PAM modules violating PAM architecture?, e.g. mod_auth_pam
Jed Donnelley
jed at nersc.gov
Sat Oct 9 01:53:54 UTC 2004
At 12:02 AM 10/7/2004, Jason Clifford wrote:
>On Wed, 6 Oct 2004, Jed Donnelley wrote:
>
> > The bottom line is the way mod_auth_pam is coded, getpwnam and
> > getrgnam must function for the users/groups that I want to authenticate
> > from apache with mod_auth_pam. For those functions to work for those
> > users/groups the users/groups must appear as if they are in
> > /etc/passwd and /etc/group - e.g. by use of lib_nss and nss_ldap.
>
>This must be something either introduced in the 2.0 version or the way
>you've implemented it.
>
>I have mod_auth_pam for apache 1.3
I'm also using mod_auth_pam for apache 1.3.
>authenticating users via pam_radius and
>those users don't exist anywhere except on the radius server which is on
>another box.
Are you doing group authentication from groups on the radius server?
What does your /etc/nsswitch.conf file look like?
Have you looked at mod_auth_pam.c? What do you see at lines
418 and 464?
Do: $ getent group <groupname>
for a group that exists on your radius server and shouldn't exist
locally on the box. Do you see the group?
For some user that's on the radius server but not on the box,
run this little perl script as:
./getpwnam.pl <username>
and see what you get:
#!/usr/bin/perl
# Simple routine to accept a single argument, get its password entry, and
# print out the results
use strict;
use warnings;

die "usage: $0 <username>\n" unless @ARGV == 1;

my ($name,$passwd,$uid,$gid,$quota,$comment,$gcos,$dir,$shell) =
    getpwnam($ARGV[0]);

# getpwnam() returns an empty list when NSS (per /etc/nsswitch.conf)
# cannot resolve the name; say so instead of printing blank fields
unless (defined $name) {
    print "no passwd entry for '$ARGV[0]' via getpwnam\n";
    exit 1;
}

print <<_EOT;
name = $name
passwd = $passwd
uid = $uid
gid = $gid
quota = $quota
comment = $comment
gcos = $gcos
dir = $dir
shell = $shell
_EOT
exit;
Do you get anything? I don't see how there can be any ambiguity about
what's going on here. Perhaps there are some differences in configurations
and needs?
--Jed http://www.nersc.gov/~jed/
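The same diagnostic extended to the group side, as an added example that is not part of the original post: it runs the getpwnam() and getgrnam() lookups mod_auth_pam depends on and reports whether NSS resolves both names and whether the user is a member of the group. The membership rule (listed in the group's member list, or the group is the user's primary group) and the sample passwd/group data are assumptions, not taken from mod_auth_pam.c.

```python
import pwd
import grp

def resolve_for_mod_auth_pam(user, group, getpwnam=pwd.getpwnam, getgrnam=grp.getgrnam):
    """Run the two NSS lookups mod_auth_pam depends on and report the result.

    A None entry means the name is not visible through NSS (nsswitch.conf),
    so the getpwnam()/getgrnam() calls in mod_auth_pam would fail for it
    regardless of what the PAM stack itself (e.g. pam_radius) would accept.
    """
    report = {"user": None, "group": None, "member": False}
    try:
        pw = getpwnam(user)
    except KeyError:          # pwd.getpwnam raises KeyError on an unknown name
        return report
    report["user"] = {"uid": pw.pw_uid, "gid": pw.pw_gid, "dir": pw.pw_dir, "shell": pw.pw_shell}
    try:
        gr = getgrnam(group)
    except KeyError:
        return report
    report["group"] = {"gid": gr.gr_gid, "members": list(gr.gr_mem)}
    # Membership rule assumed here: named in the group's member list, or the
    # group is the user's primary group. Check mod_auth_pam.c for its own rule.
    report["member"] = user in gr.gr_mem or gr.gr_gid == pw.pw_gid
    return report

# Constructed sample NSS data so the check can be exercised without a real
# nss_ldap or radius setup; these accounts are made up for this example.
class _Pw:
    def __init__(self, name, uid, gid):
        self.pw_name, self.pw_uid, self.pw_gid = name, uid, gid
        self.pw_dir, self.pw_shell = "/home/" + name, "/bin/sh"

class _Gr:
    def __init__(self, name, gid, mem):
        self.gr_name, self.gr_gid, self.gr_mem = name, gid, list(mem)

_SAMPLE_PASSWD = {"alice": _Pw("alice", 5001, 5000), "bob": _Pw("bob", 5002, 5000)}
_SAMPLE_GROUP = {"webadmins": _Gr("webadmins", 6000, ["alice"]), "staff": _Gr("staff", 5000, [])}

def sample_getpwnam(name):
    return _SAMPLE_PASSWD[name]   # KeyError on a miss, like pwd.getpwnam

def sample_getgrnam(name):
    return _SAMPLE_GROUP[name]    # KeyError on a miss, like grp.getgrnam

if __name__ == "__main__":
    import sys
    # Against the live NSS configuration: ./nsscheck.py <username> <groupname>
    print(resolve_for_mod_auth_pam(sys.argv[1], sys.argv[2]))
```

Run it with the same user and group you pass to mod_auth_pam; a None for either name reproduces the failure Jed describes even when the PAM module itself would accept the credentials.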