Pam NIS authentication

From: Andrey Glazunov <aag(at)aag(dot)sh>
To: pgsql-admin(at)lists(dot)postgresql(dot)org
Subject: Pam NIS authentication
Date: 2024-01-31 17:08:27
Message-ID: 4a2aee3e-71a9-4542-98c3-2d0bdb8eb72a@aag.sh
Lists: pgsql-admin

Hi,

I'm trying to configure Postgres to authenticate NIS users through PAM.

Here is my setup:

Server version:
PostgreSQL 15.2 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18), 64-bit

Relevant pg_hba lines:
host all psql all md5
host all all all pam

PAM:
/etc/pam.d/postgresql
#%PAM-1.0
auth include password-auth
account include password-auth

/etc/pam.d/password-auth
# Generated by authselect on Wed Jan 31 12:48:13 2024
# Do not modify this file manually.

auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_unix.so nullok
auth required pam_deny.so

account required pam_unix.so broken_shadow

password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok nis
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so

PAM service seems to be okay, i.e. if I provide the correct pass, it lets me through with both local and NIS accounts:
% pamtester -v postgresql <localuser> authenticate
pamtester: invoking pam_start(postgresql, <localuser>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated

% pamtester -v postgresql <nisuser> authenticate
pamtester: invoking pam_start(postgresql, <nisuser>, ...)
pamtester: performing operation - authenticate
Password:
pamtester: successfully authenticated

Users exist in Postgres with login permission, required NIS daemons are up and running, tools like ypwhich or ypcat are working fine.
But when I try to connect to the Postgres server using a NIS account, authentication fails:
psql: error: connection to server at "<hostname>" (10.65.31.25), port 5432 failed: FATAL: PAM authentication failed for user "<nisuser>"

Server logs:
[52] DEBUG: forked new backend, pid=564 socket=10
[564] DEBUG: InitPostgres
[564] DEBUG: my backend ID is 3
[564] DEBUG: StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
[564] DEBUG: shmem_exit(0): 4 before_shmem_exit callbacks to make
[564] DEBUG: shmem_exit(0): 6 on_shmem_exit callbacks to make
[564] DEBUG: proc_exit(0): 2 callbacks to make
[564] DEBUG: exit(0)
[564] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
[564] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
[564] DEBUG: proc_exit(-1): 0 callbacks to make
[52] DEBUG: reaping dead processes
[52] DEBUG: server process (PID 564) exited with exit code 0
[52] DEBUG: forked new backend, pid=566 socket=10
[566] DEBUG: InitPostgres
[566] DEBUG: my backend ID is 3
[566] DEBUG: StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
[566] DEBUG: received password packet
[566] LOG: pam_authenticate failed: Authentication failure
[566] FATAL: PAM authentication failed for user "<nisuser>"
[566] DETAIL: Connection matched pg_hba.conf line 105: "host all all all pam"
[566] DEBUG: shmem_exit(1): 4 before_shmem_exit callbacks to make
[566] DEBUG: shmem_exit(1): 6 on_shmem_exit callbacks to make
[566] DEBUG: proc_exit(1): 2 callbacks to make
[566] DEBUG: exit(1)
[566] DEBUG: shmem_exit(-1): 0 before_shmem_exit callbacks to make
[566] DEBUG: shmem_exit(-1): 0 on_shmem_exit callbacks to make
[566] DEBUG: proc_exit(-1): 0 callbacks to make
[52] DEBUG: reaping dead processes
[52] DEBUG: server process (PID 566) exited with exit code 1

Secure log:
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): conversation failed
<nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): auth could not identify password for [<nisuser>]
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
<nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): authentication failure; logname= uid=26 euid=26 tty= ruser= rhost=10.65.31.25

All of this works fine for 'local' Linux accounts.

Am I missing something?

thanks,

--
wbr,
Andrey
