Pam NIS authentication

Hi,

I'm trying to configure Postgres to authenticate NIS users through pam.

Here is my setup:

Server version:
PostgreSQL 15.2 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18), 64-bit

Relevant pg_hba lines:
host    all             psql            all                     md5
host    all             all             all                     pam

PAM:
/etc/pam.d/postgresql
#%PAM-1.0
auth            include         password-auth
account         include         password-auth

/etc/pam.d/password-auth
# Generated by authselect on Wed Jan 31 12:48:13 2024
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        sufficient                                   pam_unix.so nullok
auth        required                                     pam_deny.so

account     required                                     pam_unix.so broken_shadow

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok nis
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so

Pam service seems to be okay, i.e. if I provide the correct pass, it lets me through with both local and NIS accounts:
% pamtester -v postgresql <localuser> authenticate
pamtester: invoking pam_start(postgresql, <localuser>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated

% pamtester -v postgresql <nisuser> authenticate
pamtester: invoking pam_start(postgresql, <nisuser>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated


Users exist in Postgres with login permission, required NIS daemons are up and running, tools like ypwhich or ypcat are working fine.
But when I try to connect to Postgres server using NIS account, authentication fails:
psql: error: connection to server at "<hostname>" (10.65.31.25), port 5432 failed: FATAL:  PAM authentication failed for user "<nisuser>"

Server logs:
[52] DEBUG:  forked new backend, pid=564 socket=10
[564] DEBUG:  InitPostgres
[564] DEBUG:  my backend ID is 3
[564] DEBUG:  StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
[564] DEBUG:  shmem_exit(0): 4 before_shmem_exit callbacks to make
[564] DEBUG:  shmem_exit(0): 6 on_shmem_exit callbacks to make
[564] DEBUG:  proc_exit(0): 2 callbacks to make
[564] DEBUG:  exit(0)
[564] DEBUG:  shmem_exit(-1): 0 before_shmem_exit callbacks to make
[564] DEBUG:  shmem_exit(-1): 0 on_shmem_exit callbacks to make
[564] DEBUG:  proc_exit(-1): 0 callbacks to make
[52] DEBUG:  reaping dead processes
[52] DEBUG:  server process (PID 564) exited with exit code 0
[52] DEBUG:  forked new backend, pid=566 socket=10
[566] DEBUG:  InitPostgres
[566] DEBUG:  my backend ID is 3
[566] DEBUG:  StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
[566] DEBUG:  received password packet
[566] LOG:  pam_authenticate failed: Authentication failure
[566] FATAL:  PAM authentication failed for user "<nisuser>"
[566] DETAIL:  Connection matched pg_hba.conf line 105: "host    all             all             all                     pam"
[566] DEBUG:  shmem_exit(1): 4 before_shmem_exit callbacks to make
[566] DEBUG:  shmem_exit(1): 6 on_shmem_exit callbacks to make
[566] DEBUG:  proc_exit(1): 2 callbacks to make
[566] DEBUG:  exit(1)
[566] DEBUG:  shmem_exit(-1): 0 before_shmem_exit callbacks to make
[566] DEBUG:  shmem_exit(-1): 0 on_shmem_exit callbacks to make
[566] DEBUG:  proc_exit(-1): 0 callbacks to make
[52] DEBUG:  reaping dead processes
[52] DEBUG:  server process (PID 566) exited with exit code 1

Secure log:
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): conversation failed
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): auth could not identify password for [<nisuser>]
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=10.65.31.25

All of this works fine for 'local' Linux accounts.

Am I missing something?

thanks,

-- 
wbr,
   Andrey
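
An added example, not part of the original message: a Python triage script that groups the pam_unix lines from the secure log above by backend PID, separating the attempt that ended in "conversation failed" from the one that reached the password check and logged "user unknown". The sample lines are constructed from the post with `nisuser` in place of the redacted account name, and the outcome labels are this example's own names.

```python
import re
from collections import OrderedDict

# Constructed sample, modelled on the "Secure log" lines in the post
# ("nisuser" stands in for the redacted account name).
SAMPLE = """\
nisuser[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): username [nisuser] obtained
nisuser[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): conversation failed
nisuser[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): auth could not identify password for [nisuser]
nisuser[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): username [nisuser] obtained
nisuser[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
nisuser[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=10.65.31.25
"""

# "[pid]: ... pam_unix(service:phase): message"
LINE = re.compile(
    r"\[(?P<pid>\d+)\]: .*?pam_unix\((?P<svc>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
# Fields of interest on the "authentication failure;" line.
KV = re.compile(r"\b(uid|euid|rhost)=(\S*)")

# Message prefix -> outcome label (labels are hypothetical, chosen for this example).
OUTCOMES = [
    ("conversation failed", "no_password_supplied"),
    ("auth could not identify password", "no_password_supplied"),
    ("check pass; user unknown", "user_unknown"),
]


def summarize(text):
    """Group pam_unix lines by backend PID and label each attempt."""
    attempts = OrderedDict()
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a pam_unix line in the expected shape
        entry = attempts.setdefault(
            m["pid"], {"service": m["svc"], "outcome": "unclassified"}
        )
        msg = m["msg"]
        for prefix, label in OUTCOMES:
            if msg.startswith(prefix):
                entry["outcome"] = label
        if msg.startswith("authentication failure;"):
            # Record which uid the PAM stack ran as and the client address.
            entry.update(KV.findall(msg))
    return attempts


if __name__ == "__main__":
    for pid, info in summarize(SAMPLE).items():
        print(pid, info)
```
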






