vmware pam.d how do i enable nis?

whysyn · 01-18-2008, 12:19 AM

I'm having nothing but a headache getting vmware's auth daemon to recognize NIS accounts. I've tried several things, but am coming up empty.

In the VMWare documentation, it states:

Quote:

The default installation of VMware Server uses standard Linux /etc/passwd authentication, but can be configured to use LDAP, NIS, Kerberos or another distributed authentication mechanism.

However it does not say how to do this.

My understanding of PAM is just enough to break it =)

The /etc/pam.d/vmware-authd file that installed with VMWare is:

Code:

#%PAM-1.0
auth       sufficient       /lib/security/pam_unix2.so shadow nullok
auth       required         /lib/security/pam_unix_auth.so shadow nullok
account    sufficient       /lib/security/pam_unix2.so
account    required         /lib/security/pam_unix_acct.so

Can somebody please help? I need to know how to change this to check NIS.

Thanks!

unSpawn · 01-19-2008, 09:28 AM

TS steps to configure NIS with the The Linux NIS(YP)/NYS/NIS+ HOWTO?

whysyn · 01-20-2008, 11:01 AM

Thanks for the link. Something just isn't fitting for me though...

The doc recommends pam_unix2.so, which I can't seem to find on my system.

I've tried the following after reading /usr/share/doc/pam-0.99.8.1/txts/README.pam_unix, but still no dice:

Code:

#%PAM-1.0
auth       required         pam_unix.so nis nullok debug
account    required         pam_unix.so nis nullok try_first_pass debug

When I try to access VM's as an NIS user, I still get the "Operation not permitted" message on the GUI, and the following in the vmware-serverd.log:

Code:

Jan 20 10:29:38: app| SP: Retrieved username: mjeasly
Jan 20 10:29:38: app| Failed to get password entry for : mjeasly. Reason: Success
Jan 20 10:29:38: app| impersonate Impersonate_Undo called when refCount == 0
Jan 20 10:29:38: app| SP: Retrieved username: mjeasly
Jan 20 10:29:38: app| Failed to get password entry for : mjeasly. Reason: Success
Jan 20 10:29:38: app| impersonate Impersonate_Undo called when refCount == 0
Jan 20 10:29:39: app| SP: Rejecting command base on path: : 2

On the stock pam config for vmware_authd, I get the same in vmware-serverd.log.

"Failed to get password entry ... Reason: Success" is particularly conbfusing...

unSpawn · 01-20-2008, 06:19 PM

pam_unix2 is ancient. Could you please first focus on making sure all main components of what NIS needs are installed on both server and client before moving on to checking configuration on both ends?

whysyn · 01-21-2008, 09:27 AM

NIS / NFS are fully installed, configured and functional. Console login, GDM login, ssh, FTP, etc all work properly with NIS accounts. To my (somewhat limited) knowledge, everything is settled except VMWare's authentication daemon.

The only reason I mentioned pam_unix2 is because that is used both in the PAM HOWTO and the default /etc/pam.d/vmware_authd. pam_unix2 is not being used in any other pam.d files.

Both systems are fully patched Fedora 8 systems from the official repositories, so I assume PAM and YP/NIS are relatively up to date.

If there is anything specific you'd like me to verify, please let me know where to look. As far as I can tell NIS seems to be working flawlessly with the exclusion of VMWare.

whysyn · 01-21-2008, 09:34 AM

Additional info:
PAM version is 0.99.8.1-10.fc8, packages installed:

Code:

[root@client ~]# yum list installed | grep pam
gnome-keyring-pam.x86_64                 2.20.2-1.fc8           installed
pam.x86_64                               0.99.8.1-10.fc8        installed
pam.i386                                 0.99.8.1-10.fc8        installed
pam-devel.i386                           0.99.8.1-10.fc8        installed
pam-devel.x86_64                         0.99.8.1-10.fc8        installed
pam_ccreds.x86_64                        4-3.fc8                installed
pam_ccreds.i386                          4-3.fc8                installed
pam_krb5.x86_64                          2.2.18-1               installed
pam_krb5.i386                            2.2.18-1               installed
pam_passwdqc.i386                        1.0.4-4                installed
pam_passwdqc.x86_64                      1.0.4-4                installed
pam_pkcs11.i386                          0.5.3-25               installed
pam_pkcs11.x86_64                        0.5.3-25               installed
pam_smb.x86_64                           1.1.7-7.2.2            installed
pam_smb.i386                             1.1.7-7.2.2            installed

PAM packages available:

Code:

[root@client ~]# yum list available | grep pam
gnome-keyring-pam.i386                   2.20.2-1.fc8           updates
mod_auth_pam.x86_64                      1.1.1-5.fc8            fedora
pam_abl.i386                             0.2.3-3.fc7            fedora
pam_abl.x86_64                           0.2.3-3.fc7            fedora
pam_fprint.i386                          0.2-2.fc8              updates
pam_fprint.x86_64                        0.2-2.fc8              updates
pam_keyring.i386                         0.0.9-1.fc8            fedora
pam_keyring.x86_64                       0.0.9-1.fc8            fedora
pam_mount.x86_64                         0.18-2.fc8             fedora
pam_mount.i386                           0.18-2.fc8             fedora
pam_ssh.i386                             1.92-6.fc8             updates
pam_ssh.x86_64                           1.92-6.fc8             updates
torque-pam.x86_64                        2.1.10-1.fc8           updates
torque-pam.i386                          2.1.10-1.fc8           updates

NIS/YP installation:

Code:

[root@client ~]# yum list installed | grep yp
yp-tools.x86_64                          2.9-2                  installed
ypbind.x86_64                            3:1.20.4-2.fc8         installed

unSpawn · 01-22-2008, 10:32 AM

It's weird since you say everyhting else works.
Does /etc/pam.d/vmware-authd pam_unix support the "audit" tag? Should be more informative compared to "debug".
You've shown vmserver log, what do system logs say wrt PAM? By any chance anything wrt SELinux in any logs?

whysyn · 01-22-2008, 10:51 AM

SELinux is running in permissive mode.

