# Help understanding pam_mysql, pam_pgsql, and NSS... PLEASE!

## EnigmaedgE

Hey guys, 

I need a bit of help in trying to understand Linux's PAM module structure so I can properly use pam_mysql and/or pam_pgsql (and, if it's required for what I need to do, nss_{my|pg}sql), because apparently I don't know what I'm doing.

I just spent the last 2 days attempting to get pam_mysql to work, in order to get a centralized database for our usernames, and I'm at my wit's end here.  It seems that I have pam_mysql set up correctly (in /etc/pam.d/login and system-auth), as so:

```
auth      optional     pam_mysql.so verbose=1 user=xxx passwd=xxx  db=xxx table=user usercolumn=xxx passwdcolumn=xxx crypt=2
account   required     pam_mysql.so verbose=1 user=xxx passwd=xxx  db=xxx table=user usercolumn=xxx passwdcolumn=xxx crypt=2
```

The database is set correctly because the debug messages come back as success, yet it won't let me go past the login/pw.  Then I tried going with the pam_pgsql route with similar parameters (but obviously, those are located in /etc/pam_pgsql.conf):

```
connectionstring = user=xxx password=xxx host=127.0.0.1 dbname=xxx
getpassword = SELECT password FROM users WHERE username = $1
changepw = UPDATE users SET password = $2 WHERE user = $1
isexpired = SELECT 1 FROM users WHERE user = $1 AND isexpired < NOW()
newpassrequired = SELECT 1 FROM users WHERE user = $1 AND newpass < NOW()
debug
pw_type=md5
```

and the verbose output explicitly states that I have been authenticated, but again, it does not let me get past the login/pw.

Am I not setting something up correctly?  Is there something else I should be configuring to log in off of a DB?  Are there any other PAM modules I should be including/excluding? Or is this something that NSS needs to handle? Does anyone have pam_mysql or pam_pgsql successfully installed?

Thanks for your help in advance!

----------

## velociphile

Hi,

From the age of this thread I assume that it is long since solved by now, in which case maybe you could mark it [SOLVED] and put some info on the solution for others. But if it's still open, I'd guess you've got a problem with NSS.

Basically, PAM can authenticate that your user is who they say they are, but you need a second service to determine what that user should actually be able to do, e.g. can they log in through a shell or just FTP? That service is NSS (Name Service Switch). Without this, your logins will always fail, regardless of username/password.

I have 2 groups of users on a host I manage: admins who have shell access and standard pam_unix authentication (using standard /etc/shadow file-based NSS), and a much larger group of shell-less FTP- and HTTPS-only users, authenticated through pam_mysql and NSS'd through nss_mysql. My admins use scripts to add/remove/modify the two mysql databases.

Emerge libnss-mysql and configure /etc/nsswitch.conf to use mysql, e.g.:

```
host: cat /etc/nsswitch.conf
...
passwd:      compat mysql
shadow:      compat mysql
group:       compat mysql
...
```

and set up /etc/libnss-mysql-root.cfg and /etc/libnss-mysql.cfg (these files are documented internally).

I hope that gives a hint of the right direction to look for anyone else suffering from this problem, as I did.

Tom
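
To make the PAM/NSS split in the answer above concrete, here is an added diagnostic (not code from either poster, nor from pam_mysql or libnss-mysql). It does two things a practitioner would check before blaming the PAM module: it parses an nsswitch.conf and reports which of passwd/shadow/group lack a given source, and it asks the running system's NSS to resolve a username through `pwd.getpwnam()`, which is the same lookup `login` performs after PAM has said yes. The nsswitch.conf text embedded in the block is a constructed sample modelled on the one in the post, not a real host's file.

```python
"""Check the two halves of a Linux login separately.

PAM answers "is the password right?"; NSS answers "does this account exist,
and with what uid/gid/home/shell?". login(1) calls getpwnam() after PAM
succeeds, so if no NSS source can resolve the user the session is refused
even though pam_mysql / pam_pgsql reported a successful authentication.
"""

import pwd
from typing import Dict, List, Optional

# Constructed sample of /etc/nsswitch.conf, modelled on the post above.
# It is not copied from any real host.
SAMPLE_NSSWITCH = """\
# /etc/nsswitch.conf (constructed sample)
passwd:      compat mysql
shadow:      compat mysql
group:       compat mysql
hosts:       files dns
"""

# The three databases a DB-backed login needs NSS to serve.
NEEDED_DATABASES = ("passwd", "shadow", "group")


def parse_nsswitch(text: str) -> Dict[str, List[str]]:
    """Return {database: [source, ...]} for each line of an nsswitch.conf.

    Comments and blank lines are skipped; action specs such as
    '[NOTFOUND=return]' are dropped so only source names remain.
    """
    result: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, _, rest = line.partition(":")
        sources = [tok for tok in rest.split() if not tok.startswith("[")]
        result[db.strip()] = sources
    return result


def missing_db_sources(text: str, source: str = "mysql") -> List[str]:
    """Databases among passwd/shadow/group that do not list `source`.

    A non-empty result is the usual reason a DB-backed login fails after
    PAM authentication succeeded: the account itself cannot be resolved.
    """
    conf = parse_nsswitch(text)
    return [db for db in NEEDED_DATABASES if source not in conf.get(db, [])]


def resolve_user(name: str) -> Optional[Dict[str, object]]:
    """Ask the running system's NSS for `name`, as login(1) does.

    Returns the passwd fields on success, or None if no configured source
    knows the user. `getent passwd NAME` in a shell performs the same lookup.
    """
    try:
        entry = pwd.getpwnam(name)
    except KeyError:
        return None
    return {
        "uid": entry.pw_uid,
        "gid": entry.pw_gid,
        "home": entry.pw_dir,
        "shell": entry.pw_shell,
    }


if __name__ == "__main__":
    print("sources per database:", parse_nsswitch(SAMPLE_NSSWITCH))
    print("databases without mysql:", missing_db_sources(SAMPLE_NSSWITCH))
    for user in ("root", "no-such-user-zz"):
        print(user, "->", resolve_user(user))
```

Run it as-is and the last two lines show the contrast the answer describes: an account every NSS source knows resolves to a full passwd entry, while one that no source knows returns None, and that None is what turns a successful PAM authentication into a refused login. Pointing `missing_db_sources()` at the real /etc/nsswitch.conf tells you which of the three databases still need the mysql source added.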

----------

