RE: Problem with pam_ldap

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello again,

 

I picked up on this again and noticed a strange behaviour…

 

Although getent returns correct data like:

[root@rh01 ~]# getent passwd | grep myuser

myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash

 

I can’t sudo …

[root@rh01 ~]# su - myuser

su: user myuser does not exist

 

So I am not sure this is PAM related… does anyone know where the problem might be?

 

Thank you,

Nuno

 

From: Nuno Manuel Martins
Sent: terça-feira, 8 de Abril de 2008 17:07
To: 'pam-list@xxxxxxxxxx'
Subject: Problem with pam_ldap

 

 

Hello,

 

I am currently using OpenLDAP for authentication and seems I’m having some troubles explaining PAM what it should be doing. I get this error when trying to login with an ldap user trough ssh:

 

Apr  8 16:38:16 rh01 sshd[11045]: debug1: userauth-request for user myuser service ssh-connection method password

Apr  8 16:38:16 rh01 sshd[11045]: debug1: attempt 1 failures 1

Apr  8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): check pass; user unknown

Apr  8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rh01.localdomain

Apr  8 16:38:17 rh01 sshd[11044]: pam_succeed_if(sshd:auth): error retrieving information about user myuser

Apr  8 16:38:19 rh01 sshd[11044]: debug1: PAM: password authentication failed for an illegal user: User not known to the underlying authentication module

Apr  8 16:38:19 rh01 sshd[11044]: Failed password for invalid user myuser from 127.0.0.1 port 42064 ssh2

 

So it seems he just doesn’t recognize the user (stored in LDAP directory). I had this working before but then I made some changes to try to make the pam files more readable and now they never got back to working … :)

 

Here is my system-auth file in /etc/pam.d

#%PAM-1.0

# This file is auto-generated.

# User changes will be destroyed the next time authconfig is run.

auth        required      pam_env.so

auth        sufficient    pam_unix.so nullok try_first_pass

auth        requisite     pam_succeed_if.so uid >= 500 quiet

auth        sufficient    /lib/security/pam_ldap.so use_first_pass

auth        required      pam_deny.so

 

account     required      pam_unix.so broken_shadow

account     sufficient    pam_localuser.so

account     sufficient    pam_succeed_if.so uid < 500 quiet

account     [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so

account     required      pam_permit.so

 

password    requisite     pam_cracklib.so try_first_pass retry=3

password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok

password    sufficient    /lib/security/pam_ldap.so use_authtok

password    required      pam_deny.so

 

session     optional      pam_keyinit.so revoke

session     required      pam_limits.so

session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid

session     required      pam_unix.so

session     optional      /lib/security/pam_ldap.so

 

And here is sshd file in the same directory

#%PAM-1.0

auth       sufficient      /lib/security/pam_ldap.so

auth       include      system-auth

account    sufficient      /lib/security/pam_ldap.so

account    required     pam_nologin.so

account    include      system-auth

password   required        /lib/security/pam_ldap.so

password   include      system-auth

 

session    sufficient      /lib/security/pam_ldap.so

 

password    sufficient    pam_unix.so ssha shadow nullok try_first_pass use_authtok

 

 

session    optional     pam_keyinit.so force revoke

session    include      system-auth

session    required     pam_loginuid.so

 

As part of the “file clean-up” I was only using the “include” directives but since it stopped working I reverted back to explicitly telling what module to use… still doesn’t work though. Can anyone see why SSH doesn’t even try to authenticate against the OpenLDAP directory?

 

Thank you,

Nuno

 

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux