8 Replies Latest reply on Nov 24, 2007 7:43 AM by sohosys

    How to set up PAM with Kerberos on Linux?

    straffin Novice

      All,

       

      I've just set up VMware Server 1.0.2 on a box running CentOS-64 4.4 (RHEL4 clone). I've configured Kerberos on the Host OS to allow local users to authenticate via their Kerberos password (i.e. "adduser johndoe" creates the user on the server but their password comes from the Kerberos server), but these users cannot log into the VMware Server Console. Full server-based users ("root" and a "vmware" user I created) can log in, but not the Kerb-Authenticated users.

       

      I'm assuming my solution lies somewhere in the /etc/vmware/pam.d/vmware-authd file, but I haven't found mention of this anywhere in the documentation aside from the "VMware Server for Linux uses Pluggable Authentication Modules" blurb in the Server Admin guide.

       

      Help?

       

      - John

        • 1. Re: How to set up PAM with Kerberos on Linux?
          straffin Novice

          More info... it's likely a misplaced file issue... here are the pertinent log entries:

           

          Mar 26 11:41:58 tweedledee vmware-authd[8031]: PAM unable to dlopen(/usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so)
          Mar 26 11:41:58 tweedledee vmware-authd[8031]: PAM [error: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so: cannot open shared object file: No such file or directory]
          Mar 26 11:41:58 tweedledee vmware-authd[8031]: PAM adding faulty module: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so
          Mar 26 11:41:58 tweedledee vmware-authd[8031]: PAM unable to dlopen(/lib/security/$ISA/pam_deny.so)
          Mar 26 11:41:58 tweedledee vmware-authd[8031]: PAM [error: /lib/security/../../lib/security/pam_deny.so: cannot open shared object file: No such file or directory]
          Mar 26 11:41:58 tweedledee vmware-authd[8031]: PAM adding faulty module: /lib/security/$ISA/pam_deny.so

           

           

          (These repeat every 00:01:30)

          • 2. Re: How to set up PAM with Kerberos on Linux?
            straffin Novice

            Well, trying more stuff, I've installed the pam.i386 files, and the logs have changed, but no change in the results (no login for kerb'ed users).

             

            Mar 26 12:24:38 tweedledee xinetd[3471]: START: vmware-authd pid=4453 from=xxx.xxx.xxx.xxx
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM unable to dlopen(/usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so)
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM [dlerror: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so: cannot open shared object file: No such file or directory]
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM adding faulty module: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM unable to dlopen(/usr/lib/vmware/lib/libpam.so.0/security/pam_unix_auth.so)
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM [dlerror: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_auth.so: symbol pam_syslog, version LIBPAM_EXTENSION_1.0 not defined in file libpam.so.0 with link time reference]
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM adding faulty module: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_auth.so
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM unable to dlopen(/usr/lib/vmware/lib/libpam.so.0/security/pam_unix_acct.so)
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM [dlerror: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_acct.so: symbol pam_syslog, version LIBPAM_EXTENSION_1.0 not defined in file libpam.so.0 with link time reference]
            Mar 26 12:24:39 tweedledee vmware-authd[4453]: PAM adding faulty module: /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_acct.so

            • 3. Re: How to set up PAM with Kerberos on Linux?
              straffin Novice

              Well nuts...

               

              Reading other threads and thinking I was onto something, I installed pam_krb5.i386 (and deps) and now I can't log in at all. Great.

               

              Is anyone reading this besides me? 

               

              - John

              • 4. Re: How to set up PAM with Kerberos on Linux?
                straffin Novice

                Okay... so I removed pam.i386 and pam_krb5.i386 (and deps) and I can log in again. Any help on the Kerberos issue?

                • 5. Re: How to set up PAM with Kerberos on Linux?
                  seschaef Novice

                  Hi!

                   

                  Did you add an "auth required" for the Kerberos module to your /etc/pam.d/vmware-authd?

                   

                  Regards

                  Sebastian

                  1 person found this helpful
                  • 6. Re: How to set up PAM with Kerberos on Linux?
                    straffin Novice

                    Sebastian,

                     

                    Thanks for looking! 

                     

                    I had actually modified the /etc/vmware/pam.d/vmware-authd file to look like this:

                     

                    #%PAM-1.0
                    #auth       sufficient       %pamdir%/pam_unix2.so shadow nullok
                    auth    sufficient      /lib/security/pam_krb5.so
                    auth    sufficient      /lib64/security/pam_krb5.so
                    auth       required         %pamdir%/pam_unix_auth.so shadow nullok
                    #account    sufficient       %pamdir%/pam_unix2.so
                    account    required         %pamdir%/pam_unix_acct.so

                     

                     

                    I'll try changing the *other* vmware-authd file.

                     

                    (Why on earth are there two?)

                     

                    - John

                    • 7. Re: How to set up PAM with Kerberos on Linux?
                      straffin Novice

                      Changed the other vmware-authd file to look the same (commented out the pam_unix2 lines, added the pam_krb5 lines) with no change. Is "sufficient" sufficient, or is "required" required? 

                      • 8. Re: How to set up PAM with Kerberos on Linux?
                        sohosys Lurker

                         

                        Well, here is a very late reply to an issue I am sure you already solved, but for the benefit of the next guy:

                         

                         

                        I had the same issue after configuring the Linux server to authenticate users via Kerberos. The /etc/pam.d/vmware-auth file had to be modified to use the PAM module as follows:

                         

                         

                         

                        #%PAM-1.0
                        #auth       sufficient       /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so shadow nullok
                        #auth       required         /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_auth.so shadow nullok
                        #account    sufficient       /usr/lib/vmware/lib/libpam.so.0/security/pam_unix2.so
                        #account    required         /usr/lib/vmware/lib/libpam.so.0/security/pam_unix_acct.so

                        auth       sufficient       pam_stack.so service=system-auth
                        auth       required         pam_stack.so service=system-auth
                        account    sufficient       pam_stack.so service=system-auth
                        account    required         pam_stack.so service=system-auth
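
An added example, not part of any post above and not VMware's code: a simplified Python model of Linux-PAM's keyword control flags, applied to the file from reply 6, for the "sufficient" versus "required" question in reply 7. It assumes the daemon runs both the auth and account stacks and treats a module that failed dlopen() ("adding faulty module" in the logs) as one that always fails; the outcome dictionaries passed in are constructed by the caller.

```python
# Simplified model of Linux-PAM control flags (added example, not VMware code).
# Only the keyword flags are modelled; a module that failed dlopen() ("faulty
# module" in the log) is treated as a module that always fails.

POST6_CONF = """\
#%PAM-1.0
#auth       sufficient       %pamdir%/pam_unix2.so shadow nullok
auth    sufficient      /lib/security/pam_krb5.so
auth    sufficient      /lib64/security/pam_krb5.so
auth       required         %pamdir%/pam_unix_auth.so shadow nullok
#account    sufficient       %pamdir%/pam_unix2.so
account    required         %pamdir%/pam_unix_acct.so
"""

def parse(conf):
    """Return (type, control, module_path) for each active (uncommented) line."""
    rules = []
    for line in conf.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            rules.append(tuple(line.split()[:3]))
    return rules

def run_stack(rules, mgmt_type, outcome):
    """outcome maps module path -> True (success) / False (failure or faulty)."""
    required_failed, any_success = False, False
    for rtype, control, module in rules:
        if rtype != mgmt_type:
            continue
        ok = outcome.get(module, False)   # unknown/unloadable counts as failure
        if control == "requisite" and not ok:
            return False                  # fail the stack immediately
        if control == "required" and not ok:
            required_failed = True        # remembered; later modules still run
        if control == "sufficient" and ok and not required_failed:
            return True                   # stop here with success
        if control in ("required", "requisite") and ok:
            any_success = True
        # a failed "sufficient" module is simply ignored
    return any_success and not required_failed

def login_allowed(conf, outcome):
    """A login needs both the auth stack and the account stack to pass."""
    rules = parse(conf)
    return run_stack(rules, "auth", outcome) and run_stack(rules, "account", outcome)
```

In this model a "sufficient" pam_krb5.so line only helps if the module actually loads, and a "required" module that is faulty in the account stack denies the login even after Kerberos authentication has succeeded.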