From: Derrick K. <kr...@uc...> - 2011-10-04 12:44:23

With the debuglog entry in I only get the following entries (tail -f /var/webmin/webmin.debug) in the log on a failed attempt:

    START "script=session_login.cgi"
    READ "/etc/webmin/miniserv.conf"
    READ "/usr/libexec/webmin/blue-theme/config"
    READ "/etc/webmin/custom-lang"
    READ "/etc/sysconfig/network"
    READ "/usr/libexec/webmin//defaultacl"
    READ "/etc/webmin/.acl"
    CMD "cmd=hostname"
    CMD "cmd=hostname -f"
    READ "/usr/libexec/webmin//module.info"
    STOP "runtime=0"

Is there something else I need enabled?

Also, I agree to an extent about the data being visible to Linux. I have my Webmin Unix authentication to leverage a group. When I do just an account it is fine. If I do a getent group <groupname> it exists, but no members. If I run an ID <username> with the account I want to use and then do the getent group <groupname>, the group has the member and all works.

I have the same issue open with the vendor (Likewise), but I am caught because the PAM authentication is currently only not working with Webmin. If I use the user and group in other configurations such as SSH or Apache with basic auth, they will work. After authentication is successful in those services, I can run getent group <groupname> and it is populated with the ID I just used.

>>> "Jamie Cameron" <jca...@we...> 10/3/2011 6:22 PM >>>

That "Non-existent login" message means that Webmin couldn't find the Unix user that you are trying to login as. I assume you have NSS-LDAP set up to make Active Directory users visible to Linux? I wonder if perhaps your Linux system isn't getting groups from Active Directory as well.

One option to enable more debugging is to edit /etc/webmin/miniserv.conf and add the line debuglog=/var/webmin/miniserv.debug , then restart Webmin. Then you can check what gets logged to miniserv.debug after a failed login.

On 03/Oct/2011 14:17 Derrick Krieger <kr...@uc...> wrote ..

No OTP devices. In /var/log/secure it records the ID that I attempted with and the right host IP.

    <hostname> webmin[12553]: Non-existent login as <userid> from <valid ip>

If, at a shell prompt, I run the ID command with the user id I am testing with, it returns the id and the group memberships. It will then work in webmin. But it is only temporary.

On the same system I tested SSH and also Apache with mod_auth_pam and a custom .htaccess file to limit to the same group I have configured in webmin. Without "pre-caching" the ID, SSH and Apache work, but Webmin does not. Once I run a command such as ID <userid>, then Webmin also works.

>>> "Jamie Cameron" <jca...@we...> 10/3/2011 3:36 PM >>>

On 03/Oct/2011 09:20 Derrick Krieger <kr...@uc...> wrote ..

Hello all,

I am currently working on integrating Likewise Enterprise into our environment to authenticate all non-Windows systems to Active Directory. I am having trouble getting webmin authentication to work though.

My issue is that webmin records "non-existent" user and fails logon. If I first logon with the same account through SSH, and then try webmin, then webmin login works fine. Both pam modules for ssh and webmin are configured the same and point to system-auth.

The problem only seems to be an issue when I try to use "Members of a group.." and the group is an Active Directory domain group. A domain user works fine, a local system user or group also works fine.

I can't seem to figure out how to turn on enough debugging to diagnose. Any thoughts?

Thanks.

Do you perhaps have any non-standard PAM authentication steps set up, such as requirements that the user use an OTP device?

Also, what gets logged to /var/log/authlog or /var/log/secure when the Webmin login fails?

- Jamie
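
A diagnostic for the symptom described in this thread, added here as an example and not written by the thread's participants or taken from Webmin: it compares the group's member list (the view `getent group <groupname>` shows) with the user's computed group list (the kind of lookup `id <username>` performs). The function names and result labels are this example's own; the resolvers are injectable so the logic can be checked without a directory service.

```python
import grp
import os
import pwd
import sys


def membership_views(user, group, getgrnam=grp.getgrnam,
                     getpwnam=pwd.getpwnam, getgrouplist=os.getgrouplist):
    """Return (listed, resolved, primary) for a user/group pair.

    listed   - user appears in the group's member list (getent group view)
    resolved - group's GID is in the user's computed group list (id view)
    primary  - group is the user's primary group (never in the member list)
    """
    gr = getgrnam(group)   # KeyError if NSS cannot see the group
    pw = getpwnam(user)    # KeyError if NSS cannot see the user
    # Read the member list first: the thread reports that a per-user
    # lookup afterwards changes what the group lookup returns.
    listed = user in gr.gr_mem
    resolved = gr.gr_gid in getgrouplist(user, pw.pw_gid)
    return listed, resolved, pw.pw_gid == gr.gr_gid


def diagnose(user, group, **resolvers):
    """Classify the two views; labels are this example's own, not Webmin's."""
    try:
        listed, resolved, primary = membership_views(user, group, **resolvers)
    except KeyError as exc:
        return f"lookup-failed: {exc}"
    if primary:
        return "primary-group"
    if listed and resolved:
        return "consistent-member"
    if resolved:
        return "member-list-missing-user"   # the symptom reported above
    if listed:
        return "listed-but-not-resolved"
    return "not-a-member"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} USER GROUP")
    print(diagnose(sys.argv[1], sys.argv[2]))
```

Run it for the affected account before any `id` command or SSH login for that user, then again afterwards, and compare the two results.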