Success/Fail bug when calling modules more than once?

I'm trying to implement login authentication via multiple KRB5 realms for an
application.  Currently using RedHat 7.2 with pam-0.75-19.rpm  [Let me know
what other version info might be needed!]

I'm observing some very strange behavior when using the same module more
than once.   Although the module seems to succeed (per debug messages), PAM
seems to return failure to the applications.

The following PAM file is used with success (which verifies I'm talking to
the krb server a-ok)
#%PAM-1.0
auth        required      /lib/security/pam_env.so debug
auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth        required   /lib/security/pam_deny.so debug

What I'd like to do is something like:
#%PAM-1.0
auth        required      /lib/security/pam_env.so debug
auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth        sufficient /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
auth        required   /lib/security/pam_deny.so debug

but it fails every time.

I've tried two different things, in an effort to debug WHY this happens.  My
first thought is that it'd be bad to authenticate again after getting a
success.  So I changed things to:

#%PAM-1.0
auth        required      /lib/security/pam_env.so debug
auth        [success=2 default=ok] /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth        [success=1 default=ok] /lib/security/pam_krb5.so debug realm=B.COMPANY.COM
auth        required   /lib/security/pam_deny.so debug

but that doesn't seem to work as the documentation I've seen indicates; i.e.
that we'd skip over B realm if A realm passed.  I think my ultimate solution
should be something like this, but I'm not sure where I went wrong.

So, in an effort to divide and conquer my problem, I changed to a case that
I expected to succeed: making two requests to the realm that can
authenticate the user.  Debug results from the krb module report success
both times, but PAM still returns failure!!!
#%PAM-1.0
auth        required      /lib/security/pam_env.so debug
auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth        sufficient /lib/security/pam_krb5.so debug realm=A.COMPANY.COM
auth        required   /lib/security/pam_deny.so debug

I'm not sure if I've stumbled across 1-2 bugs, or if I'm way off base.  Any
help would be appreciated!

John
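
As an added example (not part of the original post and not Linux-PAM code), the code below models how the control tokens used in the stacks above are documented to combine in pam.conf(5), covering only the `success` and `default` tokens. It is not the pam-0.75 implementation and does not model what pam_krb5 does internally; `run_stack`, `two_realm_stack`, the module labels and the per-module return codes are hypothetical, constructed inputs.

```python
# Added example: model of the documented pam.conf(5) control rules, not Linux-PAM code.
SUCCESS, AUTH_ERR = "PAM_SUCCESS", "PAM_AUTH_ERR"

# Keyword controls in their documented bracket equivalents (success/default only).
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):  # 'sufficient' or '[success=2 default=ok]' -> token dict
    if control in KEYWORDS:
        return KEYWORDS[control]
    return dict(pair.split("=", 1) for pair in control.strip("[]").split())

def run_stack(stack, results):
    """stack: [(control, label)]; results: label -> code. Returns (code, called labels)."""
    impression, status = "undef", AUTH_ERR   # nothing has vouched for the user yet
    called, skip = [], 0
    for control, label in stack:
        if skip:                              # still inside a [value=N] jump
            skip -= 1
            continue
        called.append(label)
        ret, tokens = results[label], parse_control(control)
        action = tokens["success"] if ret == SUCCESS and "success" in tokens else tokens["default"]
        if action.isdigit():
            skip = int(action)                # jump: skip N modules, status untouched
        elif action in ("ok", "done"):
            # the module's code replaces the stack's code unless a failure is recorded
            if impression == "undef" or (impression == "positive" and status == SUCCESS):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        # any other token ("ignore"): the return code does not contribute
    if status == SUCCESS and impression != "positive":
        status = AUTH_ERR                     # success needs a positive impression
    return status, called

def two_realm_stack(on_failure):  # the jump-based stack from the post, default= chosen
    return [("required", "pam_env"), (f"[success=2 default={on_failure}]", "krb5:A"),
            (f"[success=1 default={on_failure}]", "krb5:B"), ("required", "pam_deny")]
```

Under this model, `two_realm_stack("ok")` returns PAM_AUTH_ERR for a user who exists only in realm B, because `ok` lets realm A's failure code replace the earlier success, while `two_realm_stack("ignore")` lets the same user through and still denies a user known to neither realm.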