Kelli Wolfe wrote:
>
> Hi all,
>
> I'm back to debugging my telnet not working with LDAP problem.
> We're using RedHat 6.2, OpenLDAP 1.2.10, pam_ldap-70, nss_ldap-113.
>
> When I attempt to telnet from machine bb to aa, /var/log/messages
> on the client machine (aa) looks like telnet is working, the
> session is opened and the messages look the same as if I was
> logging in at the console. Except the exit status 1 happens
> immediately and I get "Connection closed by foreign host."
>
> Looking into the code for pam_pwdb, the function opening the
> connection (pam_sm_open_session) has to be returning success.
> So, I'm looking for what initially calls pam_sm_open_session.
> Is it called directly from inetd? I'm trying to understand
> how PAM gets integrated into the OS.

All this PAM stuff is called from /bin/login, which is launched by telnetd.
The whole thing looks like there is some bug in login/pam/modules.
I'd suggest running strace on inetd (with -f), attempting to log in
via telnet as you did already, and looking at the strace output.
For this, you can do the following (on the server machine, bb):

  # ps -C inetd
  <this will show pid of inetd process, it was 432 in your logs>
  # strace -o trc -p PID_OF_INETD -f
  <at this point, connect from aa as usual, and after that hit Ctrl-C here>
  # <now you have a rather big file called "trc">

The 'trc' file will be large... But it may show the trouble.
(Note that it can also contain passwords, so be careful with that.)
If you are unable to interpret it yourself, post it here (compressed),
or send it directly to me (also compressed). But again, be careful with
passwords that can be in that file (you can change them in that file
before sending).

>
> I can login with an LDAP account or a system account at the console.
> I cannot telnet with either account.
>
> /aa//var/log/messages
> Sep 22 14:00:47 aa login: exiting pam_sm_acct_mgmt 0
> Sep 22 14:00:47 aa PAM_pwdb[9139]: (login) session opened for user josie by
> (uid=0)
> Sep 22 14:00:47 aa inetd[472]: pid 9138: exit status 1
>
> /aa//etc/pam.d/login looks like this:
> #%PAM-1.0
> auth required /lib/security/pam_securetty.so
> auth required /lib/security/pam_nologin.so
> auth sufficient /lib/security/pam_ldap.so
> auth required /lib/security/pam_pwdb.so shadow use_first_pass
> account sufficient /lib/security/pam_ldap.so
> account required /lib/security/pam_pwdb.so
> password required /lib/security/pam_cracklib.so
> password sufficient /lib/security/pam_ldap.so use_authtok md5
> password required /lib/security/pam_pwdb.so shadow md5 use_authtok
> use_first_pass
> session required /lib/security/pam_pwdb.so
> session required /lib/security/pam_limits.so
>

Regards,
Michael.
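
One way to triage the large "trc" file described above (an added example, not part of the original message): find every traced process that exited with a non-zero status and list the last system calls that failed in it. The function name, the sample trace and its paths are constructed for illustration; the line format assumed is the pid-prefixed output of `strace -f -o`.

```python
import re
from collections import defaultdict, deque

# Constructed sample in the pid-prefixed format of `strace -f -o trc`; not a real trace.
SAMPLE_TRACE = """\
472   select(8, [4 5 6], NULL, NULL, NULL) = 1 (in [5])
472   fork() = 9138
9138  execve("/usr/sbin/in.telnetd", ["in.telnetd"], [/* 3 vars */]) = 0
9138  fork() = 9139
9139  execve("/bin/login", ["login", "-h", "bb", "-p"], [/* 2 vars */]) = 0
9139  open("/etc/passwd", O_RDONLY) = 3
9139  open("/constructed/example/path", O_RDONLY) = -1 ENOENT (No such file or directory)
9139  write(2, "constructed error text", 22) = 22
9139  _exit(1) = ?
9138  <... wait4 resumed> [WIFEXITED(s) && WEXITSTATUS(s) == 1], 0, NULL) = 9139
9138  exit_group(1) = ?
9138  +++ exited with 1 +++
"""

LINE = re.compile(r"^(\d+)\s+(.*)$")          # "<pid>  <rest of line>"
# Older strace logs the exit call itself; newer versions also add "+++ exited with N +++".
EXIT = re.compile(r"^(?:_exit|exit_group|exit)\((\d+)\)|^\+\+\+ exited with (\d+) \+\+\+")
FAIL = re.compile(r"= -1 (E[A-Z0-9]+) \(")     # a call that returned -1 with an errno

def nonzero_exits(trace_text, keep=5):
    """Map pid -> (exit status, last `keep` failed syscalls) for pids that exited non-zero."""
    failed = defaultdict(lambda: deque(maxlen=keep))
    result = {}
    for raw in trace_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a pid-prefixed line
        pid, call = int(m.group(1)), m.group(2)
        e = EXIT.match(call)
        if e:
            status = int(e.group(1) or e.group(2))
            if status != 0:
                result[pid] = (status, list(failed[pid]))
        elif FAIL.search(call):
            failed[pid].append(call)
    return result

if __name__ == "__main__":
    for pid, (status, calls) in nonzero_exits(SAMPLE_TRACE).items():
        print(f"pid {pid} exited with status {status}")
        for c in calls:
            print("   ", c)
```

Only failed calls and exit statuses are reported, so successful reads and writes are not echoed, but the output should still be checked for passwords before it is posted.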