Re: sshd access for users in ldap - "Access denied for this service"



On Sun, Mar 07, 2010 at 02:36:45PM -0500, ben thielsen wrote:
> when attempting to connect, it appears that the password is accepted but
> access is denied by the account portion of the config.  below is some
> output from ssh/sshd, the syslog auth facility, and my sshd pam config.
>  i'm hoping i might get some guidance on what i'm doing wrong.


> debug1: do_pam_account: called
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)


> >egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
> auth		required # [1]
> auth		required envfile=/etc/default/locale
> auth		[success=2 default=ignore] nullok_secure
> auth		[success=1 default=ignore] use_first_pass
> auth		requisite             
> auth		required              

This implies that you've manually copied the contents of /etc/pam.d/common-*
into /etc/pam.d/sshd, instead of using the includes as-is.  Is there a
reason for this?

> account		required
> account		[success=2 new_authtok_reqd=done default=ignore] #debug
> account		[success=1 default=ignore]
> account		requisite             
> account		required              

Note that by omitting pam_unix here, sshd won't honor password expiry set
for any local accounts.

Have you tried adding 'debug' to the pam_ldap line here?  Was there any more
log output when the 'debug' option was passed to pam_localuser (which you
seem to have added, then commented out)?

The output and PAM config suggest the problem is most likely with the
pam_ldap module, but so far there's insufficient information to say what the
problem is.

Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                          
slangasek@xxxxxxxxxx                                     vorlon@xxxxxxxxxx
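
An added example, not part of the original message and not code from any project: a small Python check for the points raised in the reply above, namely a service file that no longer uses the common-* includes, an account stack with no pam_unix, and a pam_ldap account line without 'debug'. The sample file contents and the module names in it are constructed assumptions, since the module names are missing from the quoted config.

```python
import re

# Constructed sample of an /etc/pam.d/sshd-style file. Module names are
# assumptions: they are missing from the config quoted in the message.
SAMPLE = """\
auth     [success=1 default=ignore] pam_ldap.so use_first_pass
auth     requisite   pam_deny.so
auth     required    pam_permit.so
account  required    pam_nologin.so
account  [success=1 default=ignore] pam_ldap.so #debug
account  requisite   pam_deny.so
account  required    pam_permit.so
"""

# type, control (simple keyword or [value=action ...]), module, arguments
LINE = re.compile(r"^(-?\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return (includes, rules); rules are (type, control, module, args)."""
    includes, rules = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # a commented-out option is not set
        if not line:
            continue
        if line.startswith("@include"):
            includes.append(line.split()[1])
            continue
        m = LINE.match(line)
        if m:
            mtype, control, module, args = m.groups()
            rules.append((mtype.lstrip("-"), control, module, args.split()))
    return includes, rules

def lint(text):
    """Flag the points raised in the reply for one PAM service file."""
    includes, rules = parse(text)
    account = [r for r in rules if r[0] == "account"]
    findings = []
    if not any(i.startswith("common-") for i in includes):
        findings.append("no @include common-*: stack was copied in by hand")
    # Included files are not resolved here, so only judge a hand-written stack.
    if "common-account" not in includes and not any("pam_unix" in r[2] for r in account):
        findings.append("account stack lacks pam_unix: local password expiry not honored")
    for r in account:
        if "pam_ldap" in r[2] and "debug" not in r[3]:
            findings.append("pam_ldap account line has no 'debug' option")
    return findings
```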


Pam-list mailing list
