0) Make sure that every time you restart /etc/init.d/ldap.client (ldap_cachemgr), you also restart /etc/init.d/nscd (name service cache daemon).

1) Make sure you define "CRYPT" as the default passwordStorageScheme in LDAP DIT (right click cn=config and edit its properties).

2) Make sure you have these three lines in /var/ldap/ldap_client_file and also in the "default" profile in LDAP DIT:

NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=composers,dc=foo,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=composers,dc=foo,dc=com?one

And there is a "shadow: files ldap" line in /etc/nsswitch.conf.

3) Make sure you restart SSH Server whenever there is a change in /etc/ssh/sshd_config.

===
Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com
Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
===
===

4) Did you install a binary version of OpenSSH Server with PAM support or compile from source with an "./configure --with-pam" option?
To check if sshd is built with PAM support, run:

# ldd /usr/local/sbin/sshd

It should have something like "libpam.so.1" in it:

libpam.so.1 => /usr/lib/libpam.so.1
libdl.so.1 => /usr/lib/libdl.so.1
libresolv.so.2 => /usr/lib/libresolv.so.2
libcrypto.so.0.9.7 => /usr/local/ssl/lib/libcrypto.so.0.9.7
librt.so.1 => /usr/lib/librt.so.1
libz.so => /usr/lib/libz.so
libsocket.so.1 => /usr/lib/libsocket.so.1
libnsl.so.1 => /usr/lib/libnsl.so.1
libc.so.1 => /usr/lib/libc.so.1
libcmd.so.1 => /usr/lib/libcmd.so.1
libgcc_s.so.1 => /usr/local/lib/libgcc_s.so.1
libaio.so.1 => /usr/lib/libaio.so.1
libmp.so.2 => /usr/lib/libmp.so.2
/usr/platform/SUNW,Ultra-5_10/lib/libc_psr.so.1

5) The output of your "sshd -d" looks perfectly fine, and it isn't "totally silent" as you said. The SSH Server is listening; as and when you perform an ssh connection from any host to the ssh server, you will see more "debugging" messages appearing in this "interactive" mode. To exit, press Ctrl-C to kill the debugging mode; note that after this sshd is no longer running.

6) For the ssh client connection, do it this way to see more:

$ ssh -v testdba@192.85.86.87

Gary

-----Original Message-----
From: fedora-directory-users-bounces at redhat.com [mailto:fedora-directory-users-bounces at redhat.com] On Behalf Of Igor
Sent: Wednesday, August 31, 2005 4:26 AM
To: General discussion list for the Fedora Directory server project.
Subject: RE: Problem with solaris & FDS authentication

Gary, here's the output from /var/adm/messages:

Aug 30 16:17:38 unknown last message repeated 1 time
Aug 30 16:17:38 unknown sshd[1354]: [ID 800047 auth.error] error: PAM: Authentication failed for testdba from cnyitsun01.composers.foo.com
Aug 30 16:17:39 unknown sshd[1354]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured

What does that mean?
I took the pam.conf from the website you gave me and commented out the lines, like you said:

login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
#login auth required pam_unix_cred.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 debug

Also:

bash-2.03# getent passwd testdba
testdba::10001:7000::/home/testdba:/bin/bash

sshd -d is totally silent. No output after startup:

bash-2.03# /usr/local/sbin/sshd -d
debug1: sshd version OpenSSH_3.9p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Disabling protocol version 1. Could not load host key
debug1: rexec_argv[0]='/usr/local/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 10

--- "Tay, Gary" <Gary_Tay at platts.com> wrote:

> What is the output of "id testdba" and "getent passwd testdba"?
>
> To use ldap auth for SSH Server, you must set these lines in
> /etc/ssh/sshd_config:
>
> PasswordAuthentication yes
> ChallengeResponseAuthentication yes
> UsePAM yes

Yep, changed that! Still (from the remote machine):

cnyitsun01/ > ssh testdba@192.85.86.87
Password:
LDAP Password:
Password:
LDAP Password:

And it never lets me in.
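
The file-level items in Gary's checklist (the three sshd_config directives, the "shadow" line in nsswitch.conf, the three service search descriptors, and the libpam linkage of sshd) written as a small shell audit. This is an added example, not part of the original thread; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audits copies of the files named in the checklist above.

# sshd takes the first occurrence of a keyword; keyword names are
# case-insensitive, the yes/no argument is not.
sshd_opt_is_yes() {  # $1 = sshd_config path, $2 = keyword
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { found = 1; ok = ($2 == "yes"); exit }
        END { exit !(found && ok) }' "$1"
}

# nsswitch.conf: the database line must list "ldap" as a source.
nss_uses_ldap() {  # $1 = nsswitch.conf path, $2 = database, e.g. shadow
    awk -v db="$2:" '
        $1 == db { for (i = 2; i <= NF; i++) if ($i == "ldap") hit = 1 }
        END { exit !hit }' "$1"
}

# ldap_client_file: a service search descriptor must exist for the service.
has_ssd() {  # $1 = ldap_client_file path, $2 = passwd | group | shadow
    grep -Eq "^NS_LDAP_SERVICE_SEARCH_DESC=[[:space:]]*$2:" "$1"
}

# Reads `ldd /usr/local/sbin/sshd` output on stdin; true if libpam is linked.
links_libpam() { grep -q 'libpam\.so'; }

# Runs the file checks, prints each failure, returns the failure count.
audit() {  # $1 = sshd_config, $2 = nsswitch.conf, $3 = ldap_client_file
    fails=0
    for k in PasswordAuthentication ChallengeResponseAuthentication UsePAM; do
        sshd_opt_is_yes "$1" "$k" || { echo "FAIL sshd_config: $k"; fails=$((fails + 1)); }
    done
    nss_uses_ldap "$2" shadow || { echo "FAIL nsswitch.conf: shadow"; fails=$((fails + 1)); }
    for s in passwd group shadow; do
        has_ssd "$3" "$s" || { echo "FAIL ldap_client_file: $s"; fails=$((fails + 1)); }
    done
    return "$fails"
}

# Constructed sample files (not taken from the thread's hosts); UsePAM is "no".
d=$(mktemp -d)
printf 'PasswordAuthentication yes\nChallengeResponseAuthentication yes\nUsePAM no\n' > "$d/sshd_config"
printf 'passwd: files ldap\nshadow: files ldap\n' > "$d/nsswitch.conf"
printf 'NS_LDAP_SERVICE_SEARCH_DESC= %s: ou=People,dc=example,dc=com?one\n' passwd group shadow > "$d/ldap_client_file"
audit "$d/sshd_config" "$d/nsswitch.conf" "$d/ldap_client_file" || echo "$? check(s) failed"
rm -rf "$d"
```

On the host itself, pass the real paths to audit and run `ldd /usr/local/sbin/sshd | links_libpam` for the PAM linkage check.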