PAM/Kerberos requiring local accounts
Jeff Mitchell
jam6 at cec.wustl.edu
Wed May 5 08:53:06 UTC 2004
Van--
Thanks for your reply!
We have a different server (a Solaris one) that runs Kerberos and uses
NIS/ypserv for account information...it's possible that we could do that on
this box as well so I may be getting back to you for help on such a setup
(though not anytime especially soon)...thank you for the offer.
I guess though that I'm not really understanding why it's necessary. For
the setup that I need this for, I'm completely uninterested as to their
account details, UIDs, GIDs, etc. I want to know only one thing: according
to the Kerberos servers, is this a correct username and password
combination? The user isn't doing anything local to the box, so they don't
even need a UID...and indeed, the function that calls the PAM authentication
with the module I'm using (called pam_auth()) only returns one thing: true
or false.
Kerberos, I keep getting told, is for authentication only...which is exactly
why I want it. How weird then that I can't simply specify in my pam.d that
I *want* authentication and authentication only...
Jeff
----- Original Message -----
From: "Van Emery (Mei Feng)" <emeryvl at iis.sinica.edu.tw>
To: "Pluggable Authentication Modules" <pam-list at redhat.com>
Cc: <jam6 at cec.wustl.edu>
Sent: Wednesday, May 05, 2004 1:04 AM
Subject: Re: PAM/Kerberos requiring local accounts
> Jeff,
>
> I found the same thing using mod_auth_pam with TLS on Apache 2. We are
> running Kerberos authentication in our lab.
>
> We use NIS for global UID/GID/userinfo, and Kerb for auth. If you
> comment out the "account" line in /etc/pam.d/httpd, then authentication
> fails:
>
> #%PAM-1.0
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
> auth required /lib/security/$ISA/pam_deny.so
>
> #account required /lib/security/$ISA/pam_krb5.so
>
> If I re-enable it, authentication for Kerberos users works. The next
> test I tried was with stopping the NIS servers (ypserv) on my KDCs.
> This also caused an authentication failure with mod_auth_pam.
>
> My guess is that mod_auth_pam or PAM itself needs to lookup some
> information like UID, GID, or username through the nsswitch library.
>
> We get around this issue in the lab by adding a user in both NIS and
> Kerberos. NIS handles global UID/GID/username stuff, and Kerb handles
> authentication. You can put the NIS servers on the KDCs or somewhere
> else.
>
> If you decide to try this out, I have some documentation on the setup.
>
> Hope this helps,
>
> Van
>
> --
>
> ===================================
>
> Van Emery (Mei Feng)
>
> Academia Sinica IIS
> Room 402
> Tel: 2788-3799 x1457
>
> emeryvl <at> iis.sinica.edu.tw
>
> ===================================
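To make Van's observation concrete, here is an added example (not code from the thread, from mod_auth_pam or from Linux-PAM) that models libpam's control-flag dispatcher and runs it over the quoted /etc/pam.d/httpd stack, first with the account line commented out and then with it restored. The module return codes are constructed assumptions: pam_krb5 succeeds on a correct password, and is assumed to return PAM_USER_UNKNOWN when its minimum_uid check cannot resolve the user because ypserv is stopped; the fallback to /etc/pam.d/other for a missing module type is not modelled.

```python
PAM_SUCCESS, PAM_IGNORE, PAM_AUTH_ERR = "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR"
PAM_PERM_DENIED, PAM_USER_UNKNOWN = "PAM_PERM_DENIED", "PAM_USER_UNKNOWN"
# The /etc/pam.d/httpd stack from the thread, account line still commented out.
HTTPD_STACK = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth required /lib/security/$ISA/pam_deny.so
#account required /lib/security/$ISA/pam_krb5.so
"""
FIXED_STACK = HTTPD_STACK.replace("#account", "account")   # Van's working config
def parse_stack(text):
    """[(type, control, module)] per non-comment line; module reduced to its basename."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            entries.append((fields[0], fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries
def run_group(entries, group, outcomes):
    """Walk one management group (auth, account, ...) like libpam's dispatcher:
    required/requisite remember the first failure (requisite stops at once); a sufficient
    success grants and stops unless a failure is recorded; an optional success counts only
    if nothing decided yet. No entries or no verdict: PAM_PERM_DENIED (PAM_MUST_FAIL_CODE)."""
    impression, status = None, None    # None: undecided, True: positive, False: negative
    for mtype, control, module in entries:
        if mtype != group:
            continue
        rc = outcomes.get(module, PAM_IGNORE)
        if rc == PAM_IGNORE:
            continue
        if rc == PAM_SUCCESS:                                # "ok", or "done" for sufficient
            if impression is None or (impression and status == PAM_SUCCESS):
                impression, status = True, rc
            if control == "sufficient" and impression:
                return status                                # rest of the stack is skipped
        elif control in ("required", "requisite"):           # "bad" / "die"
            if impression is not False:
                impression, status = False, rc
            if control == "requisite":
                return status
    return PAM_PERM_DENIED if impression is None else status
def check_login(config, outcomes):
    """mod_auth_pam-style check: pam_authenticate(), then pam_acct_mgmt()."""
    entries = parse_stack(config)
    return run_group(entries, "auth", outcomes), run_group(entries, "account", outcomes)
# Constructed outcomes: correct Kerberos password with NIS reachable, and with ypserv
# stopped, assuming pam_krb5's minimum_uid lookup then fails with PAM_USER_UNKNOWN.
KRB_OK = {"pam_env.so": PAM_SUCCESS, "pam_krb5.so": PAM_SUCCESS, "pam_deny.so": PAM_AUTH_ERR}
NIS_DOWN = {**KRB_OK, "pam_krb5.so": PAM_USER_UNKNOWN}
```

With the account line commented out, `check_login(HTTPD_STACK, KRB_OK)` passes the auth group but the empty account group is denied; with `FIXED_STACK` both pass, and `NIS_DOWN` fails both groups once pam_krb5 can no longer resolve the user.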