Re: Pam NIS authentication

From: Andrey Glazunov
Subject: Re: Pam NIS authentication
Msg-id: 4850ec5b-96d9-42a6-8064-9c35b5b315ec@aag.sh
In reply to: Re: Pam NIS authentication (Samed YILDIRIM <samed@reddoc.net>)
Responses: Re: Pam NIS authentication (Samed YILDIRIM <samed@reddoc.net>)
List: pgsql-admin
Hi Samed,

I just tried dropping the account mechanism to pam_permit as you suggested and unfortunately it did not help.

There is an ACL on the shadow file so it is readable by the postgres user.
And an empty or wrong password is an auth failure as expected.

/etc/nsswitch.conf was generated by authselect:
aliases:    files nis
automount:  files nis
ethers:     files nis
group:      files nis systemd
hosts:      files nis dns myhostname
initgroups: files nis
netgroup:   files nis
networks:   files nis
passwd:     files nis systemd
protocols:  files nis
publickey:  files nis
rpc:        files nis
services:   files nis
shadow:     files nis
gshadow:    files

Looks okay to me. I can lookup, login or switch NIS users without issue, so I assume the setup is correct.
One thing that comes to mind is that our NIS uids are somewhat big, starting around 50k. Could this be an issue?

thanks,

wbr,
   Andrey

On 31/01/2024 19:46, Samed YILDIRIM wrote:
> Hi Andrey,
>
> I haven't used Postgres with pam authentication for a long time. I cannot spot anything right away. However, your "All of this works fine for 'local' Linux accounts." sentence makes me confused. According to what I understand from the documentation and your explanation, it is not supposed to work.
>
>
>       Note
>
> If PAM is set up to read /etc/shadow, authentication will fail because the PostgreSQL server is started by a non-root user. However, this is not an issue when PAM is configured to use LDAP or other authentication methods.
>
> https://www.postgresql.org/docs/15/auth-pam.html
>
> Have you tried to run pamtester as the postgres user? Also testing with an empty password and with a wrong password may be helpful.
>
> Also, what does the /etc/nsswitch.conf file look like? There can be a configuration issue in that file. The following log line looks interesting. My first impression is that it could not find the user. Do you use the same users to log in to the Linux server itself?
> <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
>
> My gut says the passwd line is not configured correctly in the nsswitch.conf file. And you may end up changing the account line in the /etc/pam.d/postgresql file to the line below.
> account required pam_permit.so
>
> Best regards.
> Samed YILDIRIM
>
>
> On Wed, 31 Jan 2024 at 19:08, Andrey Glazunov <aag@aag.sh> wrote:
>
>     Hi,
>
>     I'm trying to configure Postgres to authenticate NIS users through pam.
>
>     Here is my setup:
>
>     Server version:
>     PostgreSQL 15.2 on x86_64-redhat-linux-gnu, compiled by gcc (GCC) 8.5.0 20210514 (Red Hat 8.5.0-18), 64-bit
>
>     Relevant pg_hba lines:
>     host    all             psql            all                     md5
>     host    all             all             all                     pam
>
>     PAM:
>     /etc/pam.d/postgresql
>     #%PAM-1.0
>     auth            include         password-auth
>     account         include         password-auth
>
>     /etc/pam.d/password-auth
>     # Generated by authselect on Wed Jan 31 12:48:13 2024
>     # Do not modify this file manually.
>
>     auth        required                                     pam_env.so
>     auth        required                                     pam_faildelay.so delay=2000000
>     auth        sufficient                                   pam_unix.so nullok
>     auth        required                                     pam_deny.so
>
>     account     required                                     pam_unix.so broken_shadow
>
>     password    requisite                                    pam_pwquality.so local_users_only
>     password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok nis
>     password    required                                     pam_deny.so
>
>     session     optional                                     pam_keyinit.so revoke
>     session     required                                     pam_limits.so
>     -session    optional                                     pam_systemd.so
>     session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
>     session     required                                     pam_unix.so
>
>     Pam service seems to be okay, i.e. if I provide the correct pass, it lets me through with both local and NIS accounts:
>     % pamtester -v postgresql <localuser> authenticate
>     pamtester: invoking pam_start(postgresql, <localuser>, ...)
>     pamtester: performing operation - authenticate
>     Password:
>     pamtester: successfully authenticated
>
>     % pamtester -v postgresql <nisuser> authenticate
>     pamtester: invoking pam_start(postgresql, <nisuser>, ...)
>     pamtester: performing operation - authenticate
>     Password:
>     pamtester: successfully authenticated
>
>
>     Users exist in Postgres with login permission, required NIS daemons are up and running, tools like ypwhich or ypcat are working fine.
>     But when I try to connect to Postgres server using NIS account, authentication fails:
>     psql: error: connection to server at "<hostname>" (10.65.31.25), port 5432 failed: FATAL:  PAM authentication failed for user "<nisuser>"
>
>     Server logs:
>     [52] DEBUG:  forked new backend, pid=564 socket=10
>     [564] DEBUG:  InitPostgres
>     [564] DEBUG:  my backend ID is 3
>     [564] DEBUG:  StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
>     [564] DEBUG:  shmem_exit(0): 4 before_shmem_exit callbacks to make
>     [564] DEBUG:  shmem_exit(0): 6 on_shmem_exit callbacks to make
>     [564] DEBUG:  proc_exit(0): 2 callbacks to make
>     [564] DEBUG:  exit(0)
>     [564] DEBUG:  shmem_exit(-1): 0 before_shmem_exit callbacks to make
>     [564] DEBUG:  shmem_exit(-1): 0 on_shmem_exit callbacks to make
>     [564] DEBUG:  proc_exit(-1): 0 callbacks to make
>     [52] DEBUG:  reaping dead processes
>     [52] DEBUG:  server process (PID 564) exited with exit code 0
>     [52] DEBUG:  forked new backend, pid=566 socket=10
>     [566] DEBUG:  InitPostgres
>     [566] DEBUG:  my backend ID is 3
>     [566] DEBUG:  StartTransaction(1) name: unnamed; blockState: DEFAULT; state: INPROGRESS, xid/subid/cid: 0/1/0
>     [566] DEBUG:  received password packet
>     [566] LOG:  pam_authenticate failed: Authentication failure
>     [566] FATAL:  PAM authentication failed for user "<nisuser>"
>     [566] DETAIL:  Connection matched pg_hba.conf line 105: "host    all             all             all                     pam"
>     [566] DEBUG:  shmem_exit(1): 4 before_shmem_exit callbacks to make
>     [566] DEBUG:  shmem_exit(1): 6 on_shmem_exit callbacks to make
>     [566] DEBUG:  proc_exit(1): 2 callbacks to make
>     [566] DEBUG:  exit(1)
>     [566] DEBUG:  shmem_exit(-1): 0 before_shmem_exit callbacks to make
>     [566] DEBUG:  shmem_exit(-1): 0 on_shmem_exit callbacks to make
>     [566] DEBUG:  proc_exit(-1): 0 callbacks to make
>     [52] DEBUG:  reaping dead processes
>     [52] DEBUG:  server process (PID 566) exited with exit code 1
>
>     Secure log:
>     <nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
>     <nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): conversation failed
>     <nisuser>[564]: psql 10.65.31.25(39990) authentication: pam_unix(postgresql:auth): auth could not identify password for [<nisuser>]
>     <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): username [<nisuser>] obtained
>     <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): check pass; user unknown
>     <nisuser>[566]: psql 10.65.31.25(40004) authentication: pam_unix(postgresql:auth): authentication failure; logname=uid=26 euid=26 tty= ruser= rhost=10.65.31.25
>
>     All of this works fine for 'local' Linux accounts.
>
>     Am I missing something?
>
>     thanks,
>
>     --
>     wbr,
>         Andrey
>
>
>
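A diagnostic script for the situation described in this thread, added here and not part of either post: it reads the configured NSS sources for passwd and shadow and repeats the user lookups and the pamtester run as the service account instead of as root, which is the difference the quoted documentation note points at. It assumes the server runs as the postgres account and that getent, su and pamtester are available; the user name and service account are command-line arguments.

```shell
#!/bin/sh
# Added diagnostic for the thread above; not code from the original posts.
# Assumed (not stated in the thread): the server runs as the "postgres"
# account, getent/su/pamtester are installed, run this script as root.
# Usage: sh pam_nis_check.sh <nisuser> [service-account]

# Print the source list configured for one NSS database, e.g. "files nis"
# for the shadow line. Comment lines are skipped; the first match wins.
nss_sources() {   # $1 = nsswitch.conf path, $2 = database name
    awk -v db="$2" '
        /^[[:space:]]*#/ { next }
        $1 == (db ":") { $1 = ""; sub(/^[[:space:]]+/, ""); print; exit }
    ' "$1"
}

# Return 0 if "getent <db> <user>" succeeds when run as account $1.
# pam_unix resolves the account from the calling process, so a lookup that
# works for root but not for the service user is the gap to look for when
# pamtester from a root shell succeeds and the server logs "user unknown".
lookup_as() {     # $1 = run-as account, $2 = database, $3 = user to resolve
    su -s /bin/sh "$1" -c "getent '$2' '$3' >/dev/null 2>&1"
}

# Print one check result in a fixed format.
report() {        # $1 = label, $2 = exit status
    if [ "$2" -eq 0 ]; then echo "[ ok ] $1"; else echo "[FAIL] $1"; fi
}

run_checks() {    # $1 = NIS user to test, $2 = service account
    nisuser=$1; svc=$2
    echo "nsswitch passwd: $(nss_sources /etc/nsswitch.conf passwd)"
    echo "nsswitch shadow: $(nss_sources /etc/nsswitch.conf shadow)"
    lookup_as root   passwd "$nisuser"; report "passwd lookup as root" $?
    lookup_as "$svc" passwd "$nisuser"; report "passwd lookup as $svc" $?
    lookup_as root   shadow "$nisuser"; report "shadow lookup as root" $?
    lookup_as "$svc" shadow "$nisuser"; report "shadow lookup as $svc" $?
    # The quoted documentation note says the server is not root, so
    # exercise the PAM stack as the service account, not from a root shell.
    if command -v pamtester >/dev/null 2>&1; then
        su -s /bin/sh "$svc" -c "pamtester -v postgresql '$nisuser' authenticate"
        report "pamtester as $svc" $?
    fi
}

# Live checks run only when a user name is given; the functions can be tested alone.
if [ "$#" -ge 1 ]; then
    run_checks "$1" "${2:-postgres}"
fi
```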



