hi-

i'm having trouble getting things properly configured so users in ldap can log in via ssh. i'm using pam 1.1.0 and the 0.6.11 nss-pam-ldapd stub library, both courtesy of ubuntu. there are a small number of administrative users that exist in the local databases while the rest exist only in ldap. i'm able to successfully log in when using a local user. when attempting to connect, it appears that the password is accepted but access is denied by the account portion of the config. below is some output from ssh/sshd, the syslog auth facility, and my sshd pam config. i'm hoping i might get some guidance on what i'm doing wrong.

thanks
-ben

client ssh output:

>ssh flash@under
flash@under's password:
Access denied for this service
Connection closed by 192.168.1.1

server sshd -Dddd output:

debug1: userauth-request for user flash service ssh-connection method password
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method password
debug3: mm_auth_password entering
debug3: mm_request_send entering: type 11
debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
debug3: mm_request_receive_expect entering: type 12
debug3: mm_request_receive entering
debug3: monitor_read: checking request 11
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug1: PAM: password authentication accepted for flash
debug3: mm_answer_authpassword: sending result 1
debug3: mm_request_send entering: type 12
debug3: mm_request_receive_expect entering: type 49
debug3: mm_request_receive entering
debug3: mm_auth_password: user authenticated
debug3: mm_do_pam_account entering
debug3: mm_request_send entering: type 49
debug3: mm_request_receive_expect entering: type 50
debug3: mm_request_receive entering
debug1: do_pam_account: called
debug3: PAM: sshpam_passwd_conv called with 1 messages
debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
debug3: mm_request_send entering: type 50
Failed password for flash from 192.168.1.123 port 54759 ssh2
debug3: mm_request_receive entering
debug3: mm_do_pam_account returning 0
debug1: userauth_send_banner: sent
Access denied for user flash by PAM account configuration
debug1: do_cleanup
debug3: PAM: sshpam_thread_cleanup entering
debug1: do_cleanup
debug1: PAM: cleanup
debug3: PAM: sshpam_thread_cleanup entering

syslog auth facility (/var/log/auth.log):

Mar 7 14:24:49 under sshd[16665]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ion.groundnoise.net user=flash
Mar 7 14:24:49 under sshd[16665]: Failed password for flash from 192.168.1.123 port 54767 ssh2

>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
auth required pam_env.so # [1]
auth required pam_env.so envfile=/etc/default/locale
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
account required pam_nologin.so
account [success=2 new_authtok_reqd=done default=ignore] pam_localuser.so #debug
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session required pam_unix.so
session optional pam_ldap.so no_warn
session optional pam_motd.so # [1]
session optional pam_mail.so standard noenv # [1]
session required pam_limits.so
password required pam_passwdqc.so min=disabled,16,12,7,6 max=256
password [success=2 default=ignore] pam_unix.so obscure md5
password [success=1 user_unknown=ignore default=die] pam_ldap.so use_authtok try_first_pass
password requisite pam_deny.so
password required pam_permit.so
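
Added example (not part of the original post): a simplified Python model of how Linux-PAM walks the account stack quoted above, tracing which module decides the result for a given set of module return codes. The return codes passed to evaluate() are assumed scenario inputs, and parse() and evaluate() are hypothetical helper names.

```python
# Added example: simplified model of Linux-PAM control actions
# (ok/done/bad/die/ignore/jump); reset, substacks and cached chains are omitted.
SHORTHAND = {
    "required": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
}
# Account stack copied from the post's /etc/pam.d/sshd
ACCOUNT_STACK = """\
account required pam_nologin.so
account [success=2 new_authtok_reqd=done default=ignore] pam_localuser.so
account [success=1 default=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
"""

def parse(stack):
    rules = []
    for line in stack.splitlines():
        rest = line.split(None, 1)[1]
        if rest.startswith("["):                      # [value=action ...] form
            ctrl, mod = rest[1:].split("]", 1)
            actions = dict(kv.split("=") for kv in ctrl.split())
        else:                                         # required / requisite
            ctrl, mod = rest.split(None, 1)
            actions = SHORTHAND[ctrl]
        rules.append((mod.split()[0], actions))
    return rules

def evaluate(rules, results):
    """results maps module -> assumed return code; unlisted modules succeed."""
    status, impression, trace, i = "perm_denied", None, [], 0
    while i < len(rules):
        mod, actions = rules[i]
        ret = results.get(mod, "success")
        action = actions.get(ret, actions["default"])
        trace.append((mod, ret, action))
        i += 1
        if action.isdigit():                          # jump: skip N modules
            i += int(action)
        elif action in ("ok", "done"):
            if ret != "ignore" and (impression is None or (impression, status) == ("+", "success")):
                impression, status = "+", ret
        elif action in ("bad", "die") and impression != "-":
            impression, status = "-", ret
        if action in ("done", "die"):                 # stop evaluating the stack
            break
    if status == "success" and impression != "+":     # nothing voted "ok"
        status = "perm_denied"
    return status, trace
```

In this model any non-success result from pam_ldap.so in the account phase is ignored and evaluation falls through to the requisite pam_deny.so, so the outcome for an LDAP-only user depends entirely on what pam_ldap.so returns there.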