LDAP / PAM -- Invalid Credentials Error

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 

Hello,
I am having a small issue with LDAP, and I hope someone here might be able to provide a few tips.
I am unable to authenticate as user 'testuser' on server 'storage' and the following errors appear in /var/log/messages on server 'storage' 

	Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown
Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1 Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid credentials) 

I am also unable to issue this command:

	# passwd testuser
	passwd: Unknown user name 'testuser'.

but this command works fine:

	# finger testuser
	Login: testuser                            Name: Test User
	Directory: /home/testuser                  Shell: /bin/bash
	Never logged in.
	No mail.
	No Plan.
The server 'storage' is the LDAP host server, and there are about 9 other servers configured to use 'storage' to authenticate users. All 9 of them allow 'testuser' to login and also for him to change his password. 

Issuing this command:
# ldapsearch -x -b 'uid=testuser,ou=People,dc=example,dc=local' '(objectclass=*)' 


# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=example,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, example.local
dn: uid=testuser,ou=People,dc=example,dc=local
uid: testuser
cn: Sean Cook
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 547
gidNumber: 500
homeDirectory: /home/testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I think the issue might be with PAM, because comparing all files I can think of doesnt point me to any differences except /etc/pam.d/ system-auth 

The LDAP server 'storage' has WINBIND turned on, as follows:

auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass 
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/ security/$ISA/pam_ldap.so account [default=bad success=ok user_unknown=ignore] /lib/ security/$ISA/pam_winbind.so 
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow 
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
And the server 'phoenix' (which allows 'testuser' to login fine) does not; 

# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet account [default=bad success=ok user_unknown=ignore] /lib/ security/$ISA/pam_ldap.so 
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow 
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
I tried disabling WINBIND but the issue still occurs even after restarting ldap and sshd. 

Please help!!


--
Von Landfried | System Administrator
Eye Street Software Corporation
1-888-252-2085 x 3052
von.landfried@xxxxxxxxxxxxx



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
[Index of Archives]     [CentOS]     [CentOS Announce]     [CentOS Development]     [CentOS ARM Devel]     [CentOS Docs]     [CentOS Virtualization]     [Carrier Grade Linux]     [Linux Media]     [Asterisk]     [DCCP]     [Netdev]     [Xorg]     [Linux USB]
  Powered by Linux