Hello,

  I'm trying to configure a 389 instance to pass authentication to our Kerberos 
server using the PAM Pass Through plugin. As far as I can tell, the 
authentication is happening correctly in PAM, but it's getting refused by the 
389 server. I've included the relevant configurations and some log file 
snippets of an example authentication. 

Has anyone seen a problem like this before? Do I have a problem in my 
configuration? 


Thanks,

Sam


My pass through auth config from dse.ldif:

dn: cn=PAM Pass Through Auth,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: pamConfig
cn: PAM Pass Through Auth
nsslapd-pluginPath: libpam-passthru-plugin
nsslapd-pluginInitfunc: pam_passthruauth_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginloadglobal: true
nsslapd-plugin-depends-on-type: database
pamMissingSuffix: ALLOW
pamIncludeSuffix: o=isp
pamExcludeSuffix: cn=config
pamIDMapMethod: RDN
pamIDAttr: notUsedWithRDNMethod
pamFallback: TRUE
pamSecure: FALSE
pamService: ldapserver
nsslapd-pluginId: pam_passthruauth
nsslapd-pluginVersion: 1.2.2
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: PAM pass through authentication plugin


Here is the PAM configuration file I'm using (/etc/pam.d/ldapserver):

auth        sufficient    /lib64/security/pam_krb5.so force_first_pass forwardable debug no_user_check ignore_k5login no_initial_prompt

password    sufficient    /lib64/security/pam_krb5.so use_authtok

session     optional      /lib64/security/pam_krb5.so



Here's the PAM log from an attempted authentication:

Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: configured realm 'INS.CWRU.EDU'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flags: forwardable
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no ignore_afs
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no krb4_convert
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: krb4_convert_524
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: krb4_use_as_req
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: will try previously set password first
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: will let libkrb5 ask questions
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no use_shmem
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no external
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: no multiple_ccaches
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: validate
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: flag: warn
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: ticket lifetime: 0
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: renewable lifetime: 0
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: banner: Kerberos 5
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: ccache dir: /tmp
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: keytab: FILE:/etc/krb5.keytab
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: called to authenticate 'sdh7', realm 'INS.CWRU.EDU'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authenticating '[email protected]'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: not using an entered password for 'sdh7', allowing libkrb5 to prompt for more
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authenticating '[email protected]' to 'krbtgt/[email protected]'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: libkrb5 asked for long-term password, replacing prompt text with generic prompt
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: krb5_get_init_creds_password(krbtgt/[email protected]) returned 0 (Success)
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: validating credentials
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: error reading keytab 'FILE:/etc/krb5.keytab'
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: TGT verified
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: got result 0 (Success)
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: authentication succeeds for 'sdh7' ([email protected])
Aug 30 12:55:44 its-srv-ksl-1 ns-slapd: pam_krb5[23742]: pam_authenticate returning 0 (Success)

And here is the 389 error log from the same auth:

[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - => pam_passthru_bindpreop
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - pam msg [0] = 1 Password:
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Error from PAM during pam_acct_mgmt (7: Authentication failure)
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Invalid PAM password for user id [sdh7], bind DN [uid=sdh7,ou=people,o=cwru.edu,o=isp]
[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - <= handled (error 49 - Invalid credentials)
[30/Aug/2011:12:55:44 -0400] passthru-plugin - => passthru_bindpreop
[30/Aug/2011:12:55:44 -0400] passthru-plugin - <= not handled (not one of our suffixes)

--
389 users mailing list
[email protected]
https://admin.fedoraproject.org/mailman/listinfo/389-users
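
Added example, not part of the original post or of the 389 project's code: a small check that maps the PAM call named in the plugin's error line to its management group and reports whether the quoted service file has any rule for that group. The helper names are hypothetical, and the sample input is the service file and error line from the message above.

```python
import re

# Sample input taken from the service file and plugin log quoted in the post.
SERVICE_FILE = """\
auth        sufficient    /lib64/security/pam_krb5.so force_first_pass forwardable debug no_user_check ignore_k5login no_initial_prompt
password    sufficient    /lib64/security/pam_krb5.so use_authtok
session     optional      /lib64/security/pam_krb5.so
"""
PLUGIN_LOG = (
    "[30/Aug/2011:12:55:44 -0400] pam_passthru-plugin - Error from PAM during "
    "pam_acct_mgmt (7: Authentication failure)\n"
)

# PAM library call -> management group whose rule stack that call runs.
PHASE_TO_GROUP = {
    "pam_authenticate": "auth", "pam_setcred": "auth",
    "pam_acct_mgmt": "account",
    "pam_chauthtok": "password",
    "pam_open_session": "session", "pam_close_session": "session",
}
GROUPS = {"auth", "account", "password", "session"}

def groups_defined(service_text):
    """Return the management groups that have at least one rule in the file.
    Rules pulled in through include directives are not followed here."""
    found = set()
    for line in service_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        group = line.split()[0].lstrip("-")    # a leading '-' marks an optional module
        if group in GROUPS:
            found.add(group)
    return found

def diagnose(service_text, log_text):
    """For each PAM error in the plugin log, report whether its group has rules."""
    defined = groups_defined(service_text)
    pattern = r"Error from PAM during (\w+) \((\d+): ([^)]*)\)"
    return [
        {"call": call, "code": int(code), "group": PHASE_TO_GROUP.get(call),
         "group_has_rules": PHASE_TO_GROUP.get(call) in defined}
        for call, code, _msg in re.findall(pattern, log_text)
    ]

if __name__ == "__main__":
    for finding in diagnose(SERVICE_FILE, PLUGIN_LOG):
        print(finding)
```

On this input the failing call is `pam_acct_mgmt`, which runs the `account` stack, and the service file defines only `auth`, `password` and `session` rules.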
