Thread: PostgreSQL/PAM problem

PostgreSQL/PAM problem

From
Thomas Kirchtag
Date:
Sorry if this comes as a repost, but I never saw my original post appear in the list and neither did I get any answers...
======
I am trying to set up PAM-auth for a small testing system but I am stuck with a strange problem.

The system authenticates OK (both login and ssh can authenticate using the LDAP accounts) but trying to log in to the same account to postgresql fails. I have set up a login role with the same name and authenticating against postgresql as that user works. My pg_hba.conf looks like this:

local   all         postgres                          ident sameuser
local   all         all                               ident sameuser
host    all         all         127.0.0.1/32          md5
host    ip_cis nagios      xx.116.13.224/27      md5
host    ip_cis all         xx.116.13.224/27      pam

I try to connect as:
psql -h cis.ipxxx.at -U tkircht -d ip_cis

My log (debug level 5) comes up with those lines even before I entered a password:

2009-07-08 21:28:06 CEST LOG:  00000: connection received: host=xx.116.13.253 port=47092
2009-07-08 21:28:06 CEST LOCATION:  BackendInitialize, postmaster.c:3027
2009-07-08 21:28:06 CEST LOG:  00000: pam_authenticate failed: Permission denied
2009-07-08 21:28:06 CEST LOCATION:  CheckPAMAuth, auth.c:1345
2009-07-08 21:28:06 CEST FATAL:  28000: PAM authentication failed for user "tkircht"
2009-07-08 21:28:06 CEST LOCATION:  auth_failed, auth.c:1003

My PAM stack looks (after many other attempts) like this:

auth    sufficient      pam_ldap.so


This suggests some problems accessing some pam-related file but I cannot imagine which one?

The server runs on Debian 5 by the way.

Any pointers would be highly appreciated - the PostgreSQL documentation is pretty thin on this..

Thanks!

Thomas

Re: PostgreSQL/PAM problem

From
Tom Lane
Date:
Thomas Kirchtag <tkircht@gmail.com> writes:
> 2009-07-08 21:28:06 CEST LOG:  00000: pam_authenticate failed: Permission
> denied
> 2009-07-08 21:28:06 CEST LOCATION:  CheckPAMAuth, auth.c:1345

> This suggests some problems accessing some pam-related file but I cannot
> imagine which one?

Yeah, I'd guess the same.  Perhaps strace would help determine which
file is inaccessible.

            regards, tom lane

Re: PostgreSQL/PAM problem

From
Scott Mead
Date:

On Wed, Jul 15, 2009 at 2:39 AM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
> Thomas Kirchtag <tkircht@gmail.com> writes:
> > 2009-07-08 21:28:06 CEST LOG:  00000: pam_authenticate failed: Permission
> > denied
> > 2009-07-08 21:28:06 CEST LOCATION:  CheckPAMAuth, auth.c:1345
>
> > This suggests some problems accessing some pam-related file but I cannot
> > imagine which one?
>
> Yeah, I'd guess the same.  Perhaps strace would help determine which
> file is inaccessible.

  IIRC, you can only use PAM to authenticate against external services (i.e. LDAP / A.D. users).  I *think* that in order to auth against local accounts, you need to have a UID=0, which PG does not.

--Scott
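
The strace approach suggested in the thread, as an added example (not part of any message above and not PostgreSQL code): a small Python filter that reads `strace -f -e trace=file` output and lists the paths a traced process was denied access to. The sample trace, its PIDs and its paths are constructed for illustration and do not come from the poster's system.

```python
import re

# Constructed sample of `strace -f -e trace=file` output. PIDs and paths are
# illustrative only; the "example-ldap" files are hypothetical names.
SAMPLE = '''\
[pid  4711] open("/etc/pam.d/postgresql", O_RDONLY) = 5
[pid  4711] open("/lib/security/pam_ldap.so", O_RDONLY) = 6
[pid  4711] open("/etc/example-ldap.secret", O_RDONLY) = -1 EACCES (Permission denied)
4711 openat(AT_FDCWD, "/etc/shadow", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
4711 stat("/etc/example-ldap.conf", 0x7ffd2c0) = -1 ENOENT (No such file or directory)
[pid  4711] open("/etc/shadow", O_RDONLY) = -1 EACCES (Permission denied)
'''

# One failed file syscall per line: optional PID prefix ("[pid N]" on the
# terminal, bare "N" when strace writes to a file with -o), syscall name,
# optional dirfd argument of the *at() calls, quoted path, then "= -1 ERRNO".
LINE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+|\d+\s+)?'
    r'(?P<call>\w+)\('
    r'(?:AT_FDCWD,\s*|\d+,\s*)?'
    r'"(?P<path>(?:[^"\\]|\\.)*)"'
    r'.*\)\s+=\s+-1\s+(?P<errno>E[A-Z]+)\b'
)


def failed_paths(trace, errnos=("EACCES", "EPERM")):
    """Map each path to the syscalls that failed on it with one of `errnos`.

    Paths are returned in order of first failure; successful calls and
    lines that are not file syscalls are ignored.
    """
    hits = {}
    for line in trace.splitlines():
        m = LINE.match(line)
        if m and m.group("errno") in errnos:
            calls = hits.setdefault(m.group("path"), [])
            if m.group("call") not in calls:
                calls.append(m.group("call"))
    return hits


if __name__ == "__main__":
    for path, calls in failed_paths(SAMPLE).items():
        print(f"{path}: denied in {', '.join(calls)}")
```

Passing `errnos=("ENOENT",)` lists missing files instead, which helps when a PAM module silently falls back after failing to find its configuration.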