PAM/Kerberos requiring local accounts
Van Emery (Mei Feng)
emeryvl at iis.sinica.edu.tw
Wed May 5 06:04:52 UTC 2004
>I've tried dropping the account required line on both the php and httpd
>files in /etc/pam.d, but that doesn't help. I've also tried changing
>common-auth so that the first line is
>auth sufficient pam_krb5.so
>but this doesn't work either. I don't need any login information...
>(Mail authentication works, for instance, even though it doesn't return
>login information, but I'm not sure how secure it is)...I *just* need to
>know if the username and password are valid on the domain specified in my
>krb5.conf file.
>
>Any other ideas?
>
>Thanks,
>Jeff
Jeff,
I found the same thing using mod_auth_pam with TLS on Apache 2. We are
running Kerberos authentication in our lab.
We use NIS for global UID/GID/userinfo, and Kerb for auth. If you
comment out the "account" line in /etc/pam.d/httpd, then authentication
fails:
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth required /lib/security/$ISA/pam_deny.so
#account required /lib/security/$ISA/pam_krb5.so
If I re-enable it, authentication for Kerberos users works. The next
test I tried was with stopping the NIS servers (ypserv) on my KDCs.
This also caused an authentication failure with mod_auth_pam.
My guess is that mod_auth_pam or PAM itself needs to look up some
information like UID, GID, or username through the nsswitch library.
We get around this issue in the lab by adding a user in both NIS and
Kerberos. NIS handles global UID/GID/username stuff, and Kerb handles
authentication. You can put the NIS servers on the KDCs or somewhere
else.
If you decide to try this out, I have some documentation on the setup.
Hope this helps,
Van
--
===================================
Van Emery (Mei Feng)
Academia Sinica IIS
Room 402
Tel: 2788-3799 x1457
emeryvl <at> iis.sinica.edu.tw
===================================
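As an added diagnostic (not code from this thread), the Python check below models the guess made above: pam_krb5 is assumed to resolve the PAM user through getpwnam(), i.e. nsswitch and therefore NIS here, before it ever contacts the KDC, so a user missing from NIS fails before Kerberos is consulted and "auth required pam_deny.so" then fails the stack. The pam.d snippet is the one from the post; PwEntry and fake_nss are constructed stand-ins for a passwd/NIS map.

```python
import pwd
import re
from collections import namedtuple

# Constructed sample: the /etc/pam.d/httpd from the post, account line commented out.
PAM_HTTPD = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth required /lib/security/$ISA/pam_deny.so
#account required /lib/security/$ISA/pam_krb5.so
"""

def krb5_minimum_uid(pam_conf):
    """Return the minimum_uid argument of the first active 'auth ... pam_krb5.so' line."""
    for line in pam_conf.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0] == "auth" and len(fields) > 2 and fields[2].endswith("pam_krb5.so"):
            for arg in fields[3:]:
                m = re.fullmatch(r"minimum_uid=(\d+)", arg)
                if m:
                    return int(m.group(1))
            return None  # pam_krb5 is configured without minimum_uid
    return None

def check_nss_precondition(pam_conf, user, lookup=pwd.getpwnam):
    """Report whether 'user' passes the getpwnam() lookup pam_krb5 is assumed to do
    before contacting the KDC. If it does not, the 'sufficient' rule never succeeds
    and 'auth required pam_deny.so' fails the whole stack. Returns (ok, reason)."""
    min_uid = krb5_minimum_uid(pam_conf)
    try:
        pw = lookup(user)
    except KeyError:
        return False, f"{user}: no passwd/NIS entry, pam_krb5 cannot resolve the user"
    if min_uid is not None and pw.pw_uid < min_uid:
        return False, f"{user}: uid {pw.pw_uid} is below minimum_uid={min_uid}, pam_krb5 skips the user"
    return True, f"{user}: uid {pw.pw_uid} resolves via NSS, the Kerberos password check can run"

# Constructed stand-in for a NIS/passwd map so the check runs offline.
PwEntry = namedtuple("PwEntry", "pw_name pw_uid")

def fake_nss(directory):
    """getpwnam-like lookup over {name: uid}; unknown names raise KeyError as pwd does."""
    def lookup(name):
        if name not in directory:
            raise KeyError(name)
        return PwEntry(name, directory[name])
    return lookup
```

Run it against the real system by leaving the default lookup in place (pwd.getpwnam), which goes through nsswitch exactly as pam_krb5 would; a name that exists only in the Kerberos database and not in NIS is reported as unresolvable.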