[389-users] PAM Pass Through- PAM succeeds but 389 fails?

Paul Robert Marino pmarino at snap-interactive.com
Tue Aug 30 17:34:56 UTC 2011 

Just out of curiosity if you are using Kerberos why are you using pam  
instead of GSSAPI

On 8/30/2011 1:19 PM, Sam Harmon wrote:
> Hello,
>
>    I'm trying to configure a 389 instance to pass authentication to our Kerberos server using the PAM Pass Through plugin. As far as I can tell, the authentication is happening correctly in PAM, but it's getting refused by the 389 server. I've included the relevant configurations and some log file snippets of an example authentication.
>
> Has anyone seen a problem like this before? Do I have a problem in my configuration?
>
>
> Thanks,
>
> Sam
>
>
> My pass through auth config from dse.ldif:
>
> dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: pamConfig
> cn: PAM Pass Through Auth
> nsslapd-pluginPath: libpam-passthru-plugin
> nsslapd-pluginInitfunc: pam_passthruauth_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginloadglobal: true
> nsslapd-plugin-depends-on-type: database
> pamMissingSuffix: ALLOW
> pamIncludeSuffix: o=isp
> pamExcludeSuffix: cn=config
> pamIDMapMethod: RDN
> pamIDAttr: notUsedWithRDNMethod
> pamFallback: TRUE
> pamSecure: FALSE
> pamService: ldapserver
> nsslapd-pluginId: pam_passthruauth
> nsslapd-pluginVersion: 1.2.2
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: PAM pass through authentication plugin
>
>
> Here is the PAM configuration file I'm using (/etc/pam.d/ldapserver):
>
> auth        sufficient    /lib64/security/pam_krb5.so force_first_pass forwardable debug no_user_check ignore_k5login no_initial_prompt
>
> password    sufficient    /lib64/security/pam_krb5.so use_authtok
>
> session     optional      /lib64/security/pam_krb5.so
>
>
>
> Here's the PAM log from an attempted authentication:
>
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: configured realm 'INS.CWRU.EDU'
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flags: forwardable
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no ignore_afs
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no krb4_convert
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: krb4_convert_524
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: krb4_use_as_req
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: will try previously set password first
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: will let libkrb5 ask questions
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no use_shmem
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no external
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no multiple_ccaches
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: validate
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: warn
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: ticket lifetime: 0
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: renewable lifetime: 0
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: banner: Kerberos 5
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: ccache dir: /tmp
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: keytab: FILE:/etc/krb5.keytab
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: called to authenticate 'sdh7', realm 'INS.CWRU.EDU'
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authenticating 'sdh7 at INS.CWRU.EDU'
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: not using an entered password for 'sdh7', allowing libkrb5 to prompt for more
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authenticating 'sdh7 at INS.CWRU.EDU' to 'krbtgt/INS.CWRU.EDU at INS.CWRU.EDU'
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: libkrb5 asked for long-term password, replacing prompt text with generic prompt
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: krb5_get_init_creds_password(krbtgt/INS.CWRU.EDU at INS.CWRU.EDU) returned 0 (Success)
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: validating credentials
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: error reading keytab 'FILE:/etc/krb5.keytab'
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: TGT verified
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: got result 0 (Success)
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authentication succeeds for 'sdh7' (sdh7 at INS.CWRU.EDU)
> Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: pam_authenticate returning 0 (Success)
>
> And here is the 389 error log from the same auth:
>
> [30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - =>  pam_passthru_bindpreop
> [30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - pam msg [0] = 1 Password:
> [30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Error from PAM during pam_acct_mgmt (7: Authentication failure)
> [30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Invalid PAM password for user id [sdh7], bind DN [uid=sdh7,ou=pe
> ople,o=cwru.edu,o=isp][30/Aug/2011:12:55:44 -0400] pam_passthru-plugin -<= handled (error 49 - Invalid credentials)
> [30/Aug/2011:12:55:44 -0400] passthru-plugin - =>  passthru_bindpreop[30/Aug/2011:12:55:44 -0400] passthru-plugin -<= not handled (not one of our suffixes)
>
> --
> 389 users mailing list
> 389-users at lists.fedoraproject.org
> https://admin.fedoraproject.org/mailman/listinfo/389-users

More information about the 389-users mailing list