[389-users] PAM Pass Through- PAM succeeds but 389 fails?

Sam Harmon samuel.harmon at gmail.com
Tue Aug 30 17:19:24 UTC 2011 

Hello,

  I'm trying to configure a 389 instance to pass authentication to our Kerberos server using the PAM Pass Through plugin. As far as I can tell, the authentication is happening correctly in PAM, but it's getting refused by the 389 server. I've included the relevant configurations and some log file snippets of an example authentication. 

Has anyone seen a problem like this before? Do I have a problem in my configuration? 


Thanks,

Sam


My pass through auth config from dse.ldif:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamIncludeSuffix: o=isp
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: TRUE
pamSecure: FALSE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin


Here is the PAM configuration file I'm using (/etc/pam.d/ldapserver):

auth        sufficient    /lib64/security/pam_krb5.so force_first_pass forwardable debug no_user_check ignore_k5login no_initial_prompt

password    sufficient    /lib64/security/pam_krb5.so use_authtok

session     optional      /lib64/security/pam_krb5.so



Here's the PAM log from an attempted authentication:

Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: configured realm 'INS.CWRU.EDU'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flags: forwardable
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no ignore_afs
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no krb4_convert
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: krb4_convert_524
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: krb4_use_as_req
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: will try previously set password first
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: will let libkrb5 ask questions
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no use_shmem
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no external
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no multiple_ccaches
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: validate
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: warn
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: ticket lifetime: 0
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: renewable lifetime: 0
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: banner: Kerberos 5
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: ccache dir: /tmp
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: keytab: FILE:/etc/krb5.keytab
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: called to authenticate 'sdh7', realm 'INS.CWRU.EDU'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authenticating 'sdh7 at INS.CWRU.EDU'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: not using an entered password for 'sdh7', allowing libkrb5 to prompt for more
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authenticating 'sdh7 at INS.CWRU.EDU' to 'krbtgt/INS.CWRU.EDU at INS.CWRU.EDU'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: libkrb5 asked for long-term password, replacing prompt text with generic prompt
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: krb5_get_init_creds_password(krbtgt/INS.CWRU.EDU at INS.CWRU.EDU) returned 0 (Success)
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: validating credentials
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: error reading keytab 'FILE:/etc/krb5.keytab'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: TGT verified
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: got result 0 (Success)
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authentication succeeds for 'sdh7' (sdh7 at INS.CWRU.EDU)
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: pam_authenticate returning 0 (Success)

And here is the 389 error log from the same auth:

[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - => pam_passthru_bindpreop
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - pam msg [0] = 1 Password:
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Error from PAM during pam_acct_mgmt (7: Authentication failure)
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Invalid PAM password for user id [sdh7], bind DN [uid=sdh7,ou=pe
ople,o=cwru.edu,o=isp][30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - <= handled (error 49 - Invalid credentials)
[30/Aug/2011:12:55:44 -0400] passthru-plugin - => passthru_bindpreop[30/Aug/2011:12:55:44 -0400] passthru-plugin - <= not handled (not one of our suffixes)

More information about the 389-users mailing list