I do want a fallback to the common, buggy current state; the learning
curve is steep :(
>
> auth sufficient pam_rsbac.so
> auth [success=1 default=ignore] pam_unix.so nullok_secure
so I'll probably opt for that in the first period, and after I learn, the
full rsbac login only, as per your suggestion further above.
>
> Amon.
>
The nsswitch is a bit of a worry to me, though. The change that obsoletes
the "--enable-obsolete-nsl" option has been completely implemented in
Debian testing, let alone Debian unstable, and my system is
testing/unstable.
Unless I'm mistaken, and if I am, I'm sorry upfront. But my nsswitch
looks like:
# head -9 /etc/nsswitch.conf
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files
group: files
shadow: files
I was thinking though... And I will try and change the last 3 lines of
the above to what you suggest:
passwd: rsbac
group: rsbac
shadow: rsbac
and report if that works.
Sincerely,
Palon Setin
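The nsswitch and PAM changes discussed in this thread are easy to get wrong in a way that locks every login out, so here is an added pre-flight check (example code written for this page, not part of the original mail or of the RSBAC project). It classifies a passwd/group/shadow line and a common-auth stack into a handful of modes, using the configs quoted in the thread as constructed samples. It assumes that on a system whose nsswitch.conf uses "files" rather than "compat", as in the mail, the fallback form of Amon's "rsbac compat" is "rsbac files", since NSS consults the listed sources left to right and stops at the first one that returns an entry; the mode names are the script's own labels, not RSBAC or glibc terminology.

```shell
#!/bin/sh
# Added example, not code from the original mail or from the RSBAC project.
# Pre-flight check for the nsswitch.conf and common-auth changes discussed in
# the thread. It classifies what a passwd/group/shadow line and an auth stack
# would do, so the lockout-safe shape (rsbac first, local files as fallback)
# can be confirmed before logging out. Inputs are constructed samples; pass
# "$(cat /etc/nsswitch.conf)" and "$(cat /etc/pam.d/common-auth)" to check a
# live host. The mode labels are this script's own, not RSBAC or glibc terms.
set -f   # no globbing: nsswitch action specs like [NOTFOUND=return] stay literal when split

# nss_sources DB CONTENT: source list of database DB from nsswitch.conf text.
nss_sources() {
    printf '%s\n' "$2" | awk -v key="$1:" '
        { line = $0; sub(/#.*/, "", line) }
        index(line, key) == 1 { sub(/^[^:]*:[ \t]*/, "", line); print line; exit }
    '
}

# nss_mode DB CONTENT: NSS asks the sources in order and stops at the first
# one that returns an entry, so the order decides which uid wins.
#   no-rsbac              rsbac not consulted (the state quoted in the mail)
#   rsbac-only            only UM answers; a user missing from UM is unresolvable
#   rsbac-with-fallback   UM first, files answer what UM does not know
#   rsbac-after-fallback  files first; UM only sees names the files lack
nss_mode() {
    set -- $(nss_sources "$1" "$2")      # word-split the source list into $1, $2, ...
    case " $* " in
        *" rsbac "*) ;;
        *) echo "no-rsbac"; return 0 ;;
    esac
    if [ $# -eq 1 ]; then echo "rsbac-only"
    elif [ "$1" = "rsbac" ]; then echo "rsbac-with-fallback"
    else echo "rsbac-after-fallback"
    fi
}

# pam_auth_modules CONTENT: "module control" for each pam_rsbac.so / pam_unix.so
# auth line, in stack order; a bracketed control like "[success=1 default=ignore]"
# spans several fields and is re-joined.
pam_auth_modules() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ || NF < 3 || $1 != "auth" { next }
        {
            ctrl = $2; i = 3
            while (ctrl ~ /^\[/ && ctrl !~ /\]$/ && i <= NF) { ctrl = ctrl " " $i; i++ }
            if ($i ~ /pam_rsbac\.so$/ || $i ~ /pam_unix\.so$/) print $i " " ctrl
        }
    '
}

# pam_auth_mode CONTENT: verdict on the auth stack.
#   no-rsbac             pam_rsbac.so absent (the state quoted in the mail)
#   rsbac-only           pam_rsbac.so without pam_unix.so: UM is the only password check
#   rsbac-with-fallback  "sufficient pam_rsbac.so" first, pam_unix.so after it:
#                        a UM password wins, users unknown to UM still get /etc/shadow
#   rsbac-and-unix       both present in another shape; a UM failure is not
#                        necessarily covered by the local password, check the flags
pam_auth_mode() {
    mods=$(pam_auth_modules "$1")
    case "$mods" in
        *pam_rsbac.so*) ;;
        *) echo "no-rsbac"; return 0 ;;
    esac
    case "$mods" in
        *pam_unix.so*) ;;
        *) echo "rsbac-only"; return 0 ;;
    esac
    case "$(printf '%s\n' "$mods" | head -n 1)" in
        *"pam_rsbac.so sufficient") echo "rsbac-with-fallback" ;;
        *) echo "rsbac-and-unix" ;;
    esac
}

# Constructed samples: "current" reproduces the files quoted in the mail.
NSS_CURRENT=$(printf '%s\n' 'passwd: files' 'group: files' 'shadow: files')
NSS_RSBAC_ONLY=$(printf '%s\n' 'passwd: rsbac' 'group: rsbac' 'shadow: rsbac')
NSS_FALLBACK=$(printf '%s\n' 'passwd: rsbac files' 'group: rsbac files' 'shadow: rsbac files')
PAM_CURRENT=$(printf '%s\n' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    'auth requisite pam_deny.so' 'auth required pam_permit.so' 'auth optional pam_cap.so')
PAM_FALLBACK=$(printf '%s\n' 'auth sufficient pam_rsbac.so' \
    'auth [success=1 default=ignore] pam_unix.so nullok_secure' \
    'auth requisite pam_deny.so' 'auth required pam_permit.so')
PAM_RSBAC_ONLY=$(printf '%s\n' 'auth required pam_rsbac.so' 'auth optional pam_cap.so')

# report LABEL NSS PAM: one verdict per database plus one for the auth stack.
report() {
    for db in passwd group shadow; do
        printf '%-8s %-7s %s\n' "$1" "$db" "$(nss_mode "$db" "$2")"
    done
    printf '%-8s %-7s %s\n' "$1" auth "$(pam_auth_mode "$3")"
}

report current  "$NSS_CURRENT"    "$PAM_CURRENT"
report proposed "$NSS_RSBAC_ONLY" "$PAM_RSBAC_ONLY"
report fallback "$NSS_FALLBACK"   "$PAM_FALLBACK"
```

Run it against the live files before editing them, keep a root shell open while the new configuration is tested, and confirm that root and your own account still resolve (getent passwd root) and that a fresh login works before dropping the fallback entries.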