Re: PAM/Kerberos requiring local accounts
- From: "Jeff Mitchell" <jam6 cec wustl edu>
- To: "Pluggable Authentication Modules" <pam-list redhat com>
- Subject: Re: PAM/Kerberos requiring local accounts
- Date: Wed, 5 May 2004 03:53:06 -0500
Van--
Thanks for your reply!
We have a different server (a Solaris one) that runs Kerberos and uses
NIS/ypserv for account information...it's possible that we could do that on
this box as well so I may be getting back to you for help on such a setup
(though not anytime especially soon)...thank you for the offer.
I guess though that I'm not really understanding why it's necessary. For
the setup that I need this for, I'm completely uninterested as to their
account details, UIDs, GIDs, etc. I want to know only one thing: according
to the Kerberos servers, is this a correct username and password
combination? The user isn't doing anything local to the box, so they don't
even need a UID...and indeed, the function that calls the PAM authentication
with the module I'm using (called pam_auth() ) only returns one thing: true
or false.
Kerberos, I keep getting told, is for authentication only...which is exactly
why I want it. How weird then that I can't simply specify in my pam.d that
I *want* authentication and authentication only...
Jeff
----- Original Message -----
From: "Van Emery (Mei Feng)" <emeryvl iis sinica edu tw>
To: "Pluggable Authentication Modules" <pam-list redhat com>
Cc: <jam6 cec wustl edu>
Sent: Wednesday, May 05, 2004 1:04 AM
Subject: Re: PAM/Kerberos requiring local accounts
>
> Jeff,
>
> I found the same thing using mod_auth_pam with TLS on Apache 2. We are
> running Kerberos authentication in our lab.
>
> We use NIS for global UID/GID/userinfo, and Kerb for auth. If you
> comment out the "account" line in /etc/pam.d/httpd, then authentication
> fails:
>
> #%PAM-1.0
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
> auth required /lib/security/$ISA/pam_deny.so
>
> #account required /lib/security/$ISA/pam_krb5.so
>
> If I re-enable it, authentication for Kerberos users works. The next
> test I tried was with stopping the NIS servers (ypserv) on my KDCs.
> This also caused an authentication failure with mod_auth_pam.
>
> My guess is that mod_auth_pam or PAM itself needs to lookup some
> information like UID, GID, or username through the nsswitch library.
>
> We get around this issue in the lab by adding a user in both NIS and
> Kerberos. NIS handles global UID/GID/username stuff, and Kerb handles
> authentication. You can put the NIS servers on the KDCs or somewhere
> else.
>
> If you decide to try this out, I have some documentation on the setup.
>
> Hope this helps,
>
> Van
>
> --
>
> ===================================
>
> Van Emery (Mei Feng)
>
> Academia Sinica IIS
> Room 402
> Tel: 2788-3799 x1457
>
> emeryvl <at> iis.sinica.edu.tw
>
> ===================================
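An added diagnostic, not part of either message, that mirrors Van's explanation: before pam_krb5 ever asks the KDC anything it resolves the user through nsswitch (NIS, in Van's lab), and the `minimum_uid=5000` option in the quoted /etc/pam.d/httpd additionally makes the module ignore any UID below that threshold. The function below reproduces both preconditions against a constructed passwd-style snapshot standing in for what `getent passwd` would return; the usernames and UIDs in it are made up.

```shell
#!/bin/sh
# Added example: emulate the two lookups pam_krb5 performs before contacting
# the KDC, against a constructed passwd snapshot instead of live NIS/nsswitch.

# Constructed sample of what `getent passwd` might return from NIS.
PASSWD_SNAPSHOT=$(cat <<'EOF'
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
alice:x:5001:5001:Alice Example:/home/alice:/bin/sh
bob:x:1002:1002:Bob Example:/home/bob:/bin/sh
EOF
)

# pam_krb5_precheck USER MINIMUM_UID
# Prints a one-line verdict and returns 0 only when the KDC check would run:
#   1 = user not resolvable through nsswitch (the failure Jeff and Van hit)
#   2 = user resolvable but below minimum_uid (pam_krb5 ignores the user)
pam_krb5_precheck() {
    user=$1
    min_uid=$2
    entry=$(printf '%s\n' "$PASSWD_SNAPSHOT" |
        awk -F: -v u="$user" '$1 == u { print; exit }')
    if [ -z "$entry" ]; then
        echo "$user: no passwd entry via nsswitch; pam_krb5 fails before reaching the KDC"
        return 1
    fi
    uid=$(printf '%s\n' "$entry" | cut -d: -f3)
    if [ "$uid" -lt "$min_uid" ]; then
        echo "$user: uid $uid is below minimum_uid=$min_uid; pam_krb5 ignores this user"
        return 2
    fi
    echo "$user: uid $uid resolves and passes minimum_uid; KDC check would proceed"
    return 0
}
```

Run it as `pam_krb5_precheck alice 5000` for a user that would reach the KDC, or with `bob` / an unknown name to see the two ways the stack falls through to pam_deny without a Kerberos exchange ever happening.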