NIS/System Auth + Apache + Subversion

Hi Folks,

I need urgent help or impulses to fix the following problem:

Until yesterday I had a working setup of an old SUSE 10.2 machine running apache2, with several Subversion repositories served through it.
This server was a client of our NIS server (openSUSE 11.0) for user authentication (and also ran a NIS slave server itself).

An example apache configuration for one project is here:

<Location /repos/example_project>
AuthType Basic
AuthName "PAM"
DAV svn
SVNPath /repositories/example_project
AuthPAM_Enabled on
AuthBasicAuthoritative off
require valid-user
AuthzSVNAccessFile /etc/apache2/svnaccessfile.conf
</Location>

(The finer-grained access configuration for the project lives in the svnaccessfile; good ol' Apache mod_auth_pam is used for system auth.)
All worked fine.

For maintenance reasons, and because I wanted to migrate the whole service to more recent versions, I had to power off all
machines. Unfortunately the NIS server machine did not recover after the restart attempt.

So I reconfigured the apache + svn server machine to also act as the new NIS master.
Machines on the network can use the new NIS server as before.
But authentication during svn access against the apache2/svn server fails.

Logs:
/var/log/apache2/error_log:
[error] [client xx.yy.zz.vv] PAM: user 'user_xyz' - not authenticated: Permission denied

/var/log/warn:
Mar 30 13:12:15 server ypserv[2186]: refused connect from 127.0.0.1:44401 to procedure ypproc_match (bm,shadow.byname;-1)
Mar 30 13:12:15 server httpd2-prefork: pam_unix2(httpd:auth): conversation failed

/var/log/messages:
Mar 30 13:12:15 server ypserv[2186]: refused connect from 127.0.0.1:44401 to procedure ypproc_match (bm,shadow.byname;-1)
Mar 30 13:12:15 server httpd2-prefork: pam_unix2(httpd:auth): conversation failed
Mar 30 13:12:15 server httpd2-prefork: pam_unix(httpd:auth): authentication failure; logname= uid=30 euid=30 tty= ruser= rhost=

So it looks to me like the problem is caused by the apache user wwwrun not being able to query the shadow maps… but it definitely shouldn't be privileged to do so. It worked before, and PAM should handle those things after being given the credentials.

I'm working on this part rather than setting up the new server because I had a working system this way shortly before and changed nearly nothing (except the source of the NIS server).
What could have changed? Is there an isolated option for ypserv I could have forgotten?

I know there is another, more recent method of doing things like this with Apache (authnz_external), but it's even more critical
to set everything up in a completely new way. I also tried this and got similar problems.
The error messages are slightly different.

Sorry for the bad English,

Josh
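The ypserv lines in the logs above carry more information than they look like they do: the source port of the refused request (44401 here) tells you whether the requesting process was root, and ypserv's per-map `port` security keyword in ypserv.conf refuses a map to clients bound to a port above 1023. The following script, added here as an example and not code from the thread or from ypserv, parses such "refused connect" lines, classifies the request by map and source port, and pairs each refusal with PAM failures logged in the same second. The sample log is constructed from the excerpts in this post (the extra passwd.byname line is invented to show the other branch), and the uid 30 = wwwrun mapping is the SUSE default.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: the first three lines are the excerpts posted in the
# thread, the fourth is an invented refusal from a privileged source port.
SAMPLE_LOG = """\
Mar 30 13:12:15 server ypserv[2186]: refused connect from 127.0.0.1:44401 to procedure ypproc_match (bm,shadow.byname;-1)
Mar 30 13:12:15 server httpd2-prefork: pam_unix2(httpd:auth): conversation failed
Mar 30 13:12:15 server httpd2-prefork: pam_unix(httpd:auth): authentication failure; logname= uid=30 euid=30 tty= ruser= rhost=
Mar 30 13:12:20 server ypserv[2186]: refused connect from 10.0.0.7:1022 to procedure ypproc_match (bm,passwd.byname;-1)
"""

# "refused connect from HOST:PORT to procedure PROC (DOMAIN,MAP;RC)"
YPSERV_REFUSED = re.compile(
    r"ypserv\[(?P<pid>\d+)\]: refused connect from "
    r"(?P<host>[0-9a-fA-F.:]+):(?P<port>\d+) to procedure (?P<proc>\w+) "
    r"\((?P<domain>[^,]*),(?P<map>[^;]*);(?P<rc>-?\d+)\)"
)
# "pam_MODULE(SERVICE:auth): message"
PAM_AUTH = re.compile(r"(?P<module>pam_\w+)\((?P<service>\w+):auth\): (?P<msg>.*)")

# Maps that the usual ypserv.conf guards with the "port" keyword, i.e. they
# are only answered when the client socket is bound to a port below 1024.
PORT_RESTRICTED_MAPS = {"shadow.byname", "passwd.adjunct.byname"}

@dataclass
class Refusal:
    stamp: str      # "Mar 30 13:12:15", used to correlate with PAM lines
    host: str
    port: int
    proc: str
    domain: str
    map: str

    @property
    def from_privileged_port(self) -> bool:
        return self.port < 1024

def parse_refusal(line: str) -> Optional[Refusal]:
    """Return a Refusal for a ypserv 'refused connect' line, else None."""
    m = YPSERV_REFUSED.search(line)
    if not m:
        return None
    return Refusal(line[:15], m["host"], int(m["port"]), m["proc"], m["domain"], m["map"])

def explain(r: Refusal) -> str:
    """Plain-language reason that is consistent with the refusal."""
    if r.map in PORT_RESTRICTED_MAPS and not r.from_privileged_port:
        return (f"{r.map} requested from unprivileged port {r.port}: the client "
                "process is not root, so the 'port' rule in ypserv.conf applies")
    if r.from_privileged_port:
        return (f"{r.map} refused although port {r.port} is privileged: "
                "check securenets and the host:domain:map rules in ypserv.conf")
    return f"{r.map} refused from port {r.port}: check the ypserv.conf rules"

def pam_failures_at(lines: Iterable[str], stamp: str) -> List[str]:
    """PAM auth messages logged with the same timestamp prefix."""
    hits = []
    for line in lines:
        if line.startswith(stamp):
            m = PAM_AUTH.search(line)
            if m:
                hits.append(f"{m['module']}/{m['service']}: {m['msg']}")
    return hits

def analyze(lines: Iterable[str]) -> List[dict]:
    """One finding per ypserv refusal, with correlated PAM failures."""
    lines = list(lines)
    findings = []
    for line in lines:
        r = parse_refusal(line)
        if r is None:
            continue
        findings.append({
            "host": r.host, "port": r.port, "map": r.map,
            "privileged": r.from_privileged_port,
            "note": explain(r),
            "pam": pam_failures_at(lines, r.stamp),
        })
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against /var/log/messages instead of SAMPLE_LOG to see, for each refusal, whether the requester was root and which PAM service failed in the same second; a shadow.byname refusal from a high port paired with a pam_unix failure for service httpd is exactly the pattern in this post.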

Googling on ypserv refused connect shadow turned this up:

NIS Notes

Does it help?

Hi,

Thanks, but the problem does not seem to be NIS itself.
It works for ssh logins using PAM but not for Apache using PAM.

I've been googling the error messages for a while but don't get even close to a resolution.
I don't know which side to look at more closely: is it the Apache module, or is NIS "a bit" broken?

j

/etc/nsswitch.conf is:

passwd: compat files nis
group: compat files nis

hosts: files nis dns
networks: files dns

services: files nis
protocols: files
rpc: files nis
ethers: files
netmasks: files
netgroup: files
publickey: files

bootparams: files
automount: files
aliases: files
shadow: compat files nis

So it conforms to the features exported by our ypserv.

I got it to work on another machine (using the same NIS server) with a more recent Apache, using the authnz_external module (from Index of /repositories/Apache:/Modules/Apache_openSUSE_11.2) and checkpassword-pam (checkpassword-pam).

This is no answer to my original question… and I fear the next time I update something everything can be messed up again.

On the new server, I added to /etc/apache2/default-server.conf:

AddExternalAuth pwauth /usr/bin/pwauth
AddExternalAuth checkpassword-pam "/usr/local/bin/checkpassword-pam -H --noenv --debug --stdout -s httpd -- /bin/true"
SetExternalAuthMethod checkpassword-pam checkpassword
AddExternalGroup unixgroup /usr/bin/unixgroup
SetExternalGroupMethod unixgroup environment

In /etc/apache2/conf/example_project.conf for the example project:

<Location /repos/example_project>
AuthType Basic
AuthName "PAM"
DAV svn
SVNPath /repositories/example_project
AuthExternal checkpassword-pam
AuthBasicProvider external
require valid-user
AuthzSVNAccessFile /etc/apache2/svnaccessfile.conf
</Location>

apache modules (a2enmod -l):

actions alias auth_basic authn_file authz_host authz_groupfile authz_default authz_user autoindex cgi dir env expires include log_config mime negotiation setenvif ssl userdir php5 dav dav_fs auth_digest authnz_external dav_svn authz_svn

So I will maybe migrate my repositories to this new server.
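What `SetExternalAuthMethod checkpassword-pam checkpassword` changes is how the credentials reach the helper: instead of stdin or environment variables, the checkpassword interface hands the helper `username\0password\0timestamp\0` on file descriptor 3, and the helper signals the verdict with its exit status (0 accepted, 1 rejected, 2 misuse, 111 temporary failure); on success it execs the program named after `--`, which is why `/bin/true` sits at the end of the command line above. The script below, added as an example and not code from mod_authnz_external or checkpassword-pam, implements both sides of that exchange in Python: a caller that forks, wires a pipe to fd 3 and reads the exit status, and a tiny checker that validates against a constructed credential table instead of PAM. The user name and password are invented; nothing here talks to NIS or PAM.

```python
import os
import sys
from typing import List, Sequence

# Checker side of the protocol, run as "python -c CHECKER_SRC PROG [ARGS...]".
# It reads the NUL-separated fields from fd 3, checks them against a
# constructed table (a real checker would call PAM here), and on success
# execs PROG, which is what checkpassword-pam does with the "-- /bin/true"
# tail of the command line in the Apache configuration above.
CHECKER_SRC = r'''
import os, sys
TABLE = {"user_xyz": "s3cret"}           # constructed demo credentials
try:
    data = b""
    while True:
        chunk = os.read(3, 512)
        if not chunk:
            break
        data += chunk
    os.close(3)
except OSError:
    sys.exit(2)                          # misuse: fd 3 was not supplied
fields = data.split(b"\0")
if len(fields) < 3:
    sys.exit(2)                          # misuse: malformed payload
user, password = fields[0].decode(), fields[1].decode()
if TABLE.get(user) != password:
    sys.exit(1)                          # rejected
os.execv(sys.argv[1], sys.argv[1:])      # accepted: run the program after "--"
'''

def demo_checker_argv() -> List[str]:
    """Command line for the demo checker; the success program just exits 0."""
    return [sys.executable, "-c", CHECKER_SRC,
            sys.executable, "-c", "raise SystemExit(0)"]

def checkpassword_exit_code(checker: Sequence[str], username: str,
                            password: str, timestamp: str = "") -> int:
    """Caller side: feed the credentials on fd 3 and return the exit status."""
    payload = b"\0".join(s.encode() for s in (username, password, timestamp)) + b"\0"
    read_end, write_end = os.pipe()
    pid = os.fork()
    if pid == 0:
        # Child: make the pipe's read end fd 3, then become the checker.
        try:
            os.close(write_end)
            os.dup2(read_end, 3)
            if read_end != 3:
                os.close(read_end)
            os.execv(checker[0], list(checker))
        finally:
            os._exit(2)                  # only reached if exec failed
    os.close(read_end)
    with os.fdopen(write_end, "wb") as fh:
        fh.write(payload)                # closing gives the checker its EOF
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return 111                           # killed by a signal: treat as temporary failure

def authenticate(username: str, password: str) -> bool:
    """Accept only when the checker exits 0, exactly as mod_authnz_external does."""
    return checkpassword_exit_code(demo_checker_argv(), username, password) == 0

if __name__ == "__main__":
    for user, pw in (("user_xyz", "s3cret"), ("user_xyz", "wrong"), ("nobody", "x")):
        print(user, authenticate(user, pw))
```

The password never appears on the checker's command line or in its environment, which is the reason this method is preferred over `environment` for password checks; with the real checkpassword-pam the checker process is the one that has to reach the shadow data, so it is its privileges, not Apache's, that decide whether the pam_unix lookup succeeds.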

Forgot… the /etc/pam.d/httpd is:

auth include common-auth
account include common-account
password include common-password
session include common-session