mar10 / wsgidav

A generic and extendable WebDAV server based on WSGI
https://wsgidav.readthedocs.io
MIT License

PAM Authentication Failure #309

Closed jjschwarz closed 6 months ago

jjschwarz commented 10 months ago

Describe the bug
Attempting to use PAM to have the user authenticate with Kerberos. The pamtester command shows everything working; however, when using the software I see a good authentication in the secure log file but a failure in the software for the same authentication.

To Reproduce
Steps to reproduce the behavior:

  1. Install software with pam module
  2. Setup Kerberos authentication for pam
  3. Attempt to login

Expected behavior
Expect a valid PAM login to function.

Screenshots, Log-Files, Stacktrace
From /var/log/secure:

Dec 19 09:32:27 webproxy python3: pam_krb5[2799]: TGT verified using key for 'HTTP/webproxy.devtest.bugs.net@INSECT.COM'
Dec 19 09:32:27 webproxy python3: pam_krb5[2799]: authentication succeeds for 'jason' (jason@INSECT.COM)

From wsgidav:

09:32:27.152 - WARNING : pam.authenticate('jason', '<redacted>', 'wsgidav') failed with code 17: Failure setting user credentials
09:32:27.152 - WARNING : Authentication (basic) failed for user 'jason', realm 'PAM(wsgidav)'.
09:32:27.152 - DEBUG   : 401 Not Authorized for realm 'PAM(wsgidav)' (basic)
09:32:27.152 - INFO    : 192.168.255.14 - (anonymous) - [2023-12-19 14:32:27] "GET /" connection="keep-alive", agent="Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:120.0) Gecko/20100101 Firefox/120.0", elap=0.139sec -> 401 Not Authorized

Environment:

WsgiDAV/4.3.0 Python/3.6.8(64 bit) Linux-3.10.0-1160.49.1.el7.x86_64-x86_64-with-centos-7.9.2009-Core
Python from: /bin/python3

Which WSGI server was used (cheroot, ext-wsgiutils, gevent, gunicorn, paste, uvicorn, wsgiref, ...)? cheroot

Which WebDAV client was used (MS File Explorer, MS Office, macOS Finder, WinSCP, Windows, file mapping, ...)? Firefox

Additional context

PAM configuration for service:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        sufficient    pam_krb5.so try_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     optional      pam_krb5.so

mar10 commented 10 months ago

Code 17 is PAM_CRED_ERR.

Not sure what this means and what can go wrong here: https://github.com/mar10/wsgidav/blob/master/wsgidav/dc/pam_dc.py#L54

Maybe encoding problems with the password?

jjschwarz commented 10 months ago

So that is the part that has me stumped... if the password was the issue, I would expect the PAM on the system side to fail, but as you can see from the log snippets, the actual /var/log/secure side shows that the PAM authentication worked... so I am at a loss.

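
For anyone landing on this thread later, an added diagnostic (example code written for this page, not wsgidav's or python-pam's own): in Linux-PAM, 17 is PAM_CRED_ERR, "Failure setting user credentials", and it is a pam_setcred() result, not a pam_authenticate() one. python-pam's pam.authenticate() runs pam_authenticate, then pam_acct_mgmt, then pam_setcred, and reports the first failure, so a successful pam_krb5 line in /var/log/secure and a code 17 from wsgidav for the same request are consistent: the auth step passed and the credential step failed. The script below runs those stages one at a time through ctypes so the failing stage is named, and also decodes wsgidav's warning line. It assumes Linux-PAM (libpam.so.0) on the host and the service name wsgidav; the stage order is my reading of python-pam, and the file name pam_stages.py in the usage comment is only a suggestion.

```python
"""Stage-by-stage PAM check (added example; not wsgidav's or python-pam's code).
python-pam's pam.authenticate() folds pam_authenticate, pam_acct_mgmt and pam_setcred
into one return code; this runs the same stages via ctypes and names the one that fails."""
import ctypes
import re

# Linux-PAM return codes (security/_pam_types.h) that these stages can return.
PAM_CODES = {
    0: "PAM_SUCCESS", 1: "PAM_OPEN_ERR", 3: "PAM_SERVICE_ERR", 4: "PAM_SYSTEM_ERR",
    6: "PAM_PERM_DENIED", 7: "PAM_AUTH_ERR", 8: "PAM_CRED_INSUFFICIENT",
    9: "PAM_AUTHINFO_UNAVAIL", 10: "PAM_USER_UNKNOWN", 11: "PAM_MAXTRIES",
    12: "PAM_NEW_AUTHTOK_REQD", 13: "PAM_ACCT_EXPIRED", 15: "PAM_CRED_UNAVAIL",
    16: "PAM_CRED_EXPIRED", 17: "PAM_CRED_ERR", 19: "PAM_CONV_ERR",
}
# The API call that produces each code; PAM_CRED_* codes come from pam_setcred, never
# from pam_authenticate, which is why pam_krb5 can log success while the call fails.
STAGE_BY_CODE = {
    "PAM_AUTH_ERR": "authenticate", "PAM_CRED_INSUFFICIENT": "authenticate",
    "PAM_AUTHINFO_UNAVAIL": "authenticate", "PAM_MAXTRIES": "authenticate",
    "PAM_NEW_AUTHTOK_REQD": "acct_mgmt", "PAM_ACCT_EXPIRED": "acct_mgmt",
    "PAM_CRED_UNAVAIL": "setcred", "PAM_CRED_EXPIRED": "setcred", "PAM_CRED_ERR": "setcred",
}
PAM_PROMPT_ECHO_OFF = 1      # msg_style of a password prompt
PAM_ESTABLISH_CRED = 0x0002
PAM_DELETE_CRED = 0x0004
# The warning line from the report above, used as sample input.
REPORTED_WARNING = ("09:32:27.152 - WARNING : pam.authenticate('jason', '<redacted>', 'wsgidav')"
                    " failed with code 17: Failure setting user credentials")
_WARNING_RE = re.compile(r"pam\.authenticate\(.*?\) failed with code (?P<code>\d+)")


def explain_wsgidav_pam_warning(line):
    """Decode a wsgidav 'pam.authenticate(...) failed with code N' line into the Linux-PAM
    symbol and the stage that can return it; None if the line is not such a warning."""
    m = _WARNING_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    name = PAM_CODES.get(code, "UNKNOWN")
    return {"code": code, "name": name, "stage": STAGE_BY_CODE.get(name, "any")}


class PamMessage(ctypes.Structure):
    _fields_ = [("msg_style", ctypes.c_int), ("msg", ctypes.c_char_p)]

class PamResponse(ctypes.Structure):
    # resp is POINTER(c_char), not c_char_p: PAM free()s it, so it must be libc memory.
    _fields_ = [("resp", ctypes.POINTER(ctypes.c_char)), ("resp_retcode", ctypes.c_int)]

CONV_FUNC = ctypes.CFUNCTYPE(ctypes.c_int, ctypes.c_int, ctypes.POINTER(ctypes.POINTER(PamMessage)),
                             ctypes.POINTER(ctypes.POINTER(PamResponse)), ctypes.c_void_p)

class PamConv(ctypes.Structure):
    _fields_ = [("conv", CONV_FUNC), ("appdata_ptr", ctypes.c_void_p)]


def _load_libs():
    libpam = ctypes.CDLL("libpam.so.0")   # assumption: Linux-PAM on a Linux host
    libc = ctypes.CDLL(None)
    libpam.pam_start.argtypes = [ctypes.c_char_p, ctypes.c_char_p,
                                 ctypes.POINTER(PamConv), ctypes.POINTER(ctypes.c_void_p)]
    for fn in (libpam.pam_authenticate, libpam.pam_acct_mgmt, libpam.pam_setcred, libpam.pam_end):
        fn.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libpam.pam_strerror.restype = ctypes.c_char_p
    libpam.pam_strerror.argtypes = [ctypes.c_void_p, ctypes.c_int]
    libc.calloc.restype = ctypes.c_void_p
    libc.calloc.argtypes = [ctypes.c_size_t, ctypes.c_size_t]
    libc.strdup.restype = ctypes.POINTER(ctypes.c_char)
    libc.strdup.argtypes = [ctypes.c_char_p]
    return libpam, libc


def _password_conv(libc, password):
    """PAM conversation callback that answers every echo-off prompt with the password."""
    pw = password.encode("utf-8")

    def conv(n_msg, messages, p_response, _appdata):
        # PAM frees the array and each resp with free(), so both come from libc.
        responses = ctypes.cast(libc.calloc(n_msg, ctypes.sizeof(PamResponse)),
                                ctypes.POINTER(PamResponse))
        for i in range(n_msg):
            if messages[i].contents.msg_style == PAM_PROMPT_ECHO_OFF:
                responses[i].resp = libc.strdup(pw)
        p_response[0] = responses
        return 0  # PAM_SUCCESS
    return CONV_FUNC(conv)


def pam_diagnose(user, password, service="wsgidav"):
    """Run authenticate -> acct_mgmt -> setcred(ESTABLISH) -> setcred(DELETE), the order
    python-pam uses with resetcreds=True; return (stage, code, symbol), stage "ok" on success."""
    libpam, libc = _load_libs()
    callback = _password_conv(libc, password)   # keep a reference while PAM may call it
    conv = PamConv(callback, None)
    handle = ctypes.c_void_p()
    rc = libpam.pam_start(service.encode(), user.encode(), ctypes.byref(conv), ctypes.byref(handle))
    if rc != 0:
        return ("start", rc, PAM_CODES.get(rc, "UNKNOWN"))
    try:
        for stage, call, flag in (("authenticate", libpam.pam_authenticate, 0),
                                  ("acct_mgmt", libpam.pam_acct_mgmt, 0),
                                  ("setcred_establish", libpam.pam_setcred, PAM_ESTABLISH_CRED),
                                  ("setcred_delete", libpam.pam_setcred, PAM_DELETE_CRED)):
            rc = call(handle, flag)
            if rc != 0:
                return (stage, rc, PAM_CODES.get(rc) or libpam.pam_strerror(handle, rc).decode())
        return ("ok", 0, "PAM_SUCCESS")
    finally:
        libpam.pam_end(handle, rc)


if __name__ == "__main__":
    import getpass, sys   # usage: python3 pam_stages.py USER [SERVICE]
    print(pam_diagnose(sys.argv[1], getpass.getpass(), *sys.argv[2:3]))
```

Run it as the same uid the cheroot/wsgidav process runs under, not as root the way pamtester is typically run: pam_krb5 creates and hands over the user's credential cache in its setcred step, and that is exactly the kind of work that succeeds for root and fails for a service account, which would fit a clean auth line in /var/log/secure followed by code 17 from wsgidav.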
github-actions[bot] commented 7 months ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.