Hi Folks,
I need urgent help or impulses to fix following problem:
Until yesterday I had a working setup of an old Suse 10.2 machine running apache2 and serving several subversion repositories through it.
This server was a client of our NIS server (OpenSuse 11.0) for authentication of the users (and had a NIS slave server running on itself).
An example apache configuration for one project is here:
<Location /repos/example_project>
    # Basic auth, with the credentials checked through the system PAM stack (mod_auth_pam)
    AuthType Basic
    AuthName "PAM"
    DAV svn
    SVNPath /repositories/example_project
    AuthPAM_Enabled on
    AuthBasicAuthoritative off
    require valid-user
    # finer per-path rules for the project live in this file
    AuthzSVNAccessFile /etc/apache2/svnaccessfile.conf
</Location>
(In svnaccessfile reside the finer access configs for the project; good ol' apache mod_auth_pam is used for system auth.)
All worked fine.
For maintenance reasons, and because I wanted to migrate the whole service to more recent versions, I had to power off all
machines. Unfortunately the NIS server machine didn't recover after the restart attempt.
So I reconfigured the apache + svn server machine to also act as the new NIS master.
Machines in the Network can use the new NIS Server as before.
But auth during svn access against the apache2 / svn server fails.
Logs:
/var/log/apache2/error_log:
[error] [client xx.yy.zz.vv] PAM: user 'user_xyz' - not authenticated: Permission denied
/var/log/warn:
Mar 30 13:12:15 server ypserv[2186]: refused connect from 127.0.0.1:44401 to procedure ypproc_match (bm,shadow.byname;-1)
Mar 30 13:12:15 server httpd2-prefork: pam_unix2(httpd:auth): conversation failed
/var/log/messages:
Mar 30 13:12:15 server ypserv[2186]: refused connect from 127.0.0.1:44401 to procedure ypproc_match (bm,shadow.byname;-1)
Mar 30 13:12:15 server httpd2-prefork: pam_unix2(httpd:auth): conversation failed
Mar 30 13:12:15 server httpd2-prefork: pam_unix(httpd:auth): authentication failure; logname= uid=30 euid=30 tty= ruser= rhost=
So it looks to me like the problem is caused by the apache user wwwrun not being able to query shadow maps... but it definitely shouldn't be privileged to do so. It worked before, and pam should handle those things after being given the credentials.
I work on this part rather than setting up the new server because I had a working system this way shortly before and changed nearly nothing (except the source of the nis server).
What could have changed? Is there an isolated option for ypserv I could have forgotten?
I know there is another, more recent method of doing things like this (authnz_external) with apache, but it's even more critical
to set everything up in a completely new way. I also tried this and got similar problems.
The error messages are slightly different.
Sorry for the bad English,
Josh
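Added example (my own check, not code from the poster): a small Python script that parses the ypserv refusal and PAM lines quoted above and reports, for each refused shadow-map lookup, whether it came from a loopback, unprivileged source port in the same second as a PAM auth failure, which is the pattern the post describes. The 10.0.0.7 line in the sample is a constructed extra case so the report also shows a non-matching refusal.

```python
import re

# Constructed sample log: the ypserv/PAM lines quoted in the post, plus one
# hypothetical remote refusal (10.0.0.7) so the report shows a non-local case too.
SAMPLE_LOG = """\
Mar 30 13:12:15 server ypserv[2186]: refused connect from 127.0.0.1:44401 to procedure ypproc_match (bm,shadow.byname;-1)
Mar 30 13:12:15 server httpd2-prefork: pam_unix2(httpd:auth): conversation failed
Mar 30 13:12:15 server httpd2-prefork: pam_unix(httpd:auth): authentication failure; logname= uid=30 euid=30 tty= ruser= rhost=
Mar 30 13:20:01 server ypserv[2186]: refused connect from 10.0.0.7:53011 to procedure ypproc_match (bm,shadow.byname;-1)
"""

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
YPSERV_RE = re.compile(
    TS + r"ypserv\[\d+\]: refused connect from (?P<ip>[\d.]+):(?P<port>\d+)"
         r" to procedure (?P<proc>\w+) \((?P<domain>[^,]*),(?P<map>[^;]*);(?P<rc>-?\d+)\)$")
PAM_RE = re.compile(
    TS + r"(?P<proc>\S+): (?P<module>pam_\w+)\((?P<service>[^:]+):auth\): (?P<msg>.*)$")


def parse_refusals(text):
    """One record per ypserv refusal, noting whether the client used a privileged (<1024) port."""
    out = []
    for line in text.splitlines():
        m = YPSERV_RE.match(line)
        if m:
            port = int(m["port"])
            out.append({"ts": m["ts"], "ip": m["ip"], "port": port, "privileged_port": port < 1024,
                        "domain": m["domain"], "map": m["map"]})
    return out


def correlate(text):
    """Pair each refusal with PAM auth failures logged in the same second and give a verdict."""
    pam = [m.groupdict() for m in (PAM_RE.match(l) for l in text.splitlines()) if m]
    findings = []
    for r in parse_refusals(text):
        services = sorted({p["service"] for p in pam if p["ts"] == r["ts"]})
        local = r["ip"].startswith("127.")
        if local and not r["privileged_port"] and r["map"].startswith("shadow"):
            verdict = "local unprivileged-port lookup of shadow map refused by ypserv"
        else:
            verdict = "refusal not matching the local PAM pattern"
        findings.append({**r, "pam_services": services, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']}:{f['port']} map={f['map']} pam={f['pam_services']} -> {f['verdict']}")
```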