Problems getting Apache to use PAM

From: J M (therealsunmanager@ntlworld.com)
Date: Fri Feb 03 2006 - 06:43:30 EST


We run Solaris 8 and use our Microsoft AD for logon authentication with Kerberos. Password, account and session management are carried out by Solaris. Our pam.conf file illustrates our current setup.

login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_krb5.so.1 use_first_pass
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1

other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_krb5.so.1 use_first_pass
other auth required pam_unix_auth.so.1
 
The problem is, Apache doesn't use PAM and so we can't implement Kerberos authentication on servers running Apache because nobody will be able to log in with their AD password. However, we believe we've found a potential solution at:

http://pam.sourceforge.net/mod_auth_pam/

This has been compiled from the source and installed OK. It's possible to authenticate local users with this (if you give Apache read access to the shadow file), but we have not had any success when using the Kerberos authentication to our AD.

In desperation we have added lots of entries to our pam.conf to try and make this work:

httpd auth requisite pam_authtok_get.so.1 debug
httpd auth required pam_dhkeys.so.1 debug
httpd auth sufficient pam_krb5.so.1 use_first_pass debug
httpd auth required pam_unix_auth.so.1 debug
httpd session sufficient pam_krb5.so.1 debug
httpd password sufficient pam_krb5.so.1 use_first_pass debug
httpd account sufficient pam_krb5.so.1 debug
httpd account required pam_unix_account.so.1 debug

The apache2 config file has:

LoadModule auth_pam_module modules/mod_auth_pam.so

<Directory /usr/local/apache2/htdocs/test>
    Satisfy Any
    Order deny,allow
    Deny from all
    AuthBasicAuthoritative off
    AuthPAM_Enabled on
    AuthPAM_Fallthrough off
    Authtype basic
    AuthUserFile /dev/null
    Authname "Password required"
    Require valid-user
</Directory>

With these settings we get the following reported in /var/adm/messages:

Feb 2 09:54:54 ourhost httpd[5431]: [ID 634615 user.debug] pam_authtok_get:pam_sm_authenticate: flags = 1
Feb 2 09:54:54 outhost httpd[5431]: [ID 264565 user.debug] PAM-KRB5: auth: pam_sm_authenticate flags = 1
Feb 2 09:54:54 ourhost httpd[5431]: [ID 405806 user.debug] PAM-KRB5: attempt_krb5_login: start: user='fred', uid=10003
Feb 2 09:54:54 outhost httpd[5431]: [ID 730853 user.debug] PAM-KRB5: auth: krb5_login: tkt_with_pw returns: Unknown code 0
Feb 2 09:54:54 ourhost httpd[5431]: [ID 410402 user.debug] PAM-KRB5: attempt_krb5_login returning 4
Feb 2 09:54:54 ourhost httpd[5431]: [ID 892699 user.debug] PAM-KRB5: pam_sm_auth finalize ccname env, result = 4, env = 'KRB5CCNAME=FILE:/tmp/krb5cc_10003', age = 0, status = 4
Feb 2 09:54:54 outhost httpd[5431]: [ID 753808 user.debug] PAM-KRB5: sm_auth: returning 4
Feb 2 09:54:54 ourhost httpd[5431]: [ID 896952 user.debug] pam_unix_auth: entering pam_sm_authenticate()
Feb 2 09:54:54 ourhost httpd[5431]: [ID 174864 user.debug] PAM-KRB5: krb5_cleanup pam_sm_auth_status(4)

The apache error log has:

[Thu Feb 02 09:54:54 2006] [error] [client 10.10.10.10] PAM: user 'fred' - not authenticated: Authentication failed

If anybody has any experience with this, please help!

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
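An added example, not from the post or from mod_auth_pam, that walks the posted httpd `auth` stack with Solaris PAM control-flag semantics (requisite / required / sufficient). It shows why a `sufficient` pam_krb5 that returns 4 (PAM_SYSTEM_ERR in Solaris' pam_appl.h) falls through to pam_unix_auth, whose failure then decides the outcome, and how the same stack short-circuits to success once pam_krb5 succeeds. The result assumed for pam_unix_auth is a constructed value, since the posted log does not show it.

```python
# Added example: evaluate the posted httpd 'auth' stack with Solaris
# control-flag rules to see which modules are consulted and what the
# application finally receives. Module return codes are supplied per scenario.
PAM_SUCCESS, PAM_SYSTEM_ERR, PAM_AUTH_ERR = 0, 4, 9   # Solaris pam_appl.h values

# The httpd auth lines exactly as posted; module options are ignored here.
PAM_CONF = """
httpd auth requisite pam_authtok_get.so.1 debug
httpd auth required pam_dhkeys.so.1 debug
httpd auth sufficient pam_krb5.so.1 use_first_pass debug
httpd auth required pam_unix_auth.so.1 debug
"""

def parse_stack(conf, service, mtype):
    """Return [(control_flag, module)] for one service/type from pam.conf text."""
    rows = [l.split() for l in conf.splitlines()]
    return [(f[2], f[3]) for f in rows if len(f) >= 4 and f[:2] == [service, mtype]]

def run_stack(stack, results):
    """Evaluate the stack; results maps module -> return code.
    Returns (final_code, modules_consulted)."""
    first_error, called = None, []
    for flag, module in stack:
        rc = results[module]
        called.append(module)
        if flag == "requisite" and rc != PAM_SUCCESS:
            return (first_error if first_error is not None else rc), called
        if flag == "required" and rc != PAM_SUCCESS and first_error is None:
            first_error = rc            # remembered; the stack keeps running
        if flag == "sufficient" and rc == PAM_SUCCESS and first_error is None:
            return PAM_SUCCESS, called  # short-circuit: later modules never run
        # a failing 'sufficient' module is ignored; 'optional' is not modelled
    return (first_error if first_error is not None else PAM_SUCCESS), called

def scenarios():
    stack = parse_stack(PAM_CONF, "httpd", "auth")
    base = {"pam_authtok_get.so.1": PAM_SUCCESS, "pam_dhkeys.so.1": PAM_SUCCESS}
    # As logged: pam_krb5 returned 4 (PAM_SYSTEM_ERR). pam_unix_auth's own result
    # is not in the log, so a failure is assumed (constructed) for this walk-through.
    observed = run_stack(stack, {**base, "pam_krb5.so.1": PAM_SYSTEM_ERR,
                                 "pam_unix_auth.so.1": PAM_AUTH_ERR})
    # Same stack once pam_krb5 succeeds: pam_unix_auth is never consulted.
    krb5_ok = run_stack(stack, {**base, "pam_krb5.so.1": PAM_SUCCESS,
                                "pam_unix_auth.so.1": PAM_AUTH_ERR})
    return observed, krb5_ok

if __name__ == "__main__":
    for name, (rc, called) in zip(("observed", "krb5_ok"), scenarios()):
        print(f"{name}: rc={rc} consulted={called}")
```

Because pam_krb5 is `sufficient`, its error is discarded and the `required` pam_unix_auth line decides the result, which is why the Apache error log only ever reports a generic "Authentication failed" for the stack as a whole.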



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:38:50 EDT