PAM Authentication Failure
Describe the bug
Attempting to use PAM to have the user authenticate with Kerberos. The pamtester command shows everything working; however, when using the software I see a good authentication in the secure log file but a failure in the software for the same authentication.
To Reproduce
Steps to reproduce the behavior:
- Install software with pam module
- Set up Kerberos authentication for pam
- Attempt to login
Expected behavior
Expect a valid pam login to function
Screenshots, Log-Files, Stacktrace
From /var/log/secure:
Dec 19 09:32:27 webproxy python3: pam_krb5[2799]: TGT verified using key for 'HTTP/[email protected]'
Dec 19 09:32:27 webproxy python3: pam_krb5[2799]: authentication succeeds for 'jason' ([email protected])
From wsgidav:
09:32:27.152 - WARNING : pam.authenticate('jason', '<redacted>', 'wsgidav') failed with code 17: Failure setting user credentials
09:32:27.152 - WARNING : Authentication (basic) failed for user 'jason', realm 'PAM(wsgidav)'.
09:32:27.152 - DEBUG : 401 Not Authorized for realm 'PAM(wsgidav)' (basic)
09:32:27.152 - INFO : 192.168.255.14 - (anonymous) - [2023-12-19 14:32:27] "GET /" connection="keep-alive", agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0", elap=0.139sec -> 401 Not Authorized
Environment:
WsgiDAV/4.3.0 Python/3.6.8(64 bit) Linux-3.10.0-1160.49.1.el7.x86_64-x86_64-with-centos-7.9.2009-Core
Python from: /bin/python3
Which WSGI server was used (cheroot, ext-wsgiutils, gevent, gunicorn, paste, uvicorn, wsgiref, ...)? cheroot
Which WebDAV client was used (MS File Explorer, MS Office, macOS Finder, WinSCP, Windows, file mapping, ...)? Firefox
Additional context
PAM configuration for service:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_krb5.so try_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] pam_krb5.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_krb5.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session optional pam_krb5.so
Code 17 is PAM_CRED_ERR.
Not sure what this means and what can go wrong here: https://github.com/mar10/wsgidav/blob/master/wsgidav/dc/pam_dc.py#L54
Maybe encoding problems with the password?
So that is the part that has me stumped... if the password was the issue I would expect the PAM on the system side to fail, but as you can see from the log snippets the actual /var/log/secure side shows that the PAM authentication worked... so I am at a loss.
On Dec 21, 2023, at 3:58 PM, Martin Wendt @.***> wrote:
Code 17 is PAM_CRED_ERR.
Not sure what this means and what can go wrong here: https://github.com/mar10/wsgidav/blob/master/wsgidav/dc/pam_dc.py#L54
Maybe encoding problems with the password?
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
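An added triage example, not part of the original thread and not WsgiDAV code: in Linux-PAM, PAM_CRED_ERR (17) is a return value of pam_setcred(3) rather than pam_authenticate(3), so a module-level success in /var/log/secure and an application-level code 17 can both be true for the same login. The script below correlates the two logs by timestamp and user and names the phase that failed; the sample lines, the realm, the "authentication fails" line format and all function names are constructed for illustration, and it assumes both logs come from the same host clock.

```python
import re

# Subset of Linux-PAM return codes, grouped by the libpam call that typically returns them.
AUTH_PHASE = {7: "PAM_AUTH_ERR", 9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES"}
CRED_PHASE = {15: "PAM_CRED_UNAVAIL", 16: "PAM_CRED_EXPIRED", 17: "PAM_CRED_ERR"}

# Constructed sample lines modelled on the report; realm and principals are placeholders.
SECURE_LOG = """\
Dec 19 09:32:27 webproxy python3: pam_krb5[2799]: authentication succeeds for 'jason' (jason@EXAMPLE.REALM)
Dec 19 09:40:02 webproxy python3: pam_krb5[2811]: authentication fails for 'alice' (alice@EXAMPLE.REALM)
"""
APP_LOG = """\
09:32:27.152 - WARNING : pam.authenticate('jason', '<redacted>', 'wsgidav') failed with code 17: Failure setting user credentials
09:40:02.310 - WARNING : pam.authenticate('alice', '<redacted>', 'wsgidav') failed with code 7: Authentication failure
"""

SECURE_RE = re.compile(r"^\w{3}\s+\d+ (\d\d:\d\d:\d\d) \S+ \S+ pam_\w+\[\d+\]: authentication (succeeds|fails) for '([^']+)'")
APP_RE = re.compile(r"^(\d\d:\d\d:\d\d)\.\d+ - WARNING : pam\.authenticate\('([^']+)', .*\) failed with code (\d+):")

def module_verdicts(secure_log):
    """Map (HH:MM:SS, user) -> True/False as logged by the PAM auth module."""
    out = {}
    for line in secure_log.splitlines():
        m = SECURE_RE.match(line)
        if m:
            out[(m.group(1), m.group(3))] = (m.group(2) == "succeeds")
    return out

def triage(secure_log, app_log):
    """Classify each application-side PAM failure by the phase that produced it."""
    verdicts = module_verdicts(secure_log)
    findings = []
    for line in app_log.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        ts, user, code = m.group(1), m.group(2), int(m.group(3))
        if code in CRED_PHASE and verdicts.get((ts, user)):
            phase = "setcred"        # password accepted; the credential step failed afterwards
        elif code in AUTH_PHASE:
            phase = "authenticate"   # the module itself rejected the login
        else:
            phase = "unknown"        # no matching module verdict or unmapped code
        name = CRED_PHASE.get(code) or AUTH_PHASE.get(code) or "code %d" % code
        findings.append((user, name, phase))
    return findings

if __name__ == "__main__":
    print(triage(SECURE_LOG, APP_LOG))
```

A "setcred" finding points at the credential-establishment step (for Kerberos modules, typically writing the user's credential cache) rather than at the password check.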