Copying over /etc/pam.d/sshd is bad advice and I wouldn't recommend it. Your individual /etc/pam.d/* files should be set up to reference system-auth so that you won't have to go in and edit each one individually. This is why RedHat provides authconfig so that you can run one command which will change one file and everything else will know to reference it.

Try adding "debug" as the first argument after each pam_ldap.so in your system-auth and watch your messages file when you try to log in.

What do "getent passwd" and "getent shadow" tell you on the machines that work?

-Steve

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of shaughto@xxxxxxxxxx
Sent: Tuesday, July 06, 2004 10:47 PM
To: General Red Hat Linux discussion list
Subject: RE: Can't authenticate to LDAP domain with Redhat9

Hi,

Sorry for the late reply... Had two hard drives fail on the two different servers over the weekend. =(

Well, I copied the pam.d/system-auth and I can log on as root, but not as any users. So I still have the same problem.

Here is my system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_ldap.so

And my nsswitch.conf has no references to shadow. Here is my /etc/nsswitch.conf:

#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns

# LDAP is nominally authoritative for the following maps.
services: files
networks: files
protocols: files
rpc: files
ethers: files

# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases: files
sendmailvars: files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup: ldap

Any ideas? Thanks.

--
Steven

> Your ldapsearch and getent look fine. Do you have anything for
> shadow in your nsswitch.conf?
>
> For the pam stuff, start by looking at your system-auth file.
> This is how it looks on a RH9 box as configured by authconfig:
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so
> account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
> password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
>
> -Steve
>
> -----Original Message-----
> From: redhat-list-bounces@xxxxxxxxxx
> [mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Steven D. Haughton
> Sent: Friday, July 02, 2004 11:01 AM
> To: General Red Hat Linux discussion list
> Subject: Re: Can't authenticate to LDAP domain with Redhat9
>
> Hi,
> Thanks for the clarification. Those authconfig files were bothering me.
> Ok, I did an ldapsearch and getent and they work fine (from what I can
> tell).
>
> Output:
>
> [root@blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
> version: 2
>
> #
> # filter: uid=grad-adm
> # requesting: ALL
> #
>
> # grad-adm, People, ee, ucr, edu
> dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
> uid: grad-adm
> cn: Graduate Affairs
> sn: Affairs
> mail: grad-adm@xxxxxxxxxx
> labeledURI: http://www.ee.ucr.edu/~grad-adm
> objectClass: inetOrgPerson
> objectClass: posixAccount
> objectClass: top
> objectClass: shadowAccount
> loginShell: /bin/bash
> uidNumber: 30501
> gidNumber: 402
> homeDirectory: /home/eemisc/grad-adm
> gecos: Graduate Affairs
>
> # search result
> search: 2
> result: 0 Success
>
> # numResponses: 2
> # numEntries: 1
> [root@blochee /]# getent passwd grad-adm
> grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>
> Should I test ldapsearch with some different commands?
> Also I tried logging in on virtual consoles with no luck (only root
> works). =(
> You said that if ldapsearch and getent work then I should focus on
> pam....
> how would I go about testing pam?
>
> Thanks again for all your help.
>
> --
> Steven
>
> --
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
> https://www.redhat.com/mailman/listinfo/redhat-list
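Steve's two suggestions at the top of the thread (put "debug" on every pam_ldap.so line in system-auth, and look at whether nsswitch.conf has a shadow map at all) as an added shell example; this is not code from the thread or from Red Hat's authconfig. It stages constructed copies of the two files in a scratch directory and operates only on those copies, so nothing under /etc is touched; the directory name and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the thread: stage a debug-enabled copy of an
# authconfig-style system-auth and report whether nsswitch.conf has a
# shadow map. File contents are constructed inline so this runs offline;
# $WORK is a hypothetical scratch directory, never the live /etc files.

set -eu

WORK="${TMPDIR:-/tmp}/pam-ldap-debug.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Constructed copy of the RH9 authconfig system-auth stack posted in the thread.
cat > "$WORK/system-auth" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
EOF

# Constructed nsswitch.conf: the thread's passwd/group lines and no shadow map.
cat > "$WORK/nsswitch.conf" <<'EOF'
passwd: files ldap
group:  files ldap
hosts:  files dns
EOF

# add_pam_ldap_debug IN OUT
# Copies IN to OUT, inserting "debug" as the first module argument on every
# pam_ldap.so line that does not already carry it. Control flags and module
# paths are left alone, so the stack's logic is unchanged.
add_pam_ldap_debug() {
    sed -E '/pam_ldap\.so/{/[[:space:]]debug([[:space:]]|$)/!s/pam_ldap\.so/& debug/;}' "$1" > "$2"
}

# count_ldap_debug FILE
# Prints how many pam_ldap.so lines in FILE carry the debug argument.
count_ldap_debug() {
    grep -E 'pam_ldap\.so' "$1" | grep -cE '[[:space:]]debug([[:space:]]|$)' || true
}

# check_nss_shadow FILE
# Prints the "shadow:" map line from FILE, or "missing" if there is none.
check_nss_shadow() {
    line=$(grep -E '^[[:space:]]*shadow:' "$1" || true)
    if [ -z "$line" ]; then echo missing; else echo "$line"; fi
}

add_pam_ldap_debug "$WORK/system-auth" "$WORK/system-auth.debug"
echo "pam_ldap.so lines with debug: $(count_ldap_debug "$WORK/system-auth.debug")"
echo "shadow map in nsswitch.conf:  $(check_nss_shadow "$WORK/nsswitch.conf")"
```

To use it on a real box, point add_pam_ldap_debug at a copy of /etc/pam.d/system-auth, inspect the output before putting it in place, and then watch the messages file while an LDAP user logs in, as Steve suggests; remember that authconfig will overwrite the file the next time it runs. check_nss_shadow gives a quick answer to the other question in the thread, whether nsswitch.conf names any source for the shadow map.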