linux - Program is receiving PAM_PERM_DENIED (7) when authenticating against Active Directory, while ssh works
I am using the Active Directory domain jamie_ad1.net and have a user greg there. When I run ssh -l greg@jamie_ad1.net x.x.x.x I get logged in. When, however, I authenticate the user in my program, the process_user() function (below) returns error 7 (PAM_PERM_DENIED: the caller does not possess the required authority).

What am I doing wrong? Note that during ssh, /etc/pam.d/system-auth is being used. I am using the same PAM service name "system-auth" in my program (and I also tried "sshd" and "login"; they failed too).
    #include <security/pam_appl.h>
    #include <stdlib.h>
    #include <string.h>

    static int process_user( const char* uname, const char* pwd )
    {
        int rv = 0;
        struct pam_conv conv;
        pam_handle_t* pamh = NULL;

        conv.conv = &pamauth_conv;
        conv.appdata_ptr = ( void* )pwd;   /* the password is handed to the conversation function */

        /* note: pam_acct_mgmt() is called here before pam_authenticate(); the usual order is the reverse */
        if ( (( rv = pam_start( "system-auth", uname, &conv, &pamh )) == PAM_SUCCESS ) &&
             (( rv = pam_acct_mgmt( pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK )) == PAM_SUCCESS ) &&
             (( rv = pam_authenticate( pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK )) == PAM_SUCCESS ) )
        ...
        pam_end( pamh, rv );
        ...
    }
Below is the conversation function used by process_user(). While under gdb I see that num_msg is 1, msg[ 0 ]->msg is "Password: ", and the function sets p[ 0 ].resp to the strduped password (I have checked that the password is correct).
    static int pamauth_conv( int num_msg, const struct pam_message** msg,
                             struct pam_response** resp, void* appdata_ptr )
    {
        int rv = PAM_SUCCESS;
        struct pam_response* p = NULL;
        int i;

        p = calloc( num_msg, sizeof( struct pam_response ));
        if ( p == NULL )
            rv = PAM_BUF_ERR;
        else
        {
            for ( i = 0; ( rv == PAM_SUCCESS ) && ( i < num_msg ); i++ )
                if ( strcmp( msg[ i ]->msg, "Password: " ) == 0 )   /* support password conversation */
                {
                    p[ i ].resp = strdup(( char* )appdata_ptr );
                    if ( p[ i ].resp == NULL )
                        rv = PAM_BUF_ERR;
                }
        }

        if ( rv == PAM_SUCCESS )
            *resp = p;
        else if ( p )
        {
            /* on failure free whatever was already allocated */
            for ( i = 0; i < num_msg; i++ )
                if ( p[ i ].resp )
                    free( p[ i ].resp );
            free( p );
        }
        return rv;
    }
Note: the pam_acct_mgmt() call returns success, which confirms that the greg@jamie_ad1.net user exists. It is pam_authenticate() that complains.

Contents of /etc/pam.d/system-auth, which is the same as /etc/pam.d/password-auth:
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        sufficient    pam_winbind.so use_first_pass
    auth        required      pam_deny.so

    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     [default=bad success=ok user_unknown=ignore] pam_winbind.so
    account     required      pam_permit.so

    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    sufficient    pam_winbind.so use_authtok
    password    required      pam_deny.so

    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_oddjob_mkhomedir.so umask=0077
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so
Contents of /etc/pam.d/sshd:

    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    session    required     pam_lastlog.so showfailed
Logging in with the ssh client works because it does not use the PAM subsystem for authentication on an external AD host. The ssh client checks the GSSAPIAuthentication flag in its config (/etc/ssh/ssh_config or /etc/ssh_config or ~/.ssh/config) and calls the GSSAPI library. GSSAPI uses the Kerberos that is installed and correctly configured on the Linux host your program runs on.

If the purpose of your program is to authenticate user credentials against Active Directory, it should do the same and call GSSAPI. An alternative way (possibly easier to use) is authenticating over the LDAP API. Note that AD installations reject simple plaintext authentication over unencrypted LDAP and require SASL-based authentication or an SSL connection.

The call pam_start( "system-auth", ... ) in your code means "authenticate the user in the same way other PAM-based services on this Linux host do". In order to make it work one should contact the Linux host administrator (the one who configured the Kerberos client) and ask her/him to complete the integration with Active Directory. As a result of a successful setup, PAM-based services (like login, su, sshd and so on) will start understanding AD credentials, and so will your code. This approach has limitations:
- your program will depend on the working AD integration setup of the host it runs on, i.e. proper Kerberos, PAM and/or Samba configuration,
- "system-auth" as the name of the PAM service is specific to RedHat-based distributions and might be missing on Debian-based systems.
If your code needs to authenticate against AD via the PAM subsystem and using the "system-auth" service is not a requirement, the following minimal configuration might help. Again, without a qualified Linux admin it is quite a risky venture:
- install the pam_krb5 package on Red Hat, libpam-krb5 on Debian.
- find the exact location of pam_krb5.so; on an Ubuntu box it is /lib/x86_64-linux-gnu/security/pam_krb5.so.
- create a new service description file /etc/pam.d/krb5auth with the following contents (copied from the man page):

    auth     sufficient /lib/x86_64-linux-gnu/security/pam_krb5.so minimum_uid=1000
    session  required   /lib/x86_64-linux-gnu/security/pam_krb5.so minimum_uid=1000
    account  required   /lib/x86_64-linux-gnu/security/pam_krb5.so minimum_uid=1000
    password sufficient /lib/x86_64-linux-gnu/security/pam_krb5.so minimum_uid=1000

- test the new service; I recommend a quick Python session with python-pam. Enter the user name as either 'greg' or 'greg@JAMIE_AD1.NET'; uppercase is sometimes important for Kerberos.
- change the pam_start() call in your code to use pam_start( "krb5auth", ... ) and cross your fingers.