Folks--
I'm trying to use PAM authentication (with
Kerberos) and am running into troubles.
I'm setting up eGroupWare (PHP, using pam_auth as
shown below) to use PAM authentication. I've set up the necessary
httpd/php files in /etc/pam.d with the following:
#%PAM-1.0
auth     required /lib/security/pam_krb5.so
account  required /lib/security/pam_krb5.so
(output of my /etc/krb5.conf file at the bottom)
However, when the user attempts to log in with eGW, they will only authenticate
correctly if an account of the same name exists on the local machine that
eGW is on. Even though the password that is required for them to log in is
the correct one (i.e. if the password on the local machine and the Kerberos
server are different, the Kerberos one is the one that is accepted, which is
correct behavior), I can't get them to log in unless there is an account on the
local machine. I've tried this several times now -- a person cannot log
in, so I do an adduser using the same username but a different password, and
suddenly they can log in just fine (with the password the Kerberos server is
expecting). This seems like a PAM issue, not eGW, so I'm posting it here
in the hopes that someone will know why this is the case. We're going to
be having over 1500 users authenticating against this installation of eGW (if
all goes well) so obviously creating local accounts for all of them is not a
great idea.
Thanks, everyone!
My stats: uname -a:
Linux helllp.int.valid.domain.name 2.4.18-bf2.4 #1 Son Apr 14 09:53:28 CEST
2002 i686 GNU/Linux
pam_auth 0.4 from http://www.math.ohio-state.edu/~ccunning/pam_auth/
mysql -V
/usr/bin/mysql Ver 12.22 Distrib 4.0.18, for pc-linux-gnu (i686)
apache -v
Server version: Apache/1.3.29 (Debian GNU/Linux)
Server built: Mar 10 2004 19:07:32
eGroupWare version 0.9.99.015
php -v:
PHP 4.3.4 (cli) (built: Mar 27 2004 08:04:22)
Copyright (c) 1997-2003 The PHP Group
Zend Engine v1.3.0, Copyright (c) 1998-2003 Zend Technologies
I *believe* I'm using krb5 1.3.3 and libpam 0.76-19, with libpam-krb5
1.0-8
contents of /etc/krb5.conf:
[libdefaults]
	default_realm = VALID.DOMAIN.NAME

# The following krb5.conf variables are only for MIT Kerberos.
	krb4_config = /etc/krb.conf
	krb4_realms = /etc/krb.realms
	kdc_timesync = 1
	ccache_type = 4
	forwardable = true
	proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented. In general, the defaults in the MIT Kerberos code
# are correct and overriding these specifications only serves to disable
# new encryption types as they are added, creating interoperability problems.
#
#	default_tgs_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#	default_tkt_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5
#	permitted_enctypes = aes256-cts arcfour-hmac-md5 des3-hmac-sha1 des-cbc-crc des-cbc-md5

[realms]
	VALID.DOMAIN.NAME = {
		kdc = kdc1.valid.domain.name:88
		kdc = kdc2.valid.domain.name:88
		admin_server = kdc1.valid.domain.name
		kpasswd_server = kdc1.valid.domain.name
	}

[domain_realm]

[login]
	krb4_convert = true
	krb4_get_tickets = true

[pam]
	debug = false
	ticket_lifetime = 36000
	renew_lifetime = 36000
	forwardable = true
	krb4_convert = false

[appdefaults]
	kinit = {
		renewable = true
		forwardable = true
	}
_______________________________________________ Pam-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/pam-list
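Added diagnostic, not part of the original post or of pam_auth/eGroupWare: it parses the PAM service stanza quoted in the post and checks whether each eGW user name resolves through the local passwd database (NSS, i.e. getpwnam()), which is the distinction the reported symptom turns on. It assumes, as the symptom suggests, that pam_krb5 needs the user to be resolvable locally; the user names and the injectable lookup function are constructed for illustration.

```python
import pwd
from typing import Callable, Dict, List, Tuple

# Constructed from the stanza quoted in the post (the two lines had been run together).
PAM_SERVICE_TEXT = """#%PAM-1.0
auth    required /lib/security/pam_krb5.so
account required /lib/security/pam_krb5.so
"""

PAM_TYPES = ("auth", "account", "password", "session")


def parse_pam_service(text: str) -> List[Tuple[str, str, str, List[str]]]:
    """Parse a /etc/pam.d service file into (type, control, module, args) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#%PAM-1.0' and comments drop out here
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3 or fields[0] not in PAM_TYPES:
            raise ValueError(f"malformed PAM line: {raw!r}")
        mtype, control, module, *args = fields
        entries.append((mtype, control, module, args))
    return entries


def resolves_locally(user: str, lookup: Callable[[str], object] = pwd.getpwnam) -> bool:
    """True if the passwd database (local files, nss_ldap, ...) can resolve the name."""
    try:
        lookup(user)
        return True
    except KeyError:
        return False


def classify_users(users, entries, lookup=pwd.getpwnam) -> Dict[str, str]:
    """Predict, per user, which side of the post's symptom the user falls on.
    Assumption (labelled): pam_krb5 fails when getpwnam() does not know the user."""
    uses_krb5 = any(m.endswith("pam_krb5.so") for _, _, m, _ in entries)
    outcome = {}
    for user in users:
        if not uses_krb5:
            outcome[user] = "stack does not use pam_krb5"
        elif resolves_locally(user, lookup):
            outcome[user] = "local account found: Kerberos password will decide"
        else:
            outcome[user] = "no local account: login fails even with the right Kerberos password"
    return outcome


if __name__ == "__main__":
    stack = parse_pam_service(PAM_SERVICE_TEXT)
    for name, verdict in classify_users(["root", "no-such-egw-user"], stack).items():
        print(f"{name}: {verdict}")
```

Running it against the real user list (instead of the two constructed names) shows how many of the 1500 accounts would need an NSS entry rather than a local adduser.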