Hi Andrey,
I haven't used Postgres with PAM authentication for a long time. I cannot spot anything right away. However, your sentence "All of this works fine for 'local' Linux accounts." confuses me. According to what I understand from the documentation and your explanation, it is not supposed to work.
Note
If PAM is set up to read /etc/shadow, authentication will fail because the PostgreSQL server is started by a non-root user. However, this is not an issue when PAM is configured to use LDAP or other authentication methods.
Have you tried to run pamtester as postgres user? Also testing with an empty password and with a wrong password may be helpful.
Also, what does the /etc/nsswitch.conf file look like? There can be a configuration issue in that file. The following log line looks interesting. My first impression is that it could not find the user. Do you use the same users to log in to the Linux server itself?
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
My gut says the passwd line is not configured correctly in the nsswitch.conf file. And you may end up changing the account line in the /etc/pam.d/postgresql file to the line below.
account required pam_permit.so
Best regards.
Samed YILDIRIM
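A small diagnostic script for the checks listed above: which sources the passwd line in nsswitch.conf consults, what the PAM stack for the postgresql service resolves to once the include directives are followed, whether the unprivileged server user can resolve the account at all (the "user unknown" symptom), whether /etc/shadow is readable by that user (the documentation note above is about exactly this), and pamtester run as that user. This is an added example, not code from either message in the thread; it assumes the server runs as a user named postgres, that pamtester is installed, and the standard /etc/nsswitch.conf and /etc/pam.d locations.

```sh
#!/bin/sh
# Added diagnostic helper (not from the thread). Assumptions: the PostgreSQL
# server runs as the "postgres" user, pamtester is installed, and the PAM and
# NSS configuration live in /etc/pam.d and /etc/nsswitch.conf.

# Print the sources configured for one database (e.g. passwd) in an
# nsswitch.conf-style file, without the "passwd:" label or trailing comments.
nss_sources() { # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '
        { sub(/#.*/, "") }
        $1 == db ":" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Succeed if the database lists the given source ("nis", "files", "sss", ...).
nss_has_source() { # $1 = nsswitch.conf path, $2 = database, $3 = source
    nss_sources "$1" "$2" | tr ' \t' '\n' | grep -qx -- "$3"
}

# Print the effective PAM lines of one module type for a service, following
# "include" and "substack" directives (as in postgresql -> password-auth).
pam_stack() { # $1 = pam.d directory, $2 = service name, $3 = type (auth, account, ...)
    awk -v dir="$1" -v svc="$2" -v type="$3" '
    function expand(name,    file, line, f, n, i, ctl) {
        file = dir "/" name
        while ((getline line < file) > 0) {
            sub(/^[ \t]+/, "", line)
            if (line ~ /^(#|$)/) continue
            n = split(line, f, /[ \t]+/)
            # "-session" style lines (missing module is not fatal) count too
            if (f[1] != type && f[1] != ("-" type)) continue
            # the control field may be a bracketed list containing spaces,
            # e.g. [success=1 default=ignore]
            i = 2; ctl = f[2]
            while (ctl ~ /^\[/ && ctl !~ /\]$/ && i < n) { i++; ctl = ctl " " f[i] }
            if (ctl == "include" || ctl == "substack") expand(f[i + 1])
            else print line
        }
        close(file)
    }
    BEGIN { expand(svc) }'
}

# Live checks on this host for one login name, run as the server user.
diagnose_pg_pam() { # $1 = login name to test
    user=$1
    srv=postgres   # assumed name of the account the server runs as
    echo "== passwd sources in /etc/nsswitch.conf: $(nss_sources /etc/nsswitch.conf passwd)"
    nss_has_source /etc/nsswitch.conf passwd nis || echo "   WARNING: nis is not a passwd source"
    echo "== effective PAM auth stack for service postgresql:"
    pam_stack /etc/pam.d postgresql auth
    echo "== effective PAM account stack for service postgresql:"
    pam_stack /etc/pam.d postgresql account
    echo "== can $srv resolve the account through NSS?"
    su -s /bin/sh -c "getent passwd '$user'" "$srv" || echo "   getent failed as $srv"
    echo "== is /etc/shadow readable by $srv? (it should not be)"
    if su -s /bin/sh -c "test -r /etc/shadow" "$srv"; then
        echo "   readable: that is a permissions problem in its own right"
    else
        echo "   not readable: pam_unix cannot check /etc/shadow passwords from this process"
    fi
    echo "== pamtester as $srv (authenticate, then account management):"
    su -s /bin/sh -c "pamtester -v postgresql '$user' authenticate acct_mgmt" "$srv"
}

# Run the live checks only when a login name is passed on the command line,
# e.g.  sh pg_pam_check.sh someuser
if [ "$#" -gt 0 ]; then
    diagnose_pg_pam "$1"
fi
```

Run it as root (su needs that) with the NIS login name as the argument and compare the pamtester result with the one obtained as your own user: a difference between the two runs points at something the postgres user cannot see or read, which is what the "check pass; user unknown" line suggests.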
On Wed, 31 Jan 2024 at 19:08, Andrey Glazunov <aag@xxxxxx> wrote:
Hi,
I'm trying to configure Postgres to authenticate NIS users through pam.
Here is my setup:
Server version:
PostgreSQL 15.2 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18), 64-bit
Relevant pg_hba lines:
host all psql all md5
host all all all pam
PAM:
/etc/pam.d/postgresql
#%PAM-1.0
auth include password-auth
account include password-auth
/etc/pam.d/password-auth
# Generated by authselect on Wed Jan 31 12:48:13 2024
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok
auth required pam_deny.so
account required pam_unix.so broken_shadow
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok nis
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
PAM service seems to be okay, i.e., if I provide the correct pass, it lets me through with both local and NIS accounts:
% pamtester -v postgresql <localuser> authenticate
pamtester: invoking pam_start(postgresql, <localuser>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
% pamtester -v postgresql <nisuser> authenticate
pamtester: invoking pam_start(postgresql, <nisuser>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated
Users exist in Postgres with login permission, required NIS daemons are up and running, tools like ypwhich or ypcat are working fine.
But when I try to connect to Postgres server using NIS account, authentication fails:
psql: error: connection to server at "<hostname>" (10.65.31.25), port 5432 failed: FATAL: PAM authentication failed for user "<nisuser>"
Server logs:
[52] DEBUG: forked new backend, pid=564 socket=10
[564] DEBUG: InitPostgres
[564] DEBUG: my backend ID is 3
[564] DEBUG: StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
[564] DEBUG: shmem_exit(0): 4 before_shmem_exit callbacks to make
[564] DEBUG: shmem_exit(0): 6 on_shmem_exit callbacks to make
[564] DEBUG: proc_exit(0): 2 callbacks to make
[564] DEBUG: exit(0)
[564] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
[564] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
[564] DEBUG: proc_exit(-1): 0 callbacks to make
[52] DEBUG: reaping dead processes
[52] DEBUG: server process (PID 564) exited with exit code 0
[52] DEBUG: forked new backend, pid=566 socket=10
[566] DEBUG: InitPostgres
[566] DEBUG: my backend ID is 3
[566] DEBUG: StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
[566] DEBUG: received password packet
[566] LOG: pam_authenticate failed: Authentication failure
[566] FATAL: PAM authentication failed for user "<nisuser>"
[566] DETAIL: Connection matched pg_hba.conf line 105: "host all all all pam"
[566] DEBUG: shmem_exit(1): 4 before_shmem_exit callbacks to make
[566] DEBUG: shmem_exit(1): 6 on_shmem_exit callbacks to make
[566] DEBUG: proc_exit(1): 2 callbacks to make
[566] DEBUG: exit(1)
[566] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
[566] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
[566] DEBUG: proc_exit(-1): 0 callbacks to make
[52] DEBUG: reaping dead processes
[52] DEBUG: server process (PID 566) exited with exit code 1
Secure log:
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): conversation failed
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): auth could not identify password for [<nisuser>]
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=10.65.31.25
All of this works fine for 'local' Linux accounts.
Am I missing something?
thanks,
--
wbr,
Andrey