Hi,
I have an application that authenticates users, but it only works when run as root, and when it's told to use PAM (doesn't work when it's told to use shadow file).

Users other than root are not able to run the application to authenticate users by either using shadow (kind of understandable as it needs root to see shadow) or PAM. So, a non-root user is unable to run the application to authenticate users.

The application uses the 'login' service.

This is what uname -a looks like:

Linux kamet 2.6.16.21-0.8-xen #1 SMP Mon Jul 3 18:25:39 UTC 2006 i686 i686 i386 GNU/Linux

login file (/etc/pam.d/login) is as follows:

################
#%PAM-1.0
#auth required pam_securetty.so
auth include common-auth
auth required pam_nologin.so
account include common-account
password include common-password
session include common-session
session required pam_lastlog.so nowtmp
session required pam_resmgr.so
session optional pam_mail.so standard
################

common-auth (/etc/pam.d/common-auth) is as follows:

################
#
auth required pam_env.so debug
auth required pam_unix2.so debug
################

nsswitch.conf (/etc/nsswitch.conf) is as follows:

################
passwd: files nis
shadow: files nis
group: files
################

PAM debug looks like this for FAILED scenario (xxxx is the name of the tool) when run as non-root and using PAM:

Sep 26 17:37:07 kamet xxxx: pam_unix2(login:auth): pam_sm_authenticate() called
Sep 26 17:37:07 kamet xxxx: pam_unix2(login:auth): username=[patqa2]
Sep 26 17:37:07 kamet xxxx: pam_unix2(login:auth): wrong password, return PAM_AUTH_ERR

########

and PAM debug looks like this for SUCCESS scenario (xxxx is the name of the tool) when run as root and using PAM:

Sep 26 17:42:57 kamet xxxx: pam_unix2(login:auth): pam_sm_authenticate() called
Sep 26 17:42:57 kamet xxxx: pam_unix2(login:auth): username=[patqa2]
Sep 26 17:42:58 kamet xxxx: pam_unix2(login:auth): pam_sm_authenticate: PAM_SUCCESS
Sep 26 17:42:58 kamet xxxx: pam_unix2(login:account): pam_sm_acct_mgmt() called
Sep 26 17:42:58 kamet xxxx: pam_unix2(login:account): username=[patqa2]
Sep 26 17:42:58 kamet xxxx: pam_unix2(login:account): expire() returned with 0

######

Quite obviously, the password is perfectly correct, and /etc/shadow has it as follows (patqa2 being the user name):
patqa2:$2a$10$AmVIpmoeKbGjeRUpMNxk2OVJWSnJRezLv3rH3o7oVFPeVHRCEr1hq:13782:0:99999:7:::

########

THE BIG QUESTION:
What's going on?
Any help would be greatly appreciated as I'm not really sure what's going on with this!
The tool is owned by the user patqa2.

Thanks much in advance.
Regards,
Sesh

hmm well if file doesnt have a permissions to access your PAM auth file then it will fail, it is like shadow file in this case, you have passwd(644)file that has read access for everybody so any script can view it, and then passwd itself is owned by root, has a permission to access shadow. so i assume you should have same schema here, or what you can try to do is to change permissions for your PAM to 644 so it can be read by all users...

hope that helps

That's not it...is there a limitation with SuSE that it won't let people use non-root (with setuid bit set) applications to use PAM effectively?

I have the same application on RH 5.0 that works fine (as also Solaris, HP, AIX - with PAM-Kerberos...)

Thanks.