For some reason, some of my servers have been having trouble with AD authentication. The symptoms: when logging into the console with an AD-enabled account (i.e. an account that should be authenticated by AD), the system reports the password as incorrect even though the correct password was supplied. On providing the username a second time, the user is immediately granted access without being asked for a password at all. That second part is the worrying one: a login that succeeds without any password is an authentication bypass, not just an annoyance, so a host showing this symptom should be fixed before anything else.
I'm not sure what explains the denied-once-then-authorized-on-name-alone behaviour, but after some testing I found that the reason the user is refused the first time is that the lines for pam_unix and pam_kerberos (pam_krb5, to be exact) in /etc/pam.d/system-auth are reversed: pam_unix should come before pam_krb5. I have no idea what is reversing these lines in the configuration file. I configure all of the authentication and security settings with the esxcfg-... commands, so it is odd that the behaviour only started showing up with the blade servers.
Anyway, the fix, in two files: one bash script and one awk script…
```bash
#!/bin/bash
#
# cfg-adlogin-fix.sh - written by Andrew Sullivan 2009-01-05
#
# Report bugs and request improvements at http://get-admin.com/blog/?p=337
#
# This script and its accompanying awk script simply reverse the two lines
# in /etc/pam.d/system-auth that control the order of the pam_unix and
# pam_kerberos authentication modules.
#
# Examples:
#   Apply the fix...
#     ./cfg-adlogin-fix.sh
#

PAM_FILE=/etc/pam.d/system-auth
BACKUP=$PAM_FILE.pre_ad_fix
# The awk script lives next to this one, so the fix works from any cwd.
AWK_FIX="$(dirname "$0")/ad_login_fix.awk"

echo "Creating backup of $PAM_FILE"
cp "$PAM_FILE" "$BACKUP" || exit 1

echo "Applying fix (reversing pam_unix and pam_kerberos lines)"
# Write to a temp file first: redirecting awk straight into $PAM_FILE would
# truncate it before awk runs, and an awk failure would leave an empty PAM
# stack behind (nobody could log in).
TMP=$(mktemp "$PAM_FILE.XXXXXX") || exit 1
if "$AWK_FIX" "$BACKUP" > "$TMP"; then
    chmod 644 "$TMP" && mv "$TMP" "$PAM_FILE"
else
    rm -f "$TMP"
    echo "awk failed; $PAM_FILE left untouched" >&2
    exit 1
fi

echo "Fix applied..."
echo
diff "$BACKUP" "$PAM_FILE"
```
```awk
#!/bin/awk -f
#
# ad_login_fix.awk
#
# This file should be saved under the above file name in the same directory
# as cfg-adlogin-fix.sh
#
# The functionality is quite simple... store each line in an array, look at
# it, check whether certain fields match what we want and, if so, store the
# position. At the end, if the lines are reversed, swap them, then print each
# line of the file in the new order.
#
BEGIN {
    # -1 means "not seen yet". With the default value of 0, a file with no
    # pam_krb5 line would otherwise get line 0 (normally "#%PAM-1.0")
    # swapped with the pam_unix line.
    krb5_pos = -1
    unix_pos = -1
}
{
    file[i++] = $0
    if (($1 == "auth") && ($2 == "sufficient")) {
        if ($3 ~ /pam_krb5/) {
            krb5_pos = i - 1
        } else if ($3 ~ /pam_unix/) {
            unix_pos = i - 1
        }
    }
}
END {
    # Only swap when both lines exist and pam_krb5 currently comes first.
    if (krb5_pos >= 0 && unix_pos >= 0 && krb5_pos < unix_pos) {
        temp = file[krb5_pos]
        file[krb5_pos] = file[unix_pos]
        file[unix_pos] = temp
    }
    for (x = 0; x < i; x++) {
        print file[x]
    }
}
```
I almost forgot how much fun awk can be (no, really…).
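Since the reversed lines appeared on their own, it is worth being able to find affected hosts before users hit the bad login rather than after. The check below is an added example, not a script from the original post: it reports whether a system-auth style file has pam_unix before pam_krb5 ("ok"), the other way round ("reversed"), or lacks one of the two "auth sufficient" lines ("missing"), using the same matching rule as the fix script. The three sample files it builds are constructed for the demo; the /lib/security/$ISA/ paths and the likeauth, nullok and use_first_pass options are assumptions about the service console's PAM layout, not copied from the post.

```bash
#!/bin/bash
# Added example (not from the original post): audit a system-auth style file
# for the pam_unix / pam_krb5 ordering problem. Exit status of pam_auth_order:
#   0 = "ok"       pam_unix precedes pam_krb5
#   1 = "reversed" pam_krb5 precedes pam_unix (the broken state)
#   2 = "missing"  one or both "auth sufficient" lines are absent
# The sample configs in make_samples are constructed; the /lib/security/$ISA/
# paths and the module options are assumptions, not taken from the post.

pam_auth_order() {
    awk '
    BEGIN { unix_pos = -1; krb5_pos = -1 }
    # Same rule as the fix script: only "auth sufficient" lines count, and
    # the first occurrence of each module is the one that matters.
    $1 == "auth" && $2 == "sufficient" {
        if ($3 ~ /pam_unix/ && unix_pos < 0) unix_pos = NR
        if ($3 ~ /pam_krb5/ && krb5_pos < 0) krb5_pos = NR
    }
    END {
        if (unix_pos < 0 || krb5_pos < 0) { print "missing";  exit 2 }
        if (krb5_pos < unix_pos)          { print "reversed"; exit 1 }
        print "ok"; exit 0
    }' "$1"
}

# Constructed sample files for the demo; sets SAMPLE_DIR.
make_samples() {
    SAMPLE_DIR=$(mktemp -d) || return 1
    # Working order: pam_unix first, then pam_krb5.
    cat > "$SAMPLE_DIR/good" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
EOF
    # The broken state: pam_krb5 has moved above pam_unix.
    cat > "$SAMPLE_DIR/reversed" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_krb5.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
EOF
    # No Kerberos line at all (a host that never had AD auth enabled).
    cat > "$SAMPLE_DIR/missing" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
EOF
}

# Usage: ./pam-order-check.sh /etc/pam.d/system-auth [more files...]
# With no arguments only the function definitions are loaded.
for f in "$@"; do
    printf '%s: ' "$f"
    pam_auth_order "$f"
done
```

Run it against /etc/pam.d/system-auth on each host (the exit status makes it easy to drive from a loop over ssh) and only apply the fix script where it says "reversed"; "missing" hosts need the Kerberos line added rather than swapped, and the fix script would leave them untouched.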