From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Description of problem:
Our customer wants to authenticate Satellite users through Kerberos. We are using rhns-2.5.1-11 and this release does not include the Python module PyPAM for PAM authentication. I built and installed this module myself. See attachments for binary and source rpms.

I enabled PAM authentication in rhn.conf. The file /etc/rhn/rhn.conf has the following lines:

encrypted_passwords = 1
pam_auth_service = passwd

PAM services "passwd" and "system-auth" are configured for Kerberos authentication and users can log in to the system using their Kerberos passwords.

/etc/pam.d/passwd:

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth

/etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3 type=
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/pam_krb5.so use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
session optional /lib/security/pam_krb5.so

The problem is that the users can't log in to Satellite using their Kerberos passwords. They can log in using their password stored in the database even if the field 'use_pam_authentication' for their accounts is set to 'Y'. I can manually invoke the rhnAuthPAM.check_password function and it is able to authenticate users through Kerberos.

I tried to register a new system with a Kerberos-enabled user account but got this error message from rhn_register-2.8.36-1.2.1AS:

There was an error communication with the registration server:
While running 'registration.reserve_user': caught exceptions.ValueError : unpack tuple of wrong size

Version-Release number of selected component (if applicable):
rhns-2.5.1-11
rhns-server-2.5.1-11

How reproducible:
Always

Steps to Reproduce:
1. Install PyPAM-0.4.2-1.i386.rpm
2. Configure system for Kerberos authentication
3. Add line pam_auth_service = passwd into rhn.conf
4. Create Satellite user account and enable PAM authentication for this account.
5. Try to log in through the Web interface using Kerberos password and password stored in the database.

Actual Results:
User can't log in using Kerberos password but can log in using the password stored in the database.

Expected Results:
User should be able to log in using Kerberos password.

Additional info:
Created attachment 92937: PyPAM binary rpm

Created attachment 92938: PyPAM source rpm
Aleksandr,

You may want to customize the service file for PAM. This is what I used and worked for my satellite test:

#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so no_user_check
auth required /lib/security/pam_deny.so
account required /lib/security/pam_krb5.so no_user_check

I wouldn't go with the password PAM service file, login would be better. But if you don't have NIS set up on that box, it won't work.

Best way to debug it is to look in /var/log/messages, PAM will spew errors there. If you don't see any messages (neither successful nor unsuccessful logins) in /var/log/messages, make sure the user has PAM authentication turned on (there is a checkbox in the user profile).

That being said, rhn_register should work out of the box. The web site has a bug that we'll fix as soon as possible: if password encryption is turned on, PAM password verification is never performed. Workaround for now is to turn encryption off; we'll have a patch really soon though.
I disabled password encryption and used your PAM configuration file. Everything is working now. I can register systems using a user account with Kerberos authentication and I can log in to the website using this account. Thanks a lot!
Cool. Closing this bug as NOTABUG - the web code is already fixed, and PyPAM will be in the list of satellite RPMs by default.
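
An added example, not part of the bug thread or of Red Hat's code: a simplified Python model of how PAM control flags decide the result of the two auth stacks quoted above (the reporter's system-auth and the krb5-only service file from the reply). It models only required, requisite and sufficient; the function names and the rule that modules missing from `outcomes` succeed (except pam_deny.so) are assumptions of this sketch.

```python
# Simplified model of PAM control-flag evaluation; this is not libpam.
# Assumption: a module absent from `outcomes` succeeds, except pam_deny.so,
# which always fails. "optional" and [value=action] controls are not modelled.

SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth sufficient /lib/security/pam_krb5.so use_first_pass
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
"""

KRB5_ONLY = """\
#%PAM-1.0
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_krb5.so no_user_check
auth required /lib/security/pam_deny.so
account required /lib/security/pam_krb5.so no_user_check
"""

def parse_stack(text, facility="auth"):
    """Return [(control, module_name)] for one facility, skipping comments."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == facility:
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def evaluate(stack, outcomes):
    """outcomes maps module name -> True (success) or False (failure)."""
    required_failed = required_ok = False
    for control, module in stack:
        ok = outcomes.get(module, module != "pam_deny.so")
        # A successful "sufficient" module ends the stack with success,
        # unless an earlier "required" module has already failed.
        if control == "sufficient" and ok and not required_failed:
            return True
        if control == "requisite" and not ok:
            return False
        if control in ("required", "requisite"):
            required_failed |= not ok
            required_ok |= ok
    return required_ok and not required_failed
```

With system-auth either a local pam_unix match or a Kerberos match ends the stack successfully, while the krb5-only file accepts a Kerberos success alone; in both files pam_deny.so is what turns "nothing matched" into a failure.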