I've got sshd successfully authenticating via pam_krb5. My /etc/pam.d/ssh reads:
auth required pam_nologin.so
auth required pam_env.so
auth sufficient pam_unix.so
auth required pam_krb5.so use_first_pass
account required pam_unix.so
session required pam_unix.so
session optional pam_motd.so
session optional pam_mail.so standard noenv
session required pam_limits.so
Now, I'm trying to do the same with apache2. I've got the following in /etc/pam.d/apache2:
auth sufficient pam_unix.so
auth required pam_krb5.so debug use_first_pass
account required pam_unix.so
Which should behave identically, right? I can see the error from the sufficient pam_unix pop up in auth.log, I can see the debug output from pam_krb5 say:
apache2: pam_krb5: pam_sm_authenticate(apache2 alexey): entry:
apache2: pam_krb5: verify_krb_v5_tgt(): krb5_kt_read_service_key(): No such file or directory
apache2: pam_krb5: pam_sm_authenticate(apache2 alexey): exit: success
And then apache returns 401 (Auth Required) and logs:
[error] [client 127.0.0.1] PAM: user 'alexey' - invalid account: Authentication service cannot retrieve authentication info.
I've also tried omitting the initial auth pam_unix, but the only difference is that the failure message from pam_unix is not printed; otherwise the behavior is identical.
WTF? Is there some additional logging I can turn on? How can I even figure out if this is a PAM or an apache problem?
Alexey
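
Added example (not part of the original post and not code from PAM or Apache): a small parser and simplified control-flag evaluator for the /etc/pam.d/apache2 file quoted above, showing that the auth and account stacks are decided separately. The names `parse_pam`, `run_stack` and `simulate` are hypothetical, and the failing account result for pam_unix is an assumption chosen to match the "invalid account" log line.

```python
# Constructed from the /etc/pam.d/apache2 contents quoted in the post.
APACHE2_PAM = """\
auth sufficient pam_unix.so
auth required pam_krb5.so debug use_first_pass
account required pam_unix.so
"""

def parse_pam(text):
    """Return {phase: [(control, module, args), ...]} for a pam.d service file."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        phase, control, module, *args = line.split()
        stacks.setdefault(phase, []).append((control, module, args))
    return stacks

def run_stack(stack, results):
    """Evaluate one phase. results maps module name -> True/False.
    Simplified model of the required/requisite/sufficient/optional flags."""
    failed = succeeded = False
    for control, module, _args in stack:
        ok = results[module]
        if control == "requisite" and not ok:
            return False                      # fail immediately
        if control == "required" and not ok:
            failed = True                     # remember, keep running the stack
        if control == "sufficient" and ok and not failed:
            return True                       # success ends the stack early
        if ok and control in ("required", "requisite", "optional"):
            succeeded = True
        # a failing "sufficient" or "optional" module is ignored
    return succeeded and not failed

def simulate(text, auth_results, account_results):
    """Evaluate the auth and account phases independently."""
    stacks = parse_pam(text)
    return {"auth": run_stack(stacks["auth"], auth_results),
            "account": run_stack(stacks["account"], account_results)}

if __name__ == "__main__":
    # auth results as reported in the post: pam_unix fails, pam_krb5 exits success.
    # account result is an ASSUMPTION matching the "invalid account" error.
    print(simulate(APACHE2_PAM,
                   {"pam_unix.so": False, "pam_krb5.so": True},
                   {"pam_unix.so": False}))
```

With these inputs the auth phase passes while the account phase fails, so a successful pam_krb5 authenticate call does not by itself decide the request.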