sshd access for users in ldap - "Access denied for this service"

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



hi-

i'm having trouble getting things properly configured so users in ldap can log in via ssh.  i'm using pam 1.1.0 and the 0.6.11 nss-pam-ldapd stub library, both courtesy of ubuntu.

there are a small number of administrative users that exist in the local databases while the rest exist only in ldap.  i'm able to successfully log in when using a local user.

when attempting to connect, it appears that the password is accepted but access is denied by the account portion of the config.  below is some output from ssh/sshd, the syslog auth facility, and my sshd pam config.  i'm hoping i might get some guidance on what i'm doing wrong.

thanks
-ben

client ssh output:

>ssh flash@under
flash@under's password: 
Access denied for this service
Connection closed by 192.168.1.1

server sshd -Dddd output:

debug1: userauth-request for user flash service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for flash
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 12
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive_expect entering: type 50
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
debug3: mm_request_send entering: type 50
Failed password for flash from 192.168.1.123 port 54759 ssh2
debug3: mm_request_receive entering
debug3: mm_do_pam_account returning 0
debug1: userauth_send_banner: sent
Access denied for user flash by PAM account configuration
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

syslog auth facility (/var/log/auth.log):
Mar  7 14:24:49 under sshd[16665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ion.groundnoise.net  user=flash
Mar  7 14:24:49 under sshd[16665]: Failed password for flash from 192.168.1.123 port 54767 ssh2


>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
auth		required			pam_env.so # [1]
auth		required			pam_env.so envfile=/etc/default/locale
auth		[success=2 default=ignore]      pam_unix.so nullok_secure
auth		[success=1 default=ignore]      pam_ldap.so use_first_pass
auth		requisite                       pam_deny.so
auth		required                        pam_permit.so
account		required			pam_nologin.so
account		[success=2 new_authtok_reqd=done default=ignore] pam_localuser.so #debug
account		[success=1 default=ignore]      pam_ldap.so
account		requisite                       pam_deny.so
account		required                        pam_permit.so
session		[default=1]                     pam_permit.so
session		requisite                       pam_deny.so
session		required                        pam_permit.so
session		required                        pam_unix.so
session		optional                        pam_ldap.so no_warn
session		optional			pam_motd.so # [1]
session		optional			pam_mail.so standard noenv # [1]
session		required			pam_limits.so
password        required                        pam_passwdqc.so min=disabled,16,12,7,6 max=256
password        [success=2 default=ignore]      pam_unix.so obscure md5
password        [success=1 user_unknown=ignore default=die]     pam_ldap.so use_authtok try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux