
We currently have some local users with the uid 5001-5010 and some users with the range 1001-1010.

The issue we are seeing is that when a user in the 5000 range tries to authenticate, it would appear it keeps trying to use the same uid=1001 regardless of who is trying to authenticate. If I change the uid of one user in the 5001 range to 1001, authentication works.

I can't quite tell where in the configuration this could be causing the issue.

pam file

auth     required  pam_nologin.so
auth     required  pam_securetty.so
auth     required  pam_env.so
auth     include   system-auth  service=system-auth
account  include   system-auth  service=system-auth
session  include   system-auth  service=system-auth

Auth error

Mar  1 14:52:08 dev-host apphttpd: pam_unix(pamwebapp:auth): authentication failure; logname= uid=1001 euid=1001 tty= ruser= rhost=  user=user1

As previously mentioned, if I change a user to match uid=1001 then they can authenticate. Any guidance would be greatly appreciated.

Thanks

1 Answer

You said "PAM file". There are many PAM files. PAM can be a little cryptic, but basically for a given service, like SSH for example, there is /etc/pam.d/sshd. Its contents will be something like

auth        requisite   pam_nologin.so
auth        include     common-auth
account     requisite   pam_nologin.so
account     include     common-account
password    include     common-password
session     required    pam_loginuid.so
session     include     common-session
session     optional    pam_lastlog.so   silent noupdate showfailed

Without giving a PAM tutorial, the basic thing to understand is the include in the 2nd column, which references or includes that /etc/pam.d/<filename>.

You need to understand what files are under /etc/pam.d/. You posted what looks like /etc/pam.d/login. My pam.d/login is

auth     requisite      pam_nologin.so
auth     [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  required       pam_loginuid.so
session  include        common-session
session  optional       pam_lastlog.so  nowtmp
session  optional       pam_mail.so standard
session  optional       pam_ck_connector.so

It should become quickly obvious that PAM files will tree down to a handful of core include files. Find those. Also realize something like /etc/pam.d/sshd is only relevant when logging in via SSH, not at a keyboard connected to the system, which would be handled by /etc/pam.d/login. So you need to identify whatever process or service is happening which is trying to do the authenticating, which then relies on that specific PAM file. As far as I'm aware PAM does not do UID remapping; if that's what's happening, it's happening above/before/outside of PAM.

Default PAM files can vary greatly between Linux distributions (Red Hat, SLES, Ubuntu, Debian, Mint, and so on).

ron
Thanks ron, I think you're right. I think the question I'm asking is wrong. The problem appears to be why the application I'm trying to authenticate against only accepts the uid=1001 regardless of who is trying to login. If you have any ideas why this would be the case or where I should be narrowing down that would be great – Sinergi Mar 02 '19 at 16:22
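The answer's advice is to start from the service name in the log line (`pam_unix(pamwebapp:auth)` names the file /etc/pam.d/pamwebapp) and then follow the `include`/`substack` lines down to the core files to see which modules actually run. The following is an added example, not code from the question or the answer, that does exactly that: it pulls the service and management group out of a PAM syslog line and flattens the effective module stack, following includes and refusing include loops. The `SAMPLE_PAMD` dict is a constructed stand-in for /etc/pam.d/ (the questioner's file plus an assumed `system-auth`); on a real host you would read the files from that directory instead.

```python
import re
from typing import Dict, List, Tuple
# Constructed stand-in for /etc/pam.d/ (file name -> contents); not a real system's files.
SAMPLE_PAMD: Dict[str, str] = {
    "pamwebapp": (
        "auth     required  pam_nologin.so\n"
        "auth     required  pam_securetty.so\n"
        "auth     required  pam_env.so\n"
        "auth     include   system-auth  service=system-auth\n"
        "account  include   system-auth  service=system-auth\n"
        "session  include   system-auth  service=system-auth\n"
    ),
    "system-auth": (  # assumed contents for the example
        "auth     required   pam_env.so\n"
        "auth     sufficient pam_unix.so nullok try_first_pass\n"
        "auth     required   pam_deny.so\n"
        "account  required   pam_unix.so\n"
        "session  required   pam_unix.so\n"
    ),
}

# "pam_unix(pamwebapp:auth)": the service name is the /etc/pam.d/ file that was used.
LOG_RE = re.compile(r"pam_\w+\((?P<service>[^:()]+):(?P<group>\w+)\)")
# type   control (plain word or [bracketed=list])   module   optional args
RULE_RE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def service_from_log(line: str) -> Tuple[str, str]:
    """Return (service, management group) from a PAM syslog line."""
    m = LOG_RE.search(line)
    if not m:
        raise ValueError("no PAM service marker in log line")
    return m.group("service"), m.group("group")

def effective_stack(service: str, group: str, files: Dict[str, str],
                    chain: Tuple[str, ...] = ()) -> List[str]:
    """Flatten the `group` rules of /etc/pam.d/<service>, following include/substack."""
    if service in chain:  # a file that (indirectly) includes itself would never terminate
        raise RuntimeError("include loop: " + " -> ".join(chain + (service,)))
    stack: List[str] = []
    for raw in files.get(service, "").splitlines():
        m = RULE_RE.match(raw.split("#", 1)[0].strip())  # drop comments and blank lines
        if not m or m.group(1).lstrip("-") != group:      # "-auth" means optional module
            continue
        control, module, args = m.group(2, 3, 4)
        if control in ("include", "substack"):
            stack.extend(effective_stack(module, group, files, chain + (service,)))
        else:
            stack.append(f"{control} {module} {args}".strip())
    return stack
```

For the log line in the question, the flattened `auth` stack ends in `pam_unix.so` from `system-auth`, which is the module that reports the failure; nothing in that chain rewrites UIDs, so the uid=1001 in the message is what the calling process (apphttpd) was already running as.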