Package: libpam-modules
Version: 1.1.1-6.1
Severity: normal

--- Please enter the report below this line. ---

Using Debian squeeze.
pwauth + libapache2-mod-authnz-external was configured to utilize PAM authentication in the webserver.
When pwauth tries to access PAM, it only checks local users with the basic configuration.

-rwxr-sr-x 1 root shadow 6696 May 8 2009 /usr/sbin/pwauth

When pwauth is set as u+s or run by root, it checks NIS.

-rwsr-sr-x 1 root shadow 6696 May 8 2009 /usr/sbin/pwauth

nis, libpam-modules, and pwauth seem to be related to this problem.
However, pwauth successfully called pam_unix.so and unix_chkpwd.
So, I suspect that unix_chkpwd may not check NIS when the caller is not root even though the group of the caller is shadow.

Here is a part of /var/log/auth.log when it failed (pwauth is called by www-data)
(zzz is the hostname, and xxx is the username)
-----------------------------------------------------------------------------------------------
Jan 4 14:43:32 zzz pwauth: pam_succeed_if(pwauth:auth): requirement "user = www-data" was met by user "www-data"
Jan 4 14:43:32 zzz unix_chkpwd[12377]: check pass; user unknown
Jan 4 14:43:32 zzz unix_chkpwd[12377]: password check failed for user (xxx)
Jan 4 14:43:32 zzz pwauth: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=xxx
------------------------------------------------------------------------------------------------

Sam.

--- System information. ---
Architecture: amd64
Kernel: Linux 2.6.32-5-amd64

Debian Release: squeeze/sid
500 testing security.debian.org
500 testing debian.osuosl.org
500 stable dl.google.com

--- Package information. ---
Package's Depends field is empty.

Package's Recommends field is empty.

Package's Suggests field is empty.
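Added example, not part of the original report and not code from PAM or pwauth: a triage script for the auth.log pattern quoted above. It pairs each pam_unix failure with the unix_chkpwd lines logged before it, separating failures where the helper reported "user unknown" from ordinary password rejections. The sample log is constructed from the report's lines plus one invented failure for a user yyy; the function name and the cause labels are assumptions.

```python
import re

# Constructed sample: the report's four lines plus one invented bad-password case (yyy).
SAMPLE_LOG = """\
Jan 4 14:43:32 zzz pwauth: pam_succeed_if(pwauth:auth): requirement "user = www-data" was met by user "www-data"
Jan 4 14:43:32 zzz unix_chkpwd[12377]: check pass; user unknown
Jan 4 14:43:32 zzz unix_chkpwd[12377]: password check failed for user (xxx)
Jan 4 14:43:32 zzz pwauth: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=xxx
Jan 4 14:50:01 zzz unix_chkpwd[12401]: password check failed for user (yyy)
Jan 4 14:50:01 zzz pwauth: pam_unix(pwauth:auth): authentication failure; logname= uid=33 euid=33 tty= ruser= rhost= user=yyy
"""

UNKNOWN = re.compile(r"unix_chkpwd\[(\d+)\]: check pass; user unknown")
FAILED = re.compile(r"unix_chkpwd\[(\d+)\]: password check failed for user \((\S+)\)")
PAM_FAIL = re.compile(
    r"pam_unix\((\S+?):auth\): authentication failure;"
    r".*?\buid=(\d+) euid=(\d+).*?\buser=(\S+)")

def classify_failures(log_text):
    """Return one record per pam_unix failure, with the likely cause (hypothetical labels)."""
    unknown_pids = set()   # helper PIDs that logged "user unknown"
    lookup_failed = set()  # users whose helper run could not resolve the account
    results = []
    for line in log_text.splitlines():
        m = UNKNOWN.search(line)
        if m:
            unknown_pids.add(m.group(1))
            continue
        m = FAILED.search(line)
        if m:
            if m.group(1) in unknown_pids:
                lookup_failed.add(m.group(2))
            continue
        m = PAM_FAIL.search(line)
        if not m:
            continue
        service, user = m.group(1), m.group(4)
        uid, euid = int(m.group(2)), int(m.group(3))
        # "user unknown" from the helper means the account lookup failed, not the password.
        cause = "account-lookup-failed" if user in lookup_failed else "password-rejected"
        lookup_failed.discard(user)
        results.append({"service": service, "user": user, "uid": uid,
                        "euid": euid, "cause": cause, "unprivileged_caller": euid != 0})
    return results

if __name__ == "__main__":
    for record in classify_failures(SAMPLE_LOG):
        print(record)
```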