
Centrify DS improper PAM registration bug

Participant II
Posts: 4
Registered: ‎07-12-2011
#1 of 5

Centrify DS improper PAM registration bug

Hi,

I installed CentrifyDS on my Ubuntu 11.04 box yesterday, joined my domain and found that I can no longer login to my Gnome desktop.

After logging in through the recovery console, I found out the problem: the eCryptfs PAM module which is responsible for mounting my encrypted home directory was not called due to improperly set CentrifyDS PAM rules.

 

The rules in common-auth looks like

# lines inserted by Centrify Direct Control (CentrifyDC 4.4.3-424)
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny

The "control" for these two rules (sufficient and requisite) will terminate the PAM stack search whenever a domain user login succeeds or fails. Since these are inserted at the top of the files, it means if a domain user is logging in, ALL other PAM modules (like the eCryptfs mount, Gnome keyring, and other stuff) will be skipped.

 

This basically causes all applications that use PAM to capture the identity of the current user to fail for domain users. It is especially problematic if a user previously had a local user account and set up services like encrypted home folder or Gnome keyring, then connects that account to a domain user (or happens to have the same user name).

 

Thus, these two rules should be changed to bypass other authentication, but allow non-authentication modules in the PAM service configuration to run.

 

Also, in recent versions of PAM, these common-* files are maintained by the pam-auth-update command and changes to them may be lost if some software package calls pam-auth-update to install new PAM modules.

 

May I suggest you investigate how PAM configurations are maintained in different distros and, in ones where the pam-auth-update facility exists, use a PAM profile to deliver your changes instead of editing the files in /etc/pam.d directly.

Retired Employee (Inactive)
Posts: 223
Registered: ‎06-30-2010
#2 of 5

Re: Centrify DS improper PAM registration bug

Hi Bill,

 

A big thank you for your time analyzing the PAM configuration.  We appreciate you bringing this to our attention.  I will open a bug with our Engineering for investigation.

 

Again, thanks for the great effort.

 

 

-Daniel

Participant II
Posts: 4
Registered: ‎07-12-2011
#3 of 5

Re: Centrify DS improper PAM registration bug

FYI, I've written the following profile for my Ubuntu 11.04. It may work with other systems.

 

Name: Centrify DC
Default: yes
Priority: 257
Auth-Type: Primary
Auth:
        [success=end default=ignore]                            pam_centrifydc.so try_first_pass
Account-Type: Primary
Account:
        [success=end new_authtok_reqd=done default=ignore]      pam_centrifydc.so
Session-Type: Additional
Session:
        required                                                pam_centrifydc.so homedir
Password-Type: Primary
Password:
        [success=end new_authtok_reqd=done ignore=ignore default=die]   pam_centrifydc.so try_first_pass
Password-Initial:
        [success=end new_authtok_reqd=done ignore=ignore default=die]   pam_centrifydc.so

 

I am not 100% sure that the configuration is secure though.

Retired Employee (Inactive)
Posts: 223
Registered: ‎06-30-2010
#4 of 5

Re: Centrify DS improper PAM registration bug

We have written KB for this:

 

KB-2495:  How to configure Centrify DirectControl with pam_eCryptfs

 

Applies to:  All versions of Centrify DirectControl on Ubuntu 11.x

 

Problem:

 

With Centrify DirectControl, AD Authentication fails for optional PAM modules like pam_ecryptfs, pam_gnome_keyring etc. How do you configure Centrify DirectControl with pam_eCryptfs?

 

Cause:

 

PAM was configured to exit on successful authentication with the CentrifyDC module, therefore it never goes ahead to authenticate any of the optional PAM modules.

 

# lines inserted by Centrify Direct Control
auth       sufficient     pam_centrifydc.so
auth       requisite      pam_centrifydc.so deny

 

Since pam_centrifydc.so was marked as "sufficient", the requesting application receives an immediate message about the success and no further modules are processed.

 

Solution:

 

To support authentication for optional PAM modules (e.g. pam_ecryptfs and pam_gnome_keyring), we need to change the PAM configuration to add the parameter "success=n" as [success=n default=ignore] before pam_centrifydc.so.  Here, success=n indicates that if the current module succeeded, then skip the next n rules and continue processing the other modules.

 

On Ubuntu, for example:

 

/etc/pam.d/common-auth:

    auth    [success=3 default=ignore] pam_centrifydc.so
    auth    requisite      pam_centrifydc.so deny
    auth    [success=1 default=ignore]  pam_unix.so nullok_secure
    auth    requisite      pam_deny.so
    auth    required       pam_permit.so
    auth    optional       pam_ecryptfs.so unwrap

 

/etc/pam.d/common-password:

    password   [success=3 default=ignore] pam_centrifydc.so
    password   requisite      pam_centrifydc.so deny
    password   [success=1 default=ignore]      pam_unix.so obscure sha512
    password   requisite      pam_deny.so
    password   required      pam_permit.so
    password   optional      pam_gnome_keyring.so
    password   optional      pam_ecryptfs.so

 

In the above example, once authentication with pam_centrifydc.so succeeds, the next "3" rules are skipped, and so pam_permit.so and its subsequent modules are called. So for the AD user, successful authentication will cause PAM to jump to pam_permit.so line and continue.

 

Participant I
Posts: 1
Registered: ‎03-07-2013
#5 of 5

Re: Centrify DS improper PAM registration bug

Problem logging in as a local user after installing and configuring centrifydc on Ubuntu 12.04 Server?

 

Solution:

1. modify the following files (don't touch any other non-commented lines):

    File: common-account  (original)

         account                [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
         account                requisite                       pam_deny.so
         account                required                        pam_permit.so

    File: common-account  (modified)

         account                [success=3 default=ignore]     pam_centrifydc.so
         account                [success=2 new_authtok_reqd=done default=ignore]        pam_unix.so
         account                requisite      pam_centrifydc.so deny
         account                requisite                       pam_deny.so
         account                required                        pam_permit.so

 

    File: common-auth  (original)

         auth                       [success=1 default=ignore]      pam_unix.so nullok_secure
         auth                       requisite                       pam_deny.so
         auth                       required                        pam_permit.so

    File: common-auth  (modified)

         auth                       [success=3 default=ignore]     pam_centrifydc.so
         auth                       [success=2 default=ignore]      pam_unix.so nullok_secure
         auth                       requisite      pam_centrifydc.so deny
         auth                       requisite                       pam_deny.so
         auth                       required                        pam_permit.so

 

    File: common-password  (original)

         password            [success=1 default=ignore]      pam_unix.so obscure sha512
         password            requisite                       pam_deny.so
         password            required                        pam_permit.so

    File: common-password  (modified)

         password            [success=3 default=ignore]     pam_centrifydc.so try_first_pass
         password            [success=2 default=ignore]      pam_unix.so obscure sha512
         password            requisite      pam_centrifydc.so deny
         password            requisite                       pam_deny.so
         password            required                        pam_permit.so

 

Step 2:

modify /etc/centrifydc/user.ignore file

Simply add the local user name that you want to log in locally at the end of the above-mentioned file

i.e. add testuser at the end of the file user.ignore

 

Enjoy.
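The control-flow difference that post #1, KB-2495 (post #4) and post #5 describe, sufficient/requisite terminating the stack before pam_ecryptfs.so versus [success=N default=ignore] jumping to pam_permit.so and continuing, can be checked without a domain-joined box using the small stack simulator below. This is an added example, not code from the thread or from Centrify. It models the control semantics documented in pam.conf(5) (required, requisite, sufficient, optional, and the bracketed ok/done/bad/die/ignore/N actions). What each module returns for an Active Directory user versus a local user (pam_centrifydc.so passing over local users, its "deny" instance failing AD users that reach it, pam_unix.so failing for AD users) is an assumption made for the simulation, and the three stacks are constructed from the configurations quoted in the thread.

```python
"""Simulate Linux-PAM stack control flow for the common-auth variants in this thread.
Added example, not Centrify's code. Control semantics follow pam.conf(5); what each
module returns for an AD versus a local user is an assumption (see fake_module).
"""
SUCCESS, AUTH_ERR, IGNORE, PERM_DENIED = "success", "auth_err", "ignore", "perm_denied"

# Shorthand controls in their [value=action] form, as pam.conf(5) defines them.
SHORTHAND = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

def parse_stack(text):
    """Parse pam.d lines ('type control module [args...]') into (actions, module, args)."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        _, rest = line.split(None, 1)
        if rest.startswith("["):             # bracketed control may contain spaces
            ctrl, rest = rest[1:].split("]", 1)
            actions = dict(kv.split("=", 1) for kv in ctrl.split())
        else:
            ctrl, rest = rest.split(None, 1)
            actions = SHORTHAND[ctrl]
        parts = rest.split()
        stack.append((actions, parts[0], parts[1:]))
    return stack

def fake_module(module, args, user):
    """Assumed module behaviour; user = {"ad": bool, "good_pw": bool}."""
    if module == "pam_centrifydc.so":
        if "deny" in args:                   # assumption: 'deny' instance fails AD users, ignores local ones
            return AUTH_ERR if user["ad"] else IGNORE
        if not user["ad"]:                   # assumption: local users are passed over, not failed
            return IGNORE
        return SUCCESS if user["good_pw"] else AUTH_ERR
    if module == "pam_unix.so":              # an AD user has no local password hash
        return SUCCESS if (not user["ad"] and user["good_pw"]) else AUTH_ERR
    if module == "pam_deny.so":
        return AUTH_ERR
    return SUCCESS                           # pam_permit.so and optional modules like pam_ecryptfs.so

def run_stack(stack, user):
    """Walk the stack like the dispatcher; return (final status, modules actually called)."""
    impression, status = None, PERM_DENIED   # None: no module has contributed to the result yet
    called, skip, i = [], 0, 0
    while i < len(stack):
        actions, module, args = stack[i]
        i += 1
        if skip:                             # inside a numeric jump: the module is not even called
            skip -= 1
            continue
        retval = fake_module(module, args, user)
        called.append(module + (" deny" if "deny" in args else ""))
        action = actions.get(retval, actions["default"])
        if action == "ignore":
            continue
        if action in ("bad", "die"):
            if impression != "neg":          # the first failure decides the stack's return value
                impression, status = "neg", retval
            if action == "die":
                break
            continue
        # ok, done or a numeric jump ('ok' plus skip N): adopt this result unless a failure is recorded
        if impression is None or (impression == "pos" and status == SUCCESS):
            if retval != IGNORE:
                impression, status = "pos", retval
        if action == "done" and impression == "pos":
            break
        if action.isdigit():
            skip = int(action)
    return status, called

# Constructed from the thread: Centrify's inserted lines plus Ubuntu's defaults (post #1), KB-2495, post #5.
ORIGINAL = """
auth sufficient pam_centrifydc.so
auth requisite pam_centrifydc.so deny
auth [success=1 default=ignore] pam_unix.so nullok_secure
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ecryptfs.so unwrap
"""
KB2495 = ORIGINAL.replace("sufficient pam_centrifydc.so", "[success=3 default=ignore] pam_centrifydc.so")
POST5 = """
auth [success=3 default=ignore] pam_centrifydc.so
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth requisite pam_centrifydc.so deny
auth requisite pam_deny.so
auth required pam_permit.so
"""
AD_OK, AD_BAD = {"ad": True, "good_pw": True}, {"ad": True, "good_pw": False}
LOCAL_OK, LOCAL_BAD = {"ad": False, "good_pw": True}, {"ad": False, "good_pw": False}

def outcome(config, user):
    """(final status, whether pam_ecryptfs.so ever ran) for one config and one user."""
    status, called = run_stack(parse_stack(config), user)
    return status, "pam_ecryptfs.so" in called

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL), ("KB-2495", KB2495), ("post #5", POST5)):
        for uname, u in (("AD ok", AD_OK), ("AD bad", AD_BAD), ("local ok", LOCAL_OK), ("local bad", LOCAL_BAD)):
            print(f"{name:9} {uname:9} -> {outcome(cfg, u)}")
```

Running it shows the point of the thread: with the original lines an AD user authenticates but pam_ecryptfs.so is never called, whereas with the KB-2495 rewrite the same user lands on pam_permit.so and the optional modules run, while a wrong password is still stopped by the requisite "deny" line. Post #5's ordering works for the local-user path because pam_unix.so's success=2 jumps over the "deny" line; swap the two jump counts and the local user would be rejected.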