RE: Success/Fail bug when calling modules more than once?



Thanks for your response Andrew.

I'm not sure actually!  How should I go about checking this?  As mentioned,
the first pam config file below does succeed, so I think auth is the right
thing to be using.

John

-----Original Message-----
From: Andrew Morgan 

Are you sure that it is the 'auth' sequence that is causing the failure 
or the 'setcred' sequence?

Cheers

Andrew

Cole, John wrote:
> I'm trying to implement login authentication via multiple KRB5 realms for an
> application.  Currently using RedHat 7.2 with pam-0.75-19.rpm  [Let me know
> what other version info might be needed!]
> 
> I'm observing some very strange behavior when using the same module more
> than once.   Although the module seems to succeed (per debug messages), PAM
> seems to return failure to the applications.
> 
> The following PAM file is used with success (which verifies I'm talking to
> the krb server a-ok)
> #%PAM-1.0
> auth        required      /lib/security/pam_env.so debug
> auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
> auth        required   /lib/security/pam_deny.so debug
> 
> What I'd like to do is something like:
> #%PAM-1.0
> auth        required      /lib/security/pam_env.so debug
> auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
> auth        sufficient /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
> auth        required   /lib/security/pam_deny.so debug
> 
> but it fails every time.
> 
> I've tried two different things, in an effort to debug WHY this happens. My
> first thought is that it'd be bad to authenticate again after getting a
> success.  So I changed things to:
> 
> #%PAM-1.0
> auth        required      /lib/security/pam_env.so debug
> auth        [success=2 default=ok] /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
> auth        [success=1 default=ok] /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
> auth        required   /lib/security/pam_deny.so debug
> 
> but that doesn't seem to work as the documentation I've seen indicates; i.e.
> that we'd skip over B realm if A realm passed.  I think my ultimate solution
> should be something like this, but I'm not sure where I went wrong.
> 
> So, in an effort to divide and conquer my problem, I changed to a case that
> I expected to succeed.  Making two requests to the realm that can
> authenticate the user.  Debug results from the krb module reports success
> both times, but PAM still returns failure!!!
> #%PAM-1.0
> auth        required      /lib/security/pam_env.so debug
> auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
> auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
> auth        required   /lib/security/pam_deny.so debug
> 
> I'm not sure if I've stumbled across 1-2 bugs, or if I'm way off base. Any
> help would be appreciated!
> 
> John
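
The `sufficient` stack and the `[success=N default=ok]` stack quoted above can be compared offline. The following is an added example, not code from the thread or from Linux-PAM: a simplified Python model of a single auth pass, assuming the control actions behave as documented in Linux-PAM's pam.conf(5). It does not model the `pam_setcred` pass, PAM 0.75 may differ, and the per-module return codes are constructed.

```python
# Added example: simplified model of one Linux-PAM auth pass (not libpam code).
# Assumptions: documented pam.conf(5) actions; no pam_setcred; constructed return codes.
SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"
KEYWORDS = {  # bracket equivalents of the keyword controls used in the thread
    "required": {"success": "ok", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}
ENV, A, B, DENY = "pam_env", "pam_krb5 realm=A", "pam_krb5 realm=B", "pam_deny"
SUFFICIENT = [("required", ENV), ("sufficient", A), ("sufficient", B), ("required", DENY)]
JUMPS = [("required", ENV), ("[success=2 default=ok]", A),
         ("[success=1 default=ok]", B), ("required", DENY)]
USER_IN_A = {ENV: SUCCESS, A: SUCCESS, B: AUTH_ERR, DENY: AUTH_ERR}
USER_IN_B = {ENV: SUCCESS, A: AUTH_ERR, B: SUCCESS, DENY: AUTH_ERR}

def parse_control(control):
    """Map 'sufficient' or '[success=2 default=ok]' to {value: action}."""
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_auth(stack, results):
    """Return (final status, modules called); unlisted actions act as 'ignore'."""
    status, negative, called, i = None, False, [], 0
    while i < len(stack):
        control, module = stack[i]
        rc = results[module]
        called.append(module)
        actions = parse_control(control)
        action = actions.get("success" if rc == SUCCESS else "default", actions["default"])
        i += 1
        if action in ("ok", "done"):
            # rc, even a failing one, replaces a status that was good so far
            if not negative and status in (None, SUCCESS):
                status = rc
            if action == "done" and not negative:
                break
        elif action in ("bad", "die"):
            if not negative:
                status, negative = rc, True
            if action == "die":
                break
        elif action.isdigit():  # jump over the next N modules, status unchanged
            if int(action) > len(stack) - i:
                raise ValueError("jump past the end of the stack")
            i += int(action)
    return status or AUTH_ERR, called  # no contributing module: modelled as failure

if __name__ == "__main__":
    for s in (SUFFICIENT, JUMPS): print(run_auth(s, USER_IN_A)[0], run_auth(s, USER_IN_B)[0])
```

In this model both stacks accept a user known to realm A, but for a user known only to realm B the jump form ends in `PAM_AUTH_ERR`: `default=ok` lets realm A's failure become the stack status, whereas `sufficient` ignores it.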