PAM/Kerberos requiring local accounts

Van Emery (Mei Feng) emeryvl at iis.sinica.edu.tw
Wed May 5 06:04:52 UTC 2004
>I've tried dropping the account required line on both the php and httpd
>files in /etc/pam.d, but that doesn't help.  I've also tried changing
>common-auth so that the first line is
>auth    sufficient      pam_krb5.so
>but this doesn't work either.  I don't need any login information...
>(Mail authentication works, for instance, even though it doesn't return
>login information, but I'm not sure how secure it is)...I *just* need to
>know if the username and password are valid on the domain specified in
>my krb5.conf file.
>
>Any other ideas?
>
>Thanks,
>Jeff

Jeff,

I found the same thing using mod_auth_pam with TLS on Apache 2.  We are
running Kerberos authentication in our lab.

We use NIS for global UID/GID/userinfo, and Kerb for auth.  If you
comment out the "account" line in /etc/pam.d/httpd, then authentication
fails:

#%PAM-1.0

auth        required    /lib/security/$ISA/pam_env.so
auth        sufficient  /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth        required    /lib/security/$ISA/pam_deny.so

#account     required    /lib/security/$ISA/pam_krb5.so

If I re-enable it, authentication for Kerberos users works.  The next
test I tried was with stopping the NIS servers (ypserv) on my KDCs.
This also caused an authentication failure with mod_auth_pam.

My guess is that mod_auth_pam or PAM itself needs to lookup some
information like UID, GID, or username through the nsswitch library.

We get around this issue in the lab by adding a user in both NIS and
Kerberos.  NIS handles global UID/GID/username stuff, and Kerb handles
authentication.  You can put the NIS servers on the KDCs or somewhere
else.

If you decide to try this out, I have some documentation on the setup.

Hope this helps,

Van
-- 

===================================

       Van Emery (Mei Feng)

       Academia Sinica IIS
       Room 402
       Tel: 2788-3799 x1457

     emeryvl <at> iis.sinica.edu.tw

===================================
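The behaviour Van describes (auth succeeds only while an "account" line exists, and breaks when the NIS servers go away) follows from two things: Linux-PAM treats a management group with no modules as a denial, and pam_krb5 has to resolve the user's UID through nsswitch before it can apply minimum_uid=5000. The following model, added here as an example and not code from the original post or from any PAM module, parses the /etc/pam.d/httpd file shown above and evaluates it with the required/requisite/sufficient control-flag rules; the NIS passwd map, the "KDC" password table and the module results are constructed stand-ins for the real lookups.

```python
"""Toy model of Linux-PAM stack evaluation for the /etc/pam.d/httpd above.
Added example; module behaviour and lookup tables are constructed assumptions."""

SUCCESS, IGNORE, AUTH_ERR, USER_UNKNOWN, PERM_DENIED = (
    "PAM_SUCCESS", "PAM_IGNORE", "PAM_AUTH_ERR", "PAM_USER_UNKNOWN", "PAM_PERM_DENIED")

# Constructed stand-in for the NIS passwd map consulted through nsswitch.
NIS_PASSWD = {"root": 0, "alice": 5001, "bob": 5002}
# Constructed stand-in for the KDC (principal -> password).  A real module
# would obtain a ticket from the KDC rather than compare strings.
KDC = {"alice": "correct horse", "bob": "battery staple"}


def parse_pam_config(text):
    """Parse pam.d lines into (type, control, module, {arg: value}) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        mgmt, control, path, *args = line.split()
        opts = {}
        for arg in args:
            key, _, value = arg.partition("=")
            opts[key] = value or True
        entries.append((mgmt, control, path.rsplit("/", 1)[-1], opts))
    return entries


def run_module(module, mgmt, opts, user, password, nis_up):
    """Simulated module results.  Assumption: pam_krb5 must resolve the UID
    (getpwnam via nsswitch) to honour minimum_uid, so an NSS outage fails it."""
    if module == "pam_env.so":
        return SUCCESS                      # only sets environment variables
    if module == "pam_deny.so":
        return PERM_DENIED                  # always fails
    if module == "pam_krb5.so":
        uid = NIS_PASSWD.get(user) if nis_up else None
        if uid is None:
            return USER_UNKNOWN             # NIS down or user not in the map
        if uid < int(opts.get("minimum_uid", 0)):
            return IGNORE                   # below minimum_uid: step aside
        if mgmt == "auth":
            return SUCCESS if KDC.get(user) == password else AUTH_ERR
        return SUCCESS                      # account: principal is valid here
    raise ValueError(f"unmodelled module {module}")


def run_stack(entries, mgmt, user, password, nis_up=True):
    """Apply control-flag semantics.  An empty stack, or one where every
    module returned PAM_IGNORE, is denied: commenting out the only
    'account' line therefore turns every login into a denial."""
    first_failure, acted = None, False
    for _, control, module, opts in (e for e in entries if e[0] == mgmt):
        result = run_module(module, mgmt, opts, user, password, nis_up)
        if result == IGNORE:
            continue
        acted, ok = True, result == SUCCESS
        if control == "requisite" and not ok:
            return result                   # fail immediately
        if control == "required" and not ok and first_failure is None:
            first_failure = result          # remember, keep running the stack
        if control == "sufficient" and ok and first_failure is None:
            return SUCCESS                  # short-circuit success
        # 'optional' and a failed 'sufficient' do not affect the outcome
    if not acted:
        return PERM_DENIED
    return first_failure or SUCCESS


def authenticate(config_text, user, password, nis_up=True):
    """Run the auth stack, then the account stack, as mod_auth_pam does."""
    entries = parse_pam_config(config_text)
    for mgmt in ("auth", "account"):
        result = run_stack(entries, mgmt, user, password, nis_up)
        if result != SUCCESS:
            return (mgmt, result)
    return ("ok", SUCCESS)


HTTPD_WITH_ACCOUNT = """\
#%PAM-1.0
auth        required    /lib/security/$ISA/pam_env.so
auth        sufficient  /lib/security/$ISA/pam_krb5.so minimum_uid=5000
auth        required    /lib/security/$ISA/pam_deny.so
account     required    /lib/security/$ISA/pam_krb5.so
"""
# Same file with the account line commented out, as in the failing test.
HTTPD_NO_ACCOUNT = HTTPD_WITH_ACCOUNT.replace("account ", "#account ")

if __name__ == "__main__":
    cases = [("account line present", HTTPD_WITH_ACCOUNT, "alice", "correct horse", True),
             ("account line commented", HTTPD_NO_ACCOUNT, "alice", "correct horse", True),
             ("NIS servers down", HTTPD_WITH_ACCOUNT, "alice", "correct horse", False),
             ("root below minimum_uid", HTTPD_WITH_ACCOUNT, "root", "anything", True)]
    for label, cfg, user, pw, nis in cases:
        print(f"{label:24} -> {authenticate(cfg, user, pw, nis)}")
```

In this model the wrong-password and NIS-down cases both end at pam_deny with PAM_PERM_DENIED, which matches what mod_auth_pam reports as a plain authentication failure and explains why the two look identical from the web server's side; the empty account stack denies even after a correct password. Running the real module with `debug` in the pam_krb5 line and reading syslog is the way to tell the two apart on a live system.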