PAM/Kerberos requiring local accounts

Jeff Mitchell jam6 at cec.wustl.edu
Sun May 2 09:57:07 UTC 2004


Folks--

I'm trying to use PAM authentication (with Kerberos) and am running into trouble.

I'm setting up eGroupWare (PHP, using pam_auth as shown below) to use PAM authentication.  I've set up the necessary httpd/php files in /etc/pam.d with the following:

#%PAM-1.0
auth        required    /lib/security/pam_krb5.so
account     required    /lib/security/pam_krb5.so

(output of my /etc/krb5.conf file at the bottom)

However, when the user attempts to log in with eGW, they will only authenticate correctly if an account of the same name exists on the local machine that eGW is on.  Even though the password that is required for them to log in is the correct one (i.e. if the password on the local machine and the Kerberos server are different, the Kerberos one is the one that is accepted, which is correct behavior), I can't get them to log in unless there is an account on the local machine.  I've tried this several times now -- a person cannot log in, so I do an adduser using the same username but a different password, and suddenly they can log in just fine (with the password the Kerberos server is expecting).  This seems like a PAM issue, not eGW, so I'm posting it here in the hopes that someone will know why this is the case.  We're going to be having over 1500 users authenticating against this installation of eGW (if all goes well) so obviously creating local accounts for all of them is not a great idea.

Thanks, everyone!


My stats:

uname -a:
Linux helllp.int.valid.domain.name 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST 2002 i686 GNU/Linux


pam_auth 0.4 from http://www.math.ohio-state.edu/~ccunning/pam_auth/


mysql -V
/usr/bin/mysql Ver 12.22 Distrib 4.0.18, for pc-linux-gnu (i686)


apache -v
Server version: Apache/1.3.29 (Debian GNU/Linux)
Server built: Mar 10 2004 19:07:32


eGroupWare version 0.9.99.015


php -v:
PHP 4.3.4 (cli) (built: Mar 27 2004 08:04:22)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies


I *believe* I'm using krb5 1.3.3 and libpam 0.76-19, with libpam-krb5 1.0-8


contents of /etc/krb5.conf:
[libdefaults]
        default_realm = VALID.DOMAIN.NAME
# The following krb5.conf variables are only for MIT Kerberos.
        krb4_config = /etc/krb.conf
        krb4_realms = /etc/krb.realms
        kdc_timesync = 1
        ccache_type = 4
        forwardable = true
        proxiable = true
# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code 
# are correct and overriding these specifications only serves to disable
# new encryption types as they are added, creating interoperability problems.
#       default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#       default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

[realms]
VALID.DOMAIN.NAME = {
        kdc = kdc1.valid.domain.name:88
        kdc = kdc2.valid.domain.name:88
        admin_server = kdc1.valid.domain.name
        kpasswd_server = kdc1.valid.domain.name
}

[domain_realm]

[login]
        krb4_convert = true
        krb4_get_tickets = true

[pam]
        debug = false
        ticket_lifetime = 36000
        renew_lifetime = 36000
        forwardable = true
        krb4_convert = false

[appdefaults]
        kinit = {
                renewable = true
                forwardable = true
        }
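The symptom described in the post (a user authenticates only once an account of the same name exists on the web server) mixes up three separate questions: whether the username resolves through NSS on that host, which modules the httpd/php service file actually stacks, and whether it is PAM's "auth" phase (pam_authenticate) or its "account" phase (pam_acct_mgmt) that rejects the user. The following diagnostic harness is an added example, not code from the poster, from eGroupWare or from pam_auth; it separates those questions so the failure can be reproduced outside PHP. It assumes Linux-PAM's struct layout and the library name libpam.so.0 (the conversation-callback signature differs on Solaris), and the embedded PAM stack is a constructed copy of the two lines quoted in the post rather than anything read from disk. Driving the real httpd service against a Kerberos realm normally needs to run as root and a reachable KDC, which is why the test only exercises the NSS lookup and the parser.

```python
"""PAM diagnostic harness: NSS lookup, stack parsing, and phase-by-phase probe."""
import ctypes
import ctypes.util
import getpass
import pwd

# 1. NSS lookup: the same getpwnam() that PAM modules and applications call.
def resolves_locally(user):
    """True if NSS (local passwd file, NIS, LDAP, ...) knows the user."""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False

# 2. Parse a /etc/pam.d/<service> file into (type, control, module, args).
#    Simple control words only; Linux-PAM's bracketed [value=action] syntax
#    with embedded spaces is not handled here.
def parse_pam_service(text):
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drops '#%PAM-1.0' and comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % raw)
        entries.append((fields[0], fields[1], fields[2], fields[3:]))
    return entries

# Constructed copy of the stack quoted in the post (not read from /etc/pam.d).
HTTPD_STACK = """#%PAM-1.0
auth        required    /lib/security/pam_krb5.so
account     required    /lib/security/pam_krb5.so
"""

# 3. Drive libpam directly so the failing phase is visible (Linux-PAM layout).
PAM_SUCCESS = 0
PAM_PROMPT_ECHO_OFF = 1   # password prompt
PAM_PROMPT_ECHO_ON = 2    # username prompt

class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class PamResponse(ctypes.Structure):
    _fields_ = [("resp", ctypes.c_void_p), ("resp_retcode", ctypes.c_int)]

CONV_T = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int,
                          ctypes.POINTER(ctypes.POINTER(PamMessage)),
                          ctypes.POINTER(ctypes.POINTER(PamResponse)),
                          ctypes.c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_T), ("appdata_ptr", ctypes.c_void_p)]

def pam_probe(service, user, password):
    """Return (stage, rc, message) for the first failing PAM call, or 'ok'."""
    try:
        libpam = ctypes.CDLL("libpam.so.0")
        libc = ctypes.CDLL(ctypes.util.find_library("c"))
    except OSError:
        return ("unavailable", None, "libpam.so.0 not loadable on this host")
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.c_void_p        # keep as address, PAM frees it
    libc.strdup.argtypes = [ctypes.c_char_p]
    libpam.pam_strerror.restype = ctypes.c_char_p
    libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]

    def conv(n, msgs, resp_out, _appdata):
        arr = libc.calloc(n, ctypes.sizeof(PamResponse))   # PAM frees this array
        if not arr:
            return 5                                        # PAM_BUF_ERR
        resp_out[0] = ctypes.cast(arr, ctypes.POINTER(PamResponse))
        for i in range(n):
            style = msgs[i].contents.msg_style
            if style == PAM_PROMPT_ECHO_OFF:
                resp_out[0][i].resp = libc.strdup(password.encode())
            elif style == PAM_PROMPT_ECHO_ON:
                resp_out[0][i].resp = libc.strdup(user.encode())
        return PAM_SUCCESS

    conv_cb = CONV_T(conv)                # held in a local so it is not collected
    pconv = PamConv(conv_cb, None)
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(),
                          ctypes.byref(pconv), ctypes.byref(handle))
    if rc != PAM_SUCCESS:
        return ("pam_start", rc, libpam.pam_strerror(handle, rc).decode())
    try:
        for stage in ("pam_authenticate", "pam_acct_mgmt"):
            rc = getattr(libpam, stage)(handle, 0)
            if rc != PAM_SUCCESS:
                return (stage, rc, libpam.pam_strerror(handle, rc).decode())
        return ("ok", PAM_SUCCESS, "auth and account phases both passed")
    finally:
        libpam.pam_end(handle, rc)

if __name__ == "__main__":
    import sys
    service, user = sys.argv[1], sys.argv[2]          # e.g. httpd jam6
    print("NSS resolves %r: %s" % (user, resolves_locally(user)))
    with open("/etc/pam.d/" + service) as fh:
        print("stack:", parse_pam_service(fh.read()))
    print("PAM result:", pam_probe(service, user, getpass.getpass()))
```

Run it once for a name that has no local account and once after adduser: if resolves_locally flips from False to True and the PAM result moves from a failing pam_authenticate or pam_acct_mgmt to "ok", the dependency on a local passwd entry is on the PAM side rather than in eGroupWare, and the stage name says which module phase to look at.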


More information about the Pam-list mailing list