Bug 99174

Summary: RHN Satellite can't authenticate users through PAM
Product: Red Hat Satellite 5
Component: Server
Version: unspecified
Hardware: i386
OS: Linux
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Reporter: Aleksandr Brezhnev <brezhnev>
Assignee: Mihai Ibanescu <mihai.ibanescu>
QA Contact: Red Hat Satellite QA List <satqe-list>
CC: rhn-bugs, tao
Doc Type: Bug Fix
Last Closed: 2003-07-21 18:36:35 UTC
Bug Blocks: 97549
Attachments:
PyPAM binary rpm (flags: none)
PyPAM source rpm (flags: none)

Description Aleksandr Brezhnev 2003-07-15 14:31:27 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Our customer wants to authenticate Satellite users through Kerberos.
We are using rhns-2.5.1-11 and this release does not include
Python module PyPAM for PAM authentication. I built and 
installed this module myself. See attachments for binary and source
rpms.

I enabled PAM authentication in rhn.conf.
The file /etc/rhn/rhn.conf has the following lines:

encrypted_passwords = 1
pam_auth_service = passwd

PAM services "passwd" and "system-auth" are configured for Kerberos
authentication and users can login into the system using their 
Kerberos passwords.

/etc/pam.d/passwd:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/pam_krb5.so use_first_pass
auth        required      /lib/security/pam_deny.so

account     required      /lib/security/pam_unix.so

password    required      /lib/security/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/pam_krb5.so use_authtok
password    required      /lib/security/pam_deny.so

session     required      /lib/security/pam_limits.so
session     required      /lib/security/pam_unix.so
session     optional      /lib/security/pam_krb5.so


The problem is the users can't login into Satellite using 
their Kerberos passwords. They can login using their password 
stored in the database even if the field 'use_pam_authentication' 
for their accounts is set to 'Y'.

I can manually invoke rhnAuthPAM.check_password function
and it is able to authenticate users through Kerberos.

I tried to register a new system with Kerberos-enabled user
account but got the error message from rhn_register-2.8.36-1.2.1AS:

There was an error communication with the registration server:
While running 'registration.reserve_user':
caught exceptions.ValueError : unpack tuple of wrong size



Version-Release number of selected component (if applicable):
rhns-2.5.1-11 rhns-server-2.5.1-11

How reproducible:
Always

Steps to Reproduce:
1. Install PyPAM-0.4.2-1.i386.rpm
2. Configure system for Kerberos authentication
3. Add line pam_auth_service = passwd into rhn.conf
4. Create Satellite user account and enable PAM authentication for
this account.
5. Try to login through the Web-interface using Kerberos password
and password stored in the database.


Actual Results:  User can't login using Kerberos password but can login using the
password stored in the database.

Expected Results:  User should be able to login using Kerberos password.

Additional info:

Comment 1 Aleksandr Brezhnev 2003-07-15 14:33:40 UTC
Created attachment 92937 [details]
PyPAM binary rpm

Comment 2 Aleksandr Brezhnev 2003-07-15 14:34:13 UTC
Created attachment 92938 [details]
PyPAM source rpm

Comment 3 Mihai Ibanescu 2003-07-17 14:46:08 UTC
Aleksandr,

You may want to customize the service file for PAM. This is what I used and
worked for my satellite test:

#%PAM-1.0
auth        required      /lib/security/pam_env.so
auth        sufficient    /lib/security/pam_krb5.so no_user_check
auth        required      /lib/security/pam_deny.so
account     required      /lib/security/pam_krb5.so no_user_check


I wouldn't go with the password PAM service file, login would be better. But if
you don't have NIS set up on that box, it won't work. Best way to debug it is to
look in /var/log/messages, PAM will spew errors there.

If you don't see any messages (neither successful nor unsuccessful logins) in
/var/log/messages, make sure the user has PAM authentication turned on (there is
a checkbox in the user profile).

That being said, rhn_register should work out of the box. The web site has a bug
that we'll fix as soon as possible: if password encryption is turned on, PAM
password verification is never performed. Workaround for now is to turn
encryption off; we'll have a patch really soon though.
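
An added illustration, not part of the thread and not Satellite's code: a small Python model of the ordering problem described in Comment 3, where the encrypted-password path returns before the per-user PAM flag is checked. All function names, the SHA-256 hashing, the sample accounts and the "no database fallback for PAM users" policy in the corrected version are assumptions made for the example.

```python
import hashlib
import hmac

def digest(password):
    # SHA-256 is a stand-in for the server's real password hashing (assumption).
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed accounts: alice is flagged for PAM but still has a stale DB password.
USERS = {
    "alice": {"use_pam_authentication": "Y", "db_hash": digest("old-db-secret")},
    "bob": {"use_pam_authentication": "N", "db_hash": digest("bob-db-secret")},
}
CONF_ENCRYPTED = {"encrypted_passwords": 1, "pam_auth_service": "passwd"}
CONF_WORKAROUND = {"encrypted_passwords": 0, "pam_auth_service": "passwd"}

def fake_pam_check(service, user, password):
    # Stand-in for the PAM conversation; only alice's Kerberos password passes.
    return service == "passwd" and (user, password) == ("alice", "krb5-secret")

def db_check(record, password):
    return hmac.compare_digest(record["db_hash"], digest(password))

def wants_pam(record, conf):
    return record["use_pam_authentication"] == "Y" and bool(conf.get("pam_auth_service"))

def login_buggy(user, password, conf, pam_check=fake_pam_check):
    record = USERS.get(user)
    if record is None:
        return False
    if conf["encrypted_passwords"]:
        # Early return: the per-user PAM flag is never consulted on this path.
        return db_check(record, password)
    if wants_pam(record, conf):
        return pam_check(conf["pam_auth_service"], user, password)
    return db_check(record, password)

def login_fixed(user, password, conf, pam_check=fake_pam_check):
    record = USERS.get(user)
    if record is None:
        return False
    if wants_pam(record, conf):
        # Assumed policy: PAM is authoritative for flagged users, so a stale
        # database password is not accepted as a fallback.
        return pam_check(conf["pam_auth_service"], user, password)
    return db_check(record, password)
```

With `CONF_ENCRYPTED`, `login_buggy` reproduces the reported behaviour (database password accepted, Kerberos password rejected), and `CONF_WORKAROUND` models turning encryption off.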

Comment 4 Aleksandr Brezhnev 2003-07-17 15:12:45 UTC
I disabled password encryption and used your PAM configuration file.
Everything is working now. I can register systems using user account
with Kerberos authentication and I can login into website using this
account. Thanks a lot! 

Comment 5 Mihai Ibanescu 2003-07-21 18:36:35 UTC
Cool. Closing this bug as NOTABUG - the web code is already fixed, and PyPAM
will be in the list of satellite RPMs by default.