Thread: pam authentication for postgres
I am trying to authenticate Postgres using PAM. How do I do this? I tried using webmin on RH9 and telling it to use PAM for authentication, but it doesn't seem to work.

Jason Tesser
Web/Multimedia Programmer
Northland Ministries Inc.
(715)324-6900 x3050

Has no one done this? :-(

-----Original Message-----
From: pgsql-general-owner@postgresql.org [mailto:pgsql-general-owner@postgresql.org] On Behalf Of Jason Tesser
Sent: Monday, November 24, 2003 11:06 AM
To: Pgsql (E-mail)
Subject: [GENERAL] pam authentication for postgres

I am trying to authenticate Postgres using PAM. How do I do this? I tried using webmin on RH9 and telling it to use PAM for authentication, but it doesn't seem to work.

Jason Tesser
Web/Multimedia Programmer
Northland Ministries Inc.
(715)324-6900 x3050

On Tue, Nov 25, 2003 at 02:29:05PM -0600, Jason Tesser wrote:
> I am trying to authenticate Postgres using PAM. How do I do this? I
> tried using webmin on RH9 and telling it to use PAM for authentication
> but it doesn't seem to work.

Try hacking the pg_hba.conf file. The documentation and the source both seem to imply that it should work ... No idea whether webmin handles it though; I prefer to manually edit the files.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"The conclusion we can draw from these studies is that we cannot draw any conclusion from them" (Tanenbaum)

I did go back and edit the files manually. As far as I can tell it is entered correctly in the pg_hba.conf file.

-----Original Message-----
From: Alvaro Herrera [mailto:alvherre@dcc.uchile.cl]
Sent: Tuesday, November 25, 2003 3:08 PM
To: Jason Tesser
Cc: Pgsql (E-mail)
Subject: Re: [GENERAL] pam authentication for postgres

On Tue, Nov 25, 2003 at 02:29:05PM -0600, Jason Tesser wrote:
> I am trying to authenticate Postgres using PAM. How do I do this? I
> tried using webmin on RH9 and telling it to use PAM for authentication
> but it doesn't seem to work.

Try hacking the pg_hba.conf file. The documentation and the source both seem to imply that it should work ... No idea whether webmin handles it though; I prefer to manually edit the files.

--
Alvaro Herrera (<alvherre[a]dcc.uchile.cl>)
"The conclusion we can draw from these studies is that we cannot draw any conclusion from them" (Tanenbaum)

On Tuesday 25 November 2003 21:13, Jason Tesser wrote:
> I did go back and edit the files manually. As far as I can tell it is
> entered correctly in the pg_hba.conf file

Do you have a file set up on the pam side of things? Each service using pam should have a config file (in /etc/pam.d on Red Hat). What you should put in there, I can't say, but a search for pam on the Linux Documentation Project (http://tldp.org) will give you some howtos.

--
Richard Huxton
Archonet Ltd

<snip>

OK, I am still trying to get PAM working.

Here are the messages I have in the log from trying to log in:

Nov 26 08:55:16 localhost postgresql(pam_unix)[22693]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=cherring
Nov 26 08:55:16 localhost pam_winbind[22693]: user 'cherring' granted acces

As you can see, winbind is actually granting access, but for some reason postgres still denies it. Weird. Any ideas?

The steps I have done are listed below.

Sorry for the double posting, I forgot the steps at the end.

OK, I am still trying to get PAM working.

Here are the messages I have in the log from trying to log in:

Nov 26 08:55:16 localhost postgresql(pam_unix)[22693]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=cherring
Nov 26 08:55:16 localhost pam_winbind[22693]: user 'cherring' granted acces

As you can see, winbind is actually granting access, but for some reason postgres still denies it. Weird. Any ideas?

The steps I have done are listed below.

> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
>
> 0) configure postgresql for pam, for example
>
> [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
> host all all 137.75.0.0 255.255.0.0 pam
>
> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>
> [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>
> i don't know if it's the best setup, but it works! mine looks like this
>
> [root@omega tmp]# cat /etc/pam.d/postgresql
> #%PAM-1.0
> auth required /lib/security/pam_stack.so service=system-auth
> account required /lib/security/pam_stack.so service=system-auth
> password required /lib/security/pam_stack.so service=system-auth

Jason Tesser wrote:
> I did go back and edit the files manually. As far as I can tell it is entered
> correctly in the pg_hba.conf file

Follow the instructions in this article:

http://archives.postgresql.org/pgsql-advocacy/2003-05/msg00058.php

well, the quoted stuff ... anyway, I verified that it still works with REL7_4_STABLE.

Please note that you will not be able to use any "trusted" PAM authentication based on userid or the like, since the process doing the lookup is the database backend always executing under the PostgreSQL unix user.

Jan

> -----Original Message-----
> From: Alvaro Herrera [mailto:alvherre@dcc.uchile.cl]
> Sent: Tuesday, November 25, 2003 3:08 PM
> To: Jason Tesser
> Cc: Pgsql (E-mail)
> Subject: Re: [GENERAL] pam authentication for postgres
>
> On Tue, Nov 25, 2003 at 02:29:05PM -0600, Jason Tesser wrote:
>> I am trying to authenticate Postgres using PAM. How do I do this? I
>> tried using webmin on RH9 and telling it to use PAM for authentication
>> but it doesn't seem to work.
>
> Try hacking the pg_hba.conf file. The documentation and the source both
> seem to imply that it should work ... No idea whether webmin handles it
> though; I prefer to manually edit the files.

--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me.                                  #
#================================================== JanWieck@Yahoo.com #

Jason,

it seems you are unfamiliar with the basic rules of user support. If you try to filter as much as possible and only post the tiny snippets of information "you" think are important, the chances that someone else finds the point you overlooked are close to none.

Please post a comprehensive description of what you're trying to do together with the configuration files you use.

Jan

Jason Tesser wrote:
> Sorry for the double posting, I forgot the steps at the end.
>
> OK, I am still trying to get PAM working.
>
> Here are the messages I have in the log from trying to log in:
>
> Nov 26 08:55:16 localhost postgresql(pam_unix)[22693]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=cherring
> Nov 26 08:55:16 localhost pam_winbind[22693]: user 'cherring' granted acces
>
> As you can see, winbind is actually granting access, but for some reason postgres still denies it.
> Weird. Any ideas?
>
> The steps I have done are listed below.
>
>> note: i'm no sysad, nor do i even pretend to understand pam, the linux kernel,
>> or postgresql, but this setup is a safe, working, postgresql/linux/pam setup.
>>
>> 0) configure postgresql for pam, for example
>>
>> [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
>> host all all 137.75.0.0 255.255.0.0 pam
>>
>> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>>
>> [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>>
>> i don't know if it's the best setup, but it works! mine looks like this
>>
>> [root@omega tmp]# cat /etc/pam.d/postgresql
>> #%PAM-1.0
>> auth required /lib/security/pam_stack.so service=system-auth
>> account required /lib/security/pam_stack.so service=system-auth
>> password required /lib/security/pam_stack.so service=system-auth

> Please post a comprehensive description of what you're trying to do
> together with the configuration files you use.

I thought I did that, sorry. I am trying to get Postgres to authenticate through PAM so I can authenticate to Active Directory on our network. All the steps I took are posted below. If you notice the messages I pasted from my logs, you will see that winbind is authenticating OK, but for some reason Postgres still denies access.

<snip>

> Here are the messages I have in the log from trying to log in:
>
> Nov 26 08:55:16 localhost postgresql(pam_unix)[22693]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=cherring
> Nov 26 08:55:16 localhost pam_winbind[22693]: user 'cherring' granted acces
>
> As you can see, winbind is actually granting access, but for some reason postgres still denies it.
> Weird. Any ideas?

<snip> postgresql/linux/pam setup.

>> 0) configure postgresql for pam, for example
>>
>> [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
>> host all all 137.75.0.0 255.255.0.0 pam
>>
>> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>>
>> [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>>
>> i don't know if it's the best setup, but it works! mine looks like this
>>
>> [root@omega tmp]# cat /etc/pam.d/postgresql
>> #%PAM-1.0
>> auth required /lib/security/pam_stack.so service=system-auth
>> account required /lib/security/pam_stack.so service=system-auth
>> password required /lib/security/pam_stack.so service=system-auth

Jason Tesser wrote:
>> Please post a comprehensive description of what you're trying to do
>> together with the configuration files you use.
>
> I thought I did that, sorry. I am trying to get Postgres to authenticate through PAM so I can authenticate to Active
> Directory on our network. All the steps I took are posted below. If you notice the messages I pasted from my logs,
> you will see that winbind is authenticating OK, but for some reason Postgres still denies access.

How do you manage to get any pam_winbind messages into that if pam_stack is the only referenced module in your configuration? The stuff you quoted below is cut and pasted from the mail I sent to you. I suspect your actual config files look different.

I suggest you follow the below description "to the point" until you have pam authentication using the "local unix" passwords (including the group membership for the postgresql user to read /etc/shadow). That is what worked for me on first try just by following that example. From that point on you know that postgres is using pam and you can muck about with the Active Directory link, because from there everything happens in the /etc/pam.d/postgresql file only.

Jan

> <snip>
>>
>> Here are the messages I have in the log from trying to log in:
>>
>> Nov 26 08:55:16 localhost postgresql(pam_unix)[22693]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=cherring
>> Nov 26 08:55:16 localhost pam_winbind[22693]: user 'cherring' granted acces
>>
>> As you can see, winbind is actually granting access, but for some reason postgres still denies it.
>> Weird. Any ideas?
>>
> <snip> postgresql/linux/pam setup.
>>>
>>> 0) configure postgresql for pam, for example
>>>
>>> [root@omega tmp]# grep pam /usr/local/pgsql/data/pg_hba.conf
>>> host all all 137.75.0.0 255.255.0.0 pam
>>>
>>> 1) create a /etc/pam.d/postgresql entry, here's how i did mine
>>>
>>> [root@omega tmp]# cp /etc/pam.d/passwd /etc/pam.d/postgresql
>>>
>>> i don't know if it's the best setup, but it works! mine looks like this
>>>
>>> [root@omega tmp]# cat /etc/pam.d/postgresql
>>> #%PAM-1.0
>>> auth required /lib/security/pam_stack.so service=system-auth
>>> account required /lib/security/pam_stack.so service=system-auth
>>> password required /lib/security/pam_stack.so service=system-auth

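
Added example (not part of the thread and not PostgreSQL or PAM project code): a Python parser that groups PAM syslog lines like the two quoted above by backend PID and reports which module passed or failed in each login attempt. The sample input is the pair of log lines from the thread; the function names and hint texts are this example's own assumptions, derived from the advice in the replies.

```python
import re
from collections import defaultdict

# Sample input: the two syslog lines quoted in the thread.
SAMPLE_LOG = """\
Nov 26 08:55:16 localhost postgresql(pam_unix)[22693]: authentication failure; logname= uid=26 euid=26 tty= ruser= rhost= user=cherring
Nov 26 08:55:16 localhost pam_winbind[22693]: user 'cherring' granted acces
"""

# Matches "service(pam_module)[pid]: msg" and "pam_module[pid]: msg".
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s"
    r"(?:(?P<service>[\w-]+)\((?P<mod_a>pam_\w+)\)|(?P<mod_b>pam_\w+))"
    r"\[(?P<pid>\d+)\]:\s(?P<msg>.*)$"
)

def parse_attempts(log_text):
    """Group PAM messages by PID: one backend process is one login attempt."""
    attempts = defaultdict(lambda: {"modules": {}, "uid": None, "user": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a PAM line in one of the two known shapes
        module = m.group("mod_a") or m.group("mod_b")
        msg = m.group("msg")
        rec = attempts[int(m.group("pid"))]
        if "authentication failure" in msg:
            rec["modules"][module] = "fail"
        elif "granted" in msg:
            rec["modules"][module] = "ok"
        uid = re.search(r"\buid=(\d+)", msg)  # \b skips euid=
        if uid:
            rec["uid"] = int(uid.group(1))
        user = re.search(r"user[= ]'?([\w.\\-]+)'?", msg)
        if user:
            rec["user"] = user.group(1)
    return dict(attempts)

def diagnose(rec):
    """Return things to check for one attempt; heuristics, not a verdict."""
    hints = []
    if set(rec["modules"].values()) == {"ok", "fail"}:
        hints.append("modules disagree: control flags in /etc/pam.d/postgresql decide the result")
    if rec["modules"].get("pam_unix") == "fail" and rec["uid"] not in (None, 0):
        hints.append("pam_unix ran as non-root uid %d: check read access to /etc/shadow" % rec["uid"])
    return hints
```

Run `diagnose(parse_attempts(text)[pid])` over a syslog extract after each change to /etc/pam.d/postgresql to see which module's result changed.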