OPNsense Forum
Archive => 16.1 Legacy Series => Topic started by: chemlud on June 03, 2016, 10:38:57 am
-
Hi again!
Have here a 16.1.15 i386 full on a notebook, root is disabled, another user is admin on this machine. :-)
Works fine, except that I cannot log in to the console on the notebook monitor when password is activated for log-in. Credentials for the admin user give me in the console:
"This user is currently not available."
Does not matter if the user is logged in via https or not...
Bug or feature? ;-)
-
The user needs the shell permission.
-
Hi Fabian!
Thanks, that helps a lot! :-D
But when I log in, I get the shell prompt, not the usual 1-9 "shutdown", "reboot", "restart Webinterface" menu. Any way to come to this menu in the console?
regards
chemlud
-
Is this user a member of the Admin group?
-
Yep, it's the admin, in group admin.
-
That behaviour is still normal, sadly.
-
Ad picked this up in a ticket, I've added a longer comment on how to achieve the essence of what is requested without making the system less secure.
Points:
1) we should not clone root accounts as this has no security benefit
2) the non-root users don't work reliably with the root shell as privilege separation is not good enough
3) sudo ;)
[1] https://github.com/opnsense/core/issues/990
-
But does sudo give you the menu where you can select something like upgrade or assigning interfaces, etc?
-
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:
# sudo su
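-
As an added illustration (not configuration from the thread or from the OPNsense project), a minimal sudoers policy for the setup described above; the group name "admins" and the logging default are assumptions, only the file path comes from the thread:

```sudoers
# Assumed minimal /usr/local/etc/sudoers (path as given in the thread).
# The group name "admins" is an assumption; check System > Access > Groups.
# Edit only with visudo so a syntax error cannot lock every admin out.

# Log every sudo invocation via syslog so escalation to root is auditable.
Defaults    syslog=auth

# Broad form implied by "sudo su": full root for the whole admins group.
# "sudo su" (or "sudo -i") then gives a root shell and the console menu.
%admins ALL=(root) ALL

# Narrower alternative: allow only a root login shell via su, nothing else.
# %admins ALL=(root) /usr/bin/su -
```

Only one of the two %admins lines should be active; the narrower one still requires the user's own password through sudo.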
-
Hi!
OK, will try! Is there a console in the GUI? Or run from serial console?
-
Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:
# sudo su
Oh, ok. I get what you mean now.
Next I would need LDAP integration as I don't have local accounts except the root account.
At least, last time I tried it didn't work. domain\username or simply username doesn't seem to work like in the webpage.
-
Something like this would probably be needed for real LDAP-backed accounts:
http://www.padl.com/OSS/pam_ldap.html
-
If it's possible to create a package for that, then it will really help me.
At work I can log in with my Windows Domain account on SLES servers.
No doubt the same software or something similar.
Works great.
-
It's there under security/pam_ldap, I can add it to the packages for 16.1.17.
-
Cool! Will test it then.
-
Snapshot package available :)
# pkg add https://pkg.opnsense.org/snapshots/pam_ldap-1.8.6_3.txz
-
Awesome! Will try it out tonight.
Thanks a lot.
-
Got the package installed, but finding a useful how to or documentation (that isn't 10+ years old) is damn hard.
After installing it tells you to copy a .dist file to a different name, edit it and create a file to which you add one line.
That's it. No clue on whether that is enough or how to login.
I tried it all. Just the username (as I use on the webconf), domain\username, username@domain.org.
And the usual plain password in a text file. Unbelievable...
-
Hi!
Logging in the serial console as a non-root admin user and then doing
su
and your password gives the 0-13 menu options for reboot etc :-D