Authentication only works for the user python is running as in Ubuntu Precise (vagrant VM)

[usernamenumber]

This may be due to something in my PAM config, but since as far as I know I'm using the default setup for Ubuntu Precise (I'm in a VM with Vagrant's default image for that OS), it seems worth posting here either way...

I am finding that python-pam can only successfully authenticate the user that python is running as. To illustrate, I created a testuser account, and can authenticate it when logged in as that user:

$ id
uid=1022(testuser) gid=1024(testuser) groups=1024(testuser)

$ python
Python 2.7.3 (default, Feb 27 2014, 19:58:35)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pam
>>> p = pam.pam()
>>> p.authenticate('testuser','testpw')
True

...but if I log in as another user and try the same thing, it fails:

$ id
uid=1000(vagrant) gid=1000(vagrant) groups=1000(vagrant),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),109(lpadmin),110(sambashare),999(admin)

$ python
Python 2.7.3 (default, Feb 27 2014, 19:58:35)
[GCC 4.6.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import pam
>>> p = pam.pam()
>>> p.authenticate('testuser','testpw')
False

Similarly, authenticating vagrant suceeds when logged in as vagrant, and fails when logged in as testuser .

If I log in as vagrant but start python with sudo -u testuser python, I go back to being able to authenticate testuser, but not vagrant.

Here's what I see in my auth.log when authentication fails (in this case, authenticating testuser while logged in as vagrant):

Jan  6 18:26:59 precise64 unix_chkpwd[19889]: check pass; user unknown
Jan  6 18:26:59 precise64 unix_chkpwd[19889]: password check failed for user (testuser)
Jan  6 18:26:59 precise64 python: pam_unix(login:auth): authentication failure; logname= uid=1000 euid=1000 tty= ruser= rhost=  user=testuser

Maybe unrelated, but I also see an error (and nothing else) on successful authentication:

Jan  6 18:27:54 precise64 python: pam_group(login:setcred): unable to set the group membership for user: Operation not permitted

Any idea what the problem might be?

[usernamenumber]

...oh, and thanks for making this! It has the potential to be very useful to me if I can get the kinks worked out! :)

[usernamenumber]

Hmm... this is probably telling: if I run python as root, I can authenticate anyone. Of course, I'd prefer to not have to be root to use this... is this the expected behavior?

EDIT: Looks like the answer to that question might be yes. Darn.

[FirefighterBlu3]

Make sure you have a pam config file (/etc/pam.d/foo) where 'foo' is the name of the service you need to run the authenticator as. aka, if i build python module that authenticates as apache service, then it needs to have /etc/pam.d/apache.

within your pam.d/foo config, you'll define the appropriate libraries from /lib/security/

without any pam_* declarations, pam won't attempt any privileged authentication switches and yes, somewhere in the origin you need to start as root. this includes things like sudo which has a suid bit on the sudo binary -- you would also need a suid bit.

[usernamenumber]

Ok, so the bottom line is if I'm using, say, pam_unix, then I just need to have something running as root, yes? That makes sense, and thanks very much for the quick response!

[FirefighterBlu3]

my pleasure, if you need anything else, please shout it out =)