On Sun, Mar 07, 2010 at 02:36:45PM -0500, ben thielsen wrote:
> when attempting to connect, it appears that the password is accepted but
> access is denied by the account portion of the config. below is some
> output from ssh/sshd, the syslog auth facility, and my sshd pam config.
> i'm hoping i might get some guidance on what i'm doing wrong.

<snip>

> debug1: do_pam_account: called
> debug3: PAM: sshpam_passwd_conv called with 1 messages
> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)

<snip>

> >egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd
> auth required pam_env.so # [1]
> auth required pam_env.so envfile=/etc/default/locale
> auth [success=2 default=ignore] pam_unix.so nullok_secure
> auth [success=1 default=ignore] pam_ldap.so use_first_pass
> auth requisite pam_deny.so
> auth required pam_permit.so

This implies that you've manually copied the contents of /etc/pam.d/common-*
into /etc/pam.d/sshd, instead of using the includes as-is. Is there a
reason for this?

> account required pam_nologin.so
> account [success=2 new_authtok_reqd=done default=ignore] pam_localuser.so #debug
> account [success=1 default=ignore] pam_ldap.so
> account requisite pam_deny.so
> account required pam_permit.so

Note that by omitting pam_unix here, sshd won't honor password expiry set
for any local accounts.

Have you tried adding 'debug' to the pam_ldap line here? Was there any more
log output when the 'debug' option was passed to pam_localuser (which you
seem to have added, then commented out)?

The output and PAM config suggest the problem is most likely with the
pam_ldap module, but so far there's insufficient information to say what
the problem is.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
Ubuntu Developer                                    http://www.debian.org/
slangasek@xxxxxxxxxx                                     vorlon@xxxxxxxxxx
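To make the control-flag reasoning in the reply concrete, here is an added example (not code from the thread or from Linux-PAM itself): a small evaluator for the `[value=action ...]` control syntax, run over the account stack quoted above. Module return codes are supplied as constructed inputs, so the stack logic can be traced without a PAM installation; it shows why a pam_ldap account failure surfaces as pam_deny's `PAM_AUTH_ERR` (7), and why an expired local account passes because pam_unix is absent.

```python
# Toy evaluator for Linux-PAM control flags, applied to the /etc/pam.d/sshd
# account stack from the thread. Return codes per module are constructed
# inputs (a dict), not results from real modules.
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR = 0, 6, 7
PAM_NEW_AUTHTOK_REQD, PAM_ACCT_EXPIRED = 12, 13

# Bracketed equivalents of the classic keywords, per pam.conf(5).
KEYWORDS = {
    "required":  {"success": "ok", "new_authtok_reqd": "ok", "default": "bad"},
    "requisite": {"success": "ok", "new_authtok_reqd": "ok", "default": "die"},
}
# Which value name a return code selects; anything else falls to "default".
VALUE = {PAM_SUCCESS: "success", PAM_NEW_AUTHTOK_REQD: "new_authtok_reqd"}

def parse_control(token):
    """Turn 'required' or '[success=2 default=ignore]' into a value->action map."""
    if token.startswith("["):
        return dict(p.split("=", 1) for p in token.strip("[]").split())
    return KEYWORDS[token]

# The poster's account stack. pam_deny's account hook returns PAM_AUTH_ERR,
# which is the "pam_acct_mgmt = 7" seen in the sshd debug output.
ACCOUNT_STACK = [
    ("required", "pam_nologin.so"),
    ("[success=2 new_authtok_reqd=done default=ignore]", "pam_localuser.so"),
    ("[success=1 default=ignore]", "pam_ldap.so"),
    ("requisite", "pam_deny.so"),
    ("required", "pam_permit.so"),
]

def run_stack(stack, outcomes):
    """Walk the stack and return its final status; unlisted modules succeed."""
    status, i = PAM_SUCCESS, 0
    while i < len(stack):
        ctrl, module = stack[i]
        ret = PAM_AUTH_ERR if module == "pam_deny.so" else outcomes.get(module, PAM_SUCCESS)
        actions = parse_control(ctrl)
        action = actions.get(VALUE.get(ret, "default"), actions["default"])
        i += 1
        if action == "ignore":          # this module's return value is not counted
            continue
        if status == PAM_SUCCESS:       # first failure sticks; ok/bad/N only set a clean status
            status = ret
        if action in ("die", "done"):   # stop walking the stack immediately
            break
        if action.isdigit():            # N: jump over the next N modules
            i += int(action)
    return status
```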
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list