Van--

Thanks for your reply! We have a different server (a Solaris one) that runs Kerberos and uses NIS/ypserv for account information...it's possible that we could do that on this box as well so I may be getting back to you for help on such a setup (though not anytime especially soon)...thank you for the offer.

I guess though that I'm not really understanding why it's necessary. For the setup that I need this for, I'm completely uninterested as to their account details, UIDs, GIDs, etc. I want to know only one thing: according to the Kerberos servers, is this a correct username and password combination? The user isn't doing anything local to the box, so they don't even need a UID...and indeed, the function that calls the PAM authentication with the module I'm using (called pam_auth() ) only returns one thing: true or false. Kerberos, I keep getting told, is for authentication only...which is exactly why I want it. How weird then that I can't simply specify in my pam.d that I *want* authentication and authentication only...

Jeff

----- Original Message -----
From: "Van Emery (Mei Feng)" <emeryvl@xxxxxxxxxxxxxxxxx>
To: "Pluggable Authentication Modules" <pam-list@xxxxxxxxxx>
Cc: <jam6@xxxxxxxxxxxxx>
Sent: Wednesday, May 05, 2004 1:04 AM
Subject: Re: PAM/Kerberos requiring local accounts

> Jeff,
>
> I found the same thing using mod_auth_pam with TLS on Apache 2. We are
> running Kerberos authentication in our lab.
>
> We use NIS for global UID/GID/userinfo, and Kerb for auth. If you
> comment out the "account" line in /etc/pam.d/httpd, then authentication
> fails:
>
> #%PAM-1.0
>
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_krb5.so minimum_uid=5000
> auth required /lib/security/$ISA/pam_deny.so
>
> #account required /lib/security/$ISA/pam_krb5.so
>
> If I re-enable it, authentication for Kerberos users works. The next
> test I tried was with stopping the NIS servers (ypserv) on my KDCs.
> This also caused an authentication failure with mod_auth_pam.
>
> My guess is that mod_auth_pam or PAM itself needs to lookup some
> information like UID, GID, or username through the nsswitch library.
>
> We get around this issue in the lab by adding a user in both NIS and
> Kerberos. NIS handles global UID/GID/username stuff, and Kerb handles
> authentication. You can put the NIS servers on the KDCs or somewhere
> else.
>
> If you decide to try this out, I have some documentation on the setup.
>
> Hope this helps,
>
> Van
>
> --
> ===================================
> Van Emery (Mei Feng)
> Academia Sinica IIS
> Room 402
> Tel: 2788-3799 x1457
> emeryvl <at> iis.sinica.edu.tw
> ===================================

_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
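As an added example (not code from the thread or from Linux-PAM itself), a small model of how Linux-PAM combines the control flags in the httpd stack quoted above, so the effect of commenting out the "account" line can be traced; `run_stack`, `httpd_login` and the stack constants are the example's own names, and the behaviour attributed to pam_krb5's minimum_uid option is an assumption noted in the code.

```python
# Added example (not from the thread): a model of Linux-PAM's control-flag
# stacking, run over the /etc/pam.d/httpd lines quoted above. Return codes
# follow <security/_pam_types.h>.
from typing import Dict, List, Tuple

PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10
Stack = List[Tuple[str, str]]  # (control flag, module) per pam.d line


def run_stack(stack: Stack, results: Dict[str, int]) -> int:
    """Apply required/requisite/sufficient/optional rules; results maps
    module -> return code (modules not listed succeed). Linux-PAM treats a
    management group with no modules as a failure ("no modules loaded"),
    which is what an all-commented account section produces."""
    if not stack:
        return PAM_PERM_DENIED
    first_failure = None
    for control, module in stack:
        rc = results.get(module, PAM_SUCCESS)
        if control == "requisite" and rc != PAM_SUCCESS:
            return rc  # stop immediately
        if control == "required" and rc != PAM_SUCCESS and first_failure is None:
            first_failure = rc  # remembered; later modules still run
        if control == "sufficient" and rc == PAM_SUCCESS and first_failure is None:
            return PAM_SUCCESS  # short-circuit only if nothing has failed yet
        # "optional" never decides the outcome
    return PAM_SUCCESS if first_failure is None else first_failure


# The quoted httpd stack, with and without its "account" line.
AUTH = [("required", "pam_env"), ("sufficient", "pam_krb5"), ("required", "pam_deny")]
ACCOUNT_KRB5: Stack = [("required", "pam_krb5")]
ACCOUNT_COMMENTED_OUT: Stack = []


def httpd_login(krb5_auth_rc: int, account: Stack, krb5_acct_rc: int = PAM_SUCCESS) -> bool:
    """mod_auth_pam's effective sequence: pam_authenticate(), then pam_acct_mgmt()."""
    if run_stack(AUTH, {"pam_krb5": krb5_auth_rc, "pam_deny": PAM_AUTH_ERR}) != PAM_SUCCESS:
        return False
    return run_stack(account, {"pam_krb5": krb5_acct_rc}) == PAM_SUCCESS


if __name__ == "__main__":
    print(httpd_login(PAM_SUCCESS, ACCOUNT_KRB5))           # True: both phases pass
    print(httpd_login(PAM_SUCCESS, ACCOUNT_COMMENTED_OUT))  # False: empty account stack
    # Assumption: with minimum_uid set, pam_krb5 looks the user up through
    # nsswitch (NIS here) first, so a user absent from NIS reads as unknown
    # to PAM even when the KDC would accept the password.
    print(httpd_login(PAM_USER_UNKNOWN, ACCOUNT_KRB5))      # False
```

The second call is the case Van describes: the password is right, but pam_acct_mgmt() has nothing to run and the whole login is refused.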