Discussion:
[Ltsp-discuss] password not accepted when sudo'ing within fat client
Tim
2016-05-16 12:48:27 UTC
I installed LTSP on top of Ubuntu Server 14.04. I have just about everything working, except I cannot sudo within the client. My user (mythltsp) is added to the server and is part of the sudo group on the server.

Commands executed on the LTSP server:
cat /etc/passwd | grep mythltsp
mythltsp:x:1001:1001::/home/mythltsp
cat /etc/group | grep mythltsp
sudo:x:27:mythltsp
mythtv:x:122:mythltsp
mythltsp:x:1001:


When opening up a terminal on the client and trying to sudo, it prompts me for my password, but it never accepts my password. I know the password is correct, because I use it to auto-log into the client at boot. I also edited the sudoers file so that it shouldn't even prompt for a password, but that doesn't seem to work either, it still prompts me for a password and yet doesn't proceed even with the correct password, it just keeps saying the password is incorrect.

/opt/ltsp/amd64/etc/sudoers file has both of these which I would suspect should work:
mythltsp ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL

The image was rebuilt and contains this config.


auth log has the following when attempting to type in my password during a sudo command:

May 16 08:36:52 ltsp17 sudo: pam_unix(sudo:auth): conversation failed
May 16 08:36:52 ltsp17 sudo: pam_unix(sudo:auth): auth could not identify password for [mythltsp]
May 16 08:36:55 ltsp17 sudo: pam_unix(sudo:auth): authentication failure; logname=mythltsp uid=1001 euid=0 tty=/dev/pts/1 ruser=mythltsp rhost= user=mythltsp


I'm running mythfrontend on my clients and I cannot reboot or shutdown from mythfrontend, I believe the issues may be tied together because when I attempt to reboot or shutdown the client from mythfrontend, I get this same thing in the auth log:

May 16 08:46:14 ltsp17 sudo: pam_unix(sudo:auth): conversation failed
May 16 08:46:14 ltsp17 sudo: pam_unix(sudo:auth): auth could not identify password for [mythltsp]

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
Vagrant Cascadian
2016-05-16 14:46:02 UTC
Post by Tim
I installed LTSP on top of Ubuntu Server 14.04. I have just about
everything working, except I cannot sudo within the client. My user
(mythltsp) is added to the server and is part of the sudo group on the
server.
Up until fairly recently, the LTSP clients had no way of authenticating
using passphrase credentials. LTSP Thin clients merely logged into the
server, and LTSP Fat clients (and/or localapps) did some hacks to
configure the user and group information on the client, but stored no
authentication credentials.

If the client is running LDM 2.2.14 or later, you should be able to
set LDM_PASSWORD_HASH=True in lts.conf, which stores a hash of the
passphrase used to log in and should allow pam to complete.

If you need a newer version of LDM and/or LTSP, there is a PPA that
includes newer versions of LTSP and related software:

https://launchpad.net/~ts.sch.gr/+archive/ubuntu/ppa


live well,
vagrant
Mahmoud Ramadan
2016-05-16 15:17:07 UTC
The root account on the fat client should be in the fat client image, not
the server. Chroot into the fat client and then use the passwd command to
reset the root password to the one you choose then rebuild the image again,
restart your fat client to download the new image with the new password and
you are done.

Best Regards,

Mahmoud Ramadan Ali

Network and VOIP Specialist.

Mobil: (+2) 01276877112

Blog <http://hotciscolabs.blogspot.com/>| Website
<http://telecomandsecurity.com/>| LinkedIn
<http://ch.linkedin.com/pub/mahmoud-ali/99/923/421/en>
Post by Vagrant Cascadian
Post by Tim
I installed LTSP on top of Ubuntu Server 14.04. I have just about
everything working, except I cannot sudo within the client. My user
(mythltsp) is added to the server and is part of the sudo group on the
server.
Up until fairly recently, the LTSP clients had no way of authenticating
using passphrase credentials. LTSP Thin clients merely logged into the
server, and LTSP Fat clients (and/or localapps) did some hacks to
configure the user and group information on the client, but stored no
authentication credentials.
If the client is running LDM 2.2.14 or later, you should be able to
set LDM_PASSWORD_HASH=True in lts.conf, which stores a hash of the
passphrase used to log in and should allow pam to complete.
If you need a newer version of LDM and/or LTSP, There is a PPA that
https://launchpad.net/~ts.sch.gr/+archive/ubuntu/ppa
live well,
vagrant
Tim K
2016-05-17 01:30:05 UTC
Post by Vagrant Cascadian
Up until fairly recently, the LTSP clients had no way of authenticating
using passphrase credentials. LTSP Thin clients merely logged into the
server, and LTSP Fat clients (and/or localapps) did some hacks to
configure the user and group information on the client, but stored no
authentication credentials.
If the client is running LDM 2.2.14 or later, you should be able to
set LDM_PASSWORD_HASH=True in lts.conf, which stores a hash of the
passphrase used to log in and should allow pam to complete.
If you need a newer version of LDM and/or LTSP, There is a PPA that
https://launchpad.net/~ts.sch.gr/+archive/ubuntu/ppa
live well,
vagrant
Thanks for the info, my issue was a combination of a few things.

1. I needed LDM_PASSWORD_HASH=True
2. In the /etc/sudoers file, I needed to move my user all the way to the
bottom; this is why it was still prompting me for my password even
though I set it to NOPASSWD; the bottommost entry that a user matches
is the one that is used.
3. I had installed that ppa on the server, but it was after I already
built my chroot, so my img had the old version in it for LDM. So I
added that ppa within the chroot as well as the server and updated it
and then it worked.
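
Added example, not part of the original thread: a small resolver that shows why the entry order described in point 2 matters, by reporting which sudoers entry takes effect for a user when several match (sudo applies the last match). The sample files are constructed from the two lines quoted earlier in the thread, and the parser assumes a simplified sudoers subset (one entry per line, no aliases, includes or continuations).

```python
"""Added example: find which sudoers entry takes effect for a user.

Simplified subset only (assumption): one entry per line, no aliases, no
#include files, no line continuations; host and command lists are not checked.
"""

# Constructed sample with the ordering quoted in the thread.
SUDOERS_BEFORE = """\
# User privilege specification
root ALL=(ALL:ALL) ALL
mythltsp ALL=(ALL) NOPASSWD: ALL
%sudo ALL=(ALL:ALL) ALL
"""

# Constructed sample with the user's entry moved to the bottom.
SUDOERS_AFTER = """\
# User privilege specification
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
mythltsp ALL=(ALL) NOPASSWD: ALL
"""


def effective_entry(text, user, groups):
    """Return (lineno, entry, needs_password) for the last matching entry, or None."""
    result = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        parts = line.split(None, 1)
        if len(parts) < 2 or "=" not in parts[1]:
            continue
        who, spec = parts
        matches = (who in (user, "ALL")
                   or (who.startswith("%") and who[1:] in groups))
        if matches:
            # Later matches overwrite earlier ones: sudo uses the last match.
            result = (lineno, line, "NOPASSWD:" not in spec)
    return result


if __name__ == "__main__":
    groups = {"sudo", "mythtv", "mythltsp"}  # memberships shown in the thread
    for name, text in (("before", SUDOERS_BEFORE), ("after", SUDOERS_AFTER)):
        lineno, entry, needs_pw = effective_entry(text, "mythltsp", groups)
        print(f"{name}: line {lineno}: {entry!r} -> password required: {needs_pw}")
```

On a real system, `visudo -c -f <file>` checks the syntax of an edited sudoers file and `sudo -l -U <user>` lists the entries sudo applies to that user.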
