No login at console when root disabled?

[chemlud]

Hi again!

Have here a 16.1.15 i386 full on a notebook, root is disabled, another user is admin on this machine. :-)

Works fine, except that I cannot log in to the console on the notebook monitor when password is activated for log-in. Credentials for the admin user gives me in the console:

"This user is currently not available."

Does not matter if the user is logged in via https or not...

Bug or feature? ;-)

[fabian]

The user needs the shell permission.

[chemlud]

Hi Fabian!

Thanks, that helps a lot! :-D

But when I log in, I get the shell prompt, not the usual 1-9 "shutdown", "reboot", restart Webinterface" menu. Any way to com to this menu in the console?

regards

chemlud

[phoenix]

Is this user a member of the Admin group?

[chemlud]

Yepp, it's the admin, in group admin.

[weust]

That behaviour is still normal, sadly.

[franco]

Ad picked this up in a ticket, I've added a longer comment on how to achieve the essence of what is requested without making the system less secure.

Points:

1) we should not clone root accounts as this has no security benefit

2) the non-root users don't work reliably with the root shell as privilege separation is not good enough

3) sudo


[1] https://github.com/opnsense/core/issues/990

[weust]

But does sudo give you the menu where you can select something like upgrade or assigning interfaces, etc?

[franco]

Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su

[chemlud]

Hy!

OK, will try! Is there a console in the GUI? Or run from serial console?

[weust]

Once /usr/local/etc/sudoers is correctly set up (there is no GUI for this...yet), you can do:

# sudo su

Oh, ok. I get what you mean now.
Next I would need LDAP integration as I don't have local accounts except the root account.
A least, last time I tried it didn't work. domain\username or simply username doesn't seem to work like in the webpage.

[franco]

Something like this would probably be needed for real LDAP-backed accounts:

http://www.padl.com/OSS/pam_ldap.html

[weust]

If it's possible to create a package for that, then it will really help me.

At work I can log in with my Windows Domain account on SLES servers.
No doubt the same software or something similar.
Works great.

[franco]

It's there under security/pam_ldap, I can add it to the packages for 16.1.17.

[weust]

Cool! Will test it then.