Re: Cant authenticate to LDAP domain with Redhat9

I added the debug line to my system-auth.  It now looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth required /lib/security/$ISA/pam_deny.so


account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug


password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so debug use_authtok
password required /lib/security/$ISA/pam_deny.so


session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so debug


This is the messages I get in /var/log/messages when I try logging in:

Jul 7 09:37:36 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:37:36 blochee sshd(pam_unix)[19078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
Jul 7 09:37:52 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:38:15 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:38:27 blochee sshd(pam_unix)[19078]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu


It seems to me that no new information was output using the debug command...
Am I looking at the right log file?


On the machines that work I get this for "getent passwd" and "getent shadow":
I picked one user at random cause if I put "getent passwd" the list would be too long.


Computers that work in ldap:
[root@kona root]# getent shadow pfu
pfu:x:::::::0
[root@kona root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash

Computer that does not work in ldap:
[root@blochee root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
[root@blochee root]# getent shadow pfu
pfu:x:::::::0

They are the same so it looks like it can read the ldap info ok.

--
Steven

Rigler, Steve wrote:

Copying over /etc/pam.d/sshd is bad advice and I wouldn't recommend it.
Your individual /etc/pam.d/* files should be set up to reference system-auth so that you won't have to go in and edit each one individually. This is why RedHat provides authconfig so that you
can run one command which will change one file and everything else
will know to reference it.


Try adding "debug" as the first argument after each pam_ldap.so in your system-auth and watch your messages file when you try to log in.

What does "getent passwd" and "getent shadow" tell you on the machines
that work?

-Steve

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of shaughto@xxxxxxxxxx
Sent: Tuesday, July 06, 2004 10:47 PM
To: General Red Hat Linux discussion list
Subject: RE: Cant authenticate to LDAP domain with Redhat9

Hi,

Sorry for the late reply... Had two hard drives fail on the two different
servers over the weekend. =(

Well, I copied the pam.d/system-auth and I can log on as root, but not as
any users.  So I still have the same problem.
Here is my system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
session     optional      /lib/security/$ISA/pam_ldap.so


And my nsswitch.conf has no references to shadow. Here is my etc/nsswitch.conf:

#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:         files ldap
group:          files ldap


# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts:      files dns

# LDAP is nominally authoritative for the following maps.
services:   files
networks:   files
protocols:  files
rpc:        files
ethers:     files

# no support for netmasks, bootparams, publickey yet.
netmasks:   files
bootparams: files
publickey:  files
automount:  files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules for sendmail.
aliases:    files
sendmailvars:   files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup:   ldap


Any ideas? Thanks.

--
Steven




Your ldapsearch and getent look fine.  Do you have anything for
shadow in your nsswitch.conf?

For the pam stuff, start by looking at your system-auth file.
This is how it looks on a RH9 box as configured by authconfig:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

-Steve

-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Steven D. Haughton


Sent: Friday, July 02, 2004 11:01 AM
To: General Red Hat Linux discussion list
Subject: Re: Cant authenticate to LDAP domain with Redhat9

Hi,
Thanks for the clarification. Those authconfig files were bothering me.


Ok, I did an ldapsearch and getent and they work fine (from what I can
tell).

Output:

[root@blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2

#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm@xxxxxxxxxx
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@blochee /]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash

Should I test ldapsearch with  some different commands?
Also I tried logging in on virtual consoles with no luck (only root
works). = (
You said that if ldapsearch and getent work then I should focus on
pam....
how would I go about testing pam?

Thanks again for all your help.

--
Steven





--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list
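The two checks Steve asks for in the thread (is "debug" the first argument after every pam_ldap.so, and is there a shadow line in nsswitch.conf that consults ldap) can be run mechanically over the posted files. The script below is an added example, not code from the thread or from Red Hat; the system-auth and nsswitch.conf text inside it is a constructed sample modelled on what Steven posted, with "debug" present only on the auth line.

```python
import re

# Constructed sample: the system-auth stack posted in the thread, with "debug"
# added only on the auth line of pam_ldap.so (the other stacks lack it).
SYSTEM_AUTH = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_unix.so
"""
# Constructed sample: passwd and group go to LDAP, but there is no shadow line at all.
NSSWITCH = "passwd: files ldap\ngroup:  files ldap\nhosts:  files dns  # resolve LDAP host\n"

# type, control (one word or a [bracketed] list), module path, then module arguments
PAM_LINE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_pam(text):
    """Return (type, control, module basename, [args]) for each PAM config line."""
    entries = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())   # comments and blank lines never match
        if m:
            entries.append((m.group(1), m.group(2), m.group(3).rsplit("/", 1)[-1], m.group(4).split()))
    return entries

def parse_nsswitch(text):
    """Map each nsswitch database name to its list of sources, ignoring comments."""
    lines = (ln.split("#", 1)[0] for ln in text.splitlines())
    return {db.strip(): src.split() for db, sep, src in (ln.partition(":") for ln in lines) if sep}

def audit(pam_text, nss_text):
    """List each stack whose pam_ldap.so is missing or lacks a leading 'debug',
    and whether nsswitch.conf has a shadow line that consults ldap."""
    findings, entries = [], parse_pam(pam_text)
    for mtype in ("auth", "account", "password", "session"):
        ldap = [e for e in entries if e[0] == mtype and e[2] == "pam_ldap.so"]
        if not ldap:
            findings.append(f"{mtype}: no pam_ldap.so entry")
        for _, _, _, args in ldap:
            if args[:1] != ["debug"]:
                findings.append(f"{mtype}: pam_ldap.so without 'debug' as first argument")
    shadow = parse_nsswitch(nss_text).get("shadow")
    if shadow is None:
        findings.append("nsswitch: no shadow line")
    elif "ldap" not in shadow:
        findings.append(f"nsswitch: shadow consults {shadow}, not ldap")
    return findings
```

Running `audit(SYSTEM_AUTH, NSSWITCH)` on the sample reports the account and password stacks without debug, the session stack without pam_ldap.so, and the missing shadow line.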