[OpenAFS] Re: Authentication weirdness

Tino Schwarze tino.schwarze@informatik.tu-chemnitz.de
Sun, 3 Nov 2002 10:46:04 +0100


Hi,

On Sat, Nov 02, 2002 at 03:21:11PM -0500, Chris Snyder wrote:
> > Oh, I actually figured out the URL but forgot to include it. Here it is:
> > http://www.tu-chemnitz.de/urz/afs/openafs/download/AddOn/mod_auth_pam/
> > 
> > I also built some RPMs:
> > http://www-user.tu-chemntiz.de/~tisc/mod_auth_pam-1.0a-3.afs.i386.rpm
> > http://www-user.tu-chemntiz.de/~tisc/mod_auth_pam-1.0a-3.afs.src.rpm
> > 
> > This particular mod_auth_pam supports a "PAM_SetCred on" configuration
> > directive (inside .htaccess etc.) which allows a request to be processed
> > with a token from the requesting user. This is particularly useful for
> > database access on insecure servers - the database passwords etc. can be
> > stored in a directory where only authorized users can read (and not even
> > the webserver authenticated via IP or token).
> 
> It still isn't working. I get the following error message in my logs:
> 
> [Sat Nov  2 15:00:46 2002] [error] (13)Permission denied: access to 
> /mvpsoft failed for 64.105.236.211, reason: Authentication service 
> cannot retrieve authentication info.

Do you have any messages in the syslog?

> Here's my httpd pam file:
> #%PAM-1.0
> 
> auth       required     pam_stack.so service=system-auth
> #auth       required     pam_shells.so
> #auth      required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> 
> This is basically my login pam file, with a couple of lines commented out.

I have the following in /etc/pam.d/httpd:

auth       required   /lib/security/pam_afs.so.1        ignore_root dont_fork
account    required   /lib/security/pam_afs.so.1
session    optional   /lib/security/pam_afs.so.1

> Also, the PAM_SetCred on command gets rejected by Apache as not being 
> supported (server error).

Hm. Strange. It seems that the directives are actually called
"AuthPAM_SetCred" and "AuthPAM_Enabled".

HTH! Tino.

-- 
             * LINUX - Where do you want to be tomorrow? *
                  http://www.tu-chemnitz.de/linux/tag/