PAM/Kerberos requiring local accounts
Jeff Mitchell
jam6 at cec.wustl.edu
Sun May 2 09:57:07 UTC 2004
Folks--
I'm trying to use PAM authentication (with Kerberos) and am running into troubles.
I'm setting up eGroupWare (PHP, using pam_auth as shown below) to use PAM authentication. I've set up the necessary httpd/php files in /etc/pam.d with the following:
#%PAM-1.0
auth required /lib/security/pam_krb5.so
account required /lib/security/pam_krb5.so
(output of my /etc/krb5.conf file at the bottom)
However, when the user attempts to log in with eGW, they will only authenticate correctly if an account of the same name exists on the local machine that eGW is on. Even though the password that is required for them to log in is the correct one (i.e. if the password on the local machine and the Kerberos server are different, the Kerberos one is the one that is accepted, which is correct behavior), I can't get them to log in unless there is an account on the local machine. I've tried this several times now -- a person cannot log in, so I do an adduser using the same username but a different password, and suddenly they can log in just fine (with the password the Kerberos server is expecting). This seems like a PAM issue, not eGW, so I'm posting it here in the hopes that someone will know why this is the case. We're going to be having over 1500 users authenticating against this installation of eGW (if all goes well) so obviously creating local accounts for all of them is not a great idea.
Thanks, everyone!
My stats:
uname -a:
Linux helllp.int.valid.domain.name 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux
pam_auth 0.4 from http://www.math.ohio-state.edu/~ccunning/pam_auth/
mysql -V
/usr/bin/mysql Ver 12.22 Distrib 4.0.18, for pc-linux-gnu (i686)
apache -v
Server version: Apache/1.3.29 (Debian GNU/Linux)
Server built: Mar 10 2004 19:07:32
eGroupWare version 0.9.99.015
php -v:
PHP 4.3.4 (cli) (built: Mar 27 2004 08:04:22)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
I *believe* I'm using krb5 1.3.3 and libpam 0.76-19, with libpam-krb5 1.0-8
contents of /etc/krb5.conf:
[libdefaults]
default_realm = VALID.DOMAIN.NAME
# The following krb5.conf variables are only for MIT Kerberos.
krb4_config = /etc/krb.conf
krb4_realms = /etc/krb.realms
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code
# are correct and overriding these specifications only serves to disable
# new encryption types as they are added, creating interoperability problems.
# default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
# default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
[realms]
VALID.DOMAIN.NAME = {
kdc = kdc1.valid.domain.name:88
kdc = kdc2.valid.domain.name:88
admin_server = kdc1.valid.domain.name
kpasswd_server = kdc1.valid.domain.name
}
[domain_realm]
[login]
krb4_convert = true
krb4_get_tickets = true
[pam]
debug = false
ticket_lifetime = 36000
renew_lifetime = 36000
forwardable = true
krb4_convert = false
[appdefaults]
kinit = {
renewable = true
forwardable= true
}
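The service file above runs pam_krb5 in both the auth and the account phase, and the reported symptom (correct Kerberos password, yet no login unless a local account exists) is what a failed account phase looks like from the application's side. As an added example that is not part of the original post, of pam_auth or of pam_krb5, the Python below parses a /etc/pam.d service file and simulates Linux-PAM's classic control-flag stacking for auth followed by account; the user names, the per-module results and the assumption that the account phase insists on a local passwd entry are constructed for illustration, not a verified diagnosis.

```python
from typing import Callable, List, Tuple
# Constructed copy of the httpd/php service file quoted in the post.
PAM_SERVICE_FILE = """\
#%PAM-1.0
auth required /lib/security/pam_krb5.so
account required /lib/security/pam_krb5.so
"""
ModuleResult = Callable[[str, str], bool]  # (phase, module) -> did the module succeed?

def parse_pam_service(text: str) -> List[Tuple[str, str, str]]:
    """Return (phase, control, module) triples, skipping comments and blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            phase, control, module, *_args = line.split()
            entries.append((phase.lower(), control.lower(), module))
    return entries

def run_phase(entries, phase: str, module_result: ModuleResult) -> bool:
    """Evaluate one phase with the classic required/requisite/sufficient/optional rules."""
    required_failed = passed = False
    optional_result = None
    for ph, control, module in entries:
        if ph != phase:
            continue
        ok = module_result(phase, module)
        if control == "requisite" and not ok:
            return False                       # abort the stack immediately
        if control in ("required", "requisite"):
            required_failed |= not ok          # remembered, but the stack keeps running
            passed |= ok
        elif control == "sufficient" and ok and not required_failed:
            return True                        # short-circuit success
        elif control == "optional" and optional_result is None:
            optional_result = ok               # only decides when nothing else does
    return not required_failed and (passed or bool(optional_result))

def login_allowed(entries, module_result: ModuleResult) -> bool:
    """Applications call pam_authenticate() and then pam_acct_mgmt(); both must pass."""
    return run_phase(entries, "auth", module_result) and run_phase(entries, "account", module_result)

LOCAL_ACCOUNTS = {"alice"}  # constructed: names present in the local passwd database
def krb5_like_results(user: str, kerberos_password_ok: bool) -> ModuleResult:
    """Constructed model of the symptom (an assumption): auth judges the Kerberos password,
    account passes only for a user who also has a local account."""
    def module_result(phase: str, module: str) -> bool:
        return kerberos_password_ok if phase == "auth" else user in LOCAL_ACCOUNTS
    return module_result
ENTRIES = parse_pam_service(PAM_SERVICE_FILE)
```

Calling pam_authenticate() and pam_acct_mgmt() separately against the real service with a small libpam test client is the quickest way to see which phase is rejecting a user who has no local account.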