I will look at all updated logs and post relevant lines from another test login. To be sure, which /etc/pam.d/vmware_authd file should I try? The original? My hacked up two liner with pam_unix (substituting audit for debug, of course)? Something else?

Thanks again for all your help! I've gotten nary a response on the VMWare community boards...

whysyn · 01-22-2008, 11:12 AM

Using this in /etc/pam.d/vmware_authd:

Code:

#%PAM-1.0
auth       required         pam_unix.so nis nullok audit
account    required         pam_unix.so nis nullok try_first_pass audit

Causes the following logs:
/var/log/vmware/vmware-serverd.log

Code:

Jan 22 10:55:03: app| New connection on socket server-vmdb from host hostname.hmon.net (ip address: 127.0.0.1) , user: foouser
Jan 22 10:55:03: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:03: app| SP: New user session for user: foouser, pos: 2
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:04: app| SP: Failed to impersonate as : foouser
Jan 22 10:55:04: app| The vm-list file has changed! Reloading the list of registered vms
Jan 22 10:55:11: app| SP: Retrieved username: foouser
Jan 22 10:55:11: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:11: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:13: app| SP: Retrieved username: foouser
Jan 22 10:55:13: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:13: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:14: app| SP: Retrieved username: foouser
Jan 22 10:55:14: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:14: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:15: app| SP: Retrieved username: foouser
Jan 22 10:55:15: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:15: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:17: app| SP: Retrieved username: foouser
Jan 22 10:55:17: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:17: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:18: app| SP: Retrieved username: foouser
Jan 22 10:55:18: app| Failed to get password entry for : foouser. Reason: Success
Jan 22 10:55:18: app| impersonate Impersonate_Undo called when refCount == 0
Jan 22 10:55:19: app| SP: Rejecting command base on path: : 2

/var/log/messages:

Code:

Jan 22 10:55:01 hostname xinetd[7835]: START: vmware-authd pid=13271 from=127.0.0.1
Jan 22 10:55:03 hostname xinetd[7835]: EXIT: vmware-authd status=0 pid=13271 duration=3(sec)

/var/log/audit/audit.log:

Code:

type=USER_AUTH msg=audit(1200999303.691:77655): user pid=13271 uid=0 auid=4294967295 subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct=foouser exe="/usr/sbin/vmware-authd" (hostname=?, addr=?, terminal=? res=success)'
type=USER_ACCT msg=audit(1200999303.692:77656): user pid=13271 uid=0 auid=4294967295 subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct=foouser exe="/usr/sbin/vmware-authd" (hostname=?, addr=?, terminal=? res=success)'
type=CRED_ACQ msg=audit(1200999303.692:77657): user pid=13271 uid=0 auid=4294967295 subj=system_u:system_r:inetd_child_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct=foouser exe="/usr/sbin/vmware-authd" (hostname=?, addr=?, terminal=? res=success)'

unSpawn · 01-22-2008, 11:14 AM

Quote:

Originally Posted by whysyn

SELinux is running in permissive mode.

Was worth a try ;-p

Quote:

Originally Posted by whysyn

I will look at all updated logs and post relevant lines from another test login.

Reference material is always nice.

Quote:

Originally Posted by whysyn

To be sure, which /etc/pam.d/vmware_authd file should I try? The original? My hacked up two liner with pam_unix (substituting audit for debug, of course)?

I'd use your hacked up one, after all you only need one of auth and account to test with.

Quote:

Originally Posted by whysyn

Thanks again for all your help! I've gotten nary a response on the VMWare community boards...

Yeah, I saw that. And *they're* the ones that should know about everything VMware.

One other thing I'm thinking of is maybe run tcpdump or Wireshark as well during trials. See if anything does send or receive NIS packets when you try the PAM vmware_authd service.

whysyn · 01-22-2008, 12:39 PM

(You probably didn't get a notification on my post because you were replying while i typed it... just in case *BUMP*)

unSpawn · 01-23-2008, 07:37 PM

I'm subscribed to this thread so I should see it, NP. Let's try something completely different. Could you please change your PAM stack to auth against a working local unprivileged user account instead and see if you can get auth'ed?

whysyn · 01-24-2008, 10:00 AM

I'll be on site tonight (been working remotely all week so far).

I planned to set up a fresh server and test a fresh VMWare install without NIS. I'll post results tonight.

unSpawn · 01-27-2008, 09:09 AM

Any results fo far?

whysyn · 02-07-2008, 02:36 PM

Sorry for the delay... I had the baby, my wife, then myself sick.

When authenticating against a local account, using the default /etc/pam.d/vmware_authd, everything works fine.

At this point we're in production on three servers and are manually keeping the user accounts matched. I'll have to get my hands on a spare box to try more troubleshooting with NIS.