What am I doing wrong?
Alexey Toptygin
alexeyt at freeshell.org
Sat Nov 27 03:45:29 UTC 2004
I've got sshd successfully authenticating via pam_krb5. My /etc/pam.d/ssh
reads:
    auth required pam_nologin.so
    auth required pam_env.so
    auth sufficient pam_unix.so
    auth required pam_krb5.so use_first_pass
    account required pam_unix.so
    session required pam_unix.so
    session optional pam_motd.so
    session optional pam_mail.so standard noenv
    session required pam_limits.so
Now, I'm trying to do the same with apache2. I've got the following in
/etc/pam.d/apache2:
    auth sufficient pam_unix.so
    auth required pam_krb5.so debug use_first_pass
    account required pam_unix.so
Which should behave identically, right? I can see the error from the
sufficient pam_unix pop up in auth.log, I can see the debug output from
pam_krb5 say:
    apache2: pam_krb5: pam_sm_authenticate(apache2 alexey): entry:
    apache2: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): No such file or directory
    apache2: pam_krb5: pam_sm_authenticate(apache2 alexey): exit: success
And then apache returns 401 (Auth Required) and logs:
    [error] [client 127.0.0.1] PAM: user 'alexey' - invalid account:
    Authentication service cannot retrieve authentication info.
I've also tried omitting the initial auth pam_unix, but the only
difference is that the failure message from pam_unix is not printed;
otherwise the behavior is identical.
WTF? Is there some additional logging I can turn on? How can I even figure
out if this is a PAM or an apache problem?
Alexey
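
An added example, not part of the original post: a simplified Python model of how Linux-PAM combines `required` and `sufficient` module results per management group, run on the /etc/pam.d/apache2 stack quoted above to show that the auth and account phases are decided separately. The two pam_unix return codes are assumptions (PAM_AUTHINFO_UNAVAIL is the code whose standard message matches the text in the Apache error line), and the helper names are hypothetical.

```python
# Added example: simplified model of how Linux-PAM combines module results.
# Only the "required" and "sufficient" control flags are modelled.
APACHE2_STACK = """\
auth sufficient pam_unix.so
auth required pam_krb5.so debug use_first_pass
account required pam_unix.so
"""

# Module results. pam_krb5 success is from the debug log in the post; the
# other two codes are assumptions (the post shows only the message texts).
OBSERVED = {
    ("auth", "pam_unix.so"): "PAM_AUTH_ERR",
    ("auth", "pam_krb5.so"): "PAM_SUCCESS",
    ("account", "pam_unix.so"): "PAM_AUTHINFO_UNAVAIL",
}

def parse_stack(text):
    """Parse pam.d-style lines into {group: [(control, module), ...]}."""
    stack = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3:
            stack.setdefault(fields[0], []).append((fields[1], fields[2]))
    return stack

def run_group(stack, group, results):
    """Return the code the application would get back for one group."""
    status = None  # None = no module has decided anything yet
    for control, module in stack.get(group, []):
        rc = results[(group, module)]
        if control not in ("required", "sufficient"):
            raise ValueError("control flag not modelled: " + control)
        if rc == "PAM_SUCCESS":
            if status is None:
                status = rc
            if control == "sufficient" and status == "PAM_SUCCESS":
                return status  # stop early, later modules are skipped
        elif control == "required" and status in (None, "PAM_SUCCESS"):
            status = rc  # first required failure decides; stack keeps running
        # a failing "sufficient" module is ignored
    return status or "PAM_PERM_DENIED"  # nothing decided: fail closed

def first_failure(stack, results, groups=("auth", "account")):
    """Walk the groups in the order a service calls them; report the first failure."""
    for group in groups:
        rc = run_group(stack, group, results)
        if rc != "PAM_SUCCESS":
            return group, rc
    return None
```
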