I added the debug line to my system-auth. It now looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so debug use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so debug
These are the messages I get in /var/log/messages when I try logging in:
Jul 7 09:37:36 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:37:36 blochee sshd(pam_unix)[19078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
Jul 7 09:37:52 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:38:15 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:38:27 blochee sshd(pam_unix)[19078]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
It seems to me that no new information was output using the debug command...
Am I looking at the right log file?
On the machines that work I get this for "getent passwd" and "getent shadow":
I picked one user at random because if I put "getent passwd" the list would be too long.
Computers that work in ldap:
[root@kona root]# getent shadow pfu
pfu:x:::::::0
[root@kona root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
Computer that does not work in ldap:
[root@blochee root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
[root@blochee root]# getent shadow pfu
pfu:x:::::::0
They are the same so it looks like it can read the ldap info ok.
-- Steven
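As an added example (not code from the thread, and not part of Red Hat's authconfig), here is a small Python checker for the points raised in this exchange: it parses a system-auth stack and reports pam_ldap.so lines that lack the debug argument, an auth pam_ldap.so that does not follow pam_unix.so with use_first_pass, an auth stack that does not fail closed on a required pam_deny.so, and duplicated lines such as the doubled session entry in the earlier posting. The SAMPLE text is a constructed, cut-down copy of the posted file.

```python
import re
from collections import Counter
# Constructed sample (assumption): the poster's system-auth before "debug" was added.
SAMPLE = """\
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_ldap.so
"""
# type, control (bare word or [key=value ...] block), module path, arguments
LINE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")

def parse_stack(text):
    """Return (type, control, module, args) tuples, one per non-comment line."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            raise ValueError("unparseable PAM line: %r" % raw)
        mtype, control, path, args = m.groups()
        entries.append((mtype, control, path.rsplit("/", 1)[-1], tuple(args.split())))
    return entries

def check_stack(entries):
    """Return the findings the thread's advice would flag; an empty list is clean."""
    findings = []
    for (mtype, control, module, args), n in Counter(entries).items():
        if n > 1:
            findings.append("duplicated line: %s %s %s" % (mtype, control, module))
        if module == "pam_ldap.so" and "debug" not in args:
            findings.append("%s pam_ldap.so has no debug argument" % mtype)
    auth = [e for e in entries if e[0] == "auth"]
    modules = [e[2] for e in auth]
    if "pam_ldap.so" in modules:
        i = modules.index("pam_ldap.so")
        if "use_first_pass" not in auth[i][3] or "pam_unix.so" not in modules[:i]:
            findings.append("auth pam_ldap.so must follow pam_unix.so with use_first_pass")
    if not auth or modules[-1] != "pam_deny.so" or auth[-1][1] != "required":
        findings.append("auth stack does not end with 'required pam_deny.so'")
    return findings

if __name__ == "__main__":
    print("\n".join(check_stack(parse_stack(SAMPLE))))
```

Point parse_stack at the contents of a real /etc/pam.d/system-auth to run the same checks against a live box.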
Rigler, Steve wrote:
Copying over /etc/pam.d/sshd is bad advice and I wouldn't recommend it.
Your individual /etc/pam.d/* files should be set up to reference system-auth so that you won't have to go in and edit each one individually. This is why RedHat provides authconfig so that you can run one command which will change one file and everything else will know to reference it.
Try adding "debug" as the first argument after each pam_ldap.so in your system-auth and watch your messages file when you try to log in.
What does "getent passwd" and "getent shadow" tell you on the machines that work?
-Steve
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of shaughto@xxxxxxxxxx
Sent: Tuesday, July 06, 2004 10:47 PM
To: General Red Hat Linux discussion list
Subject: RE: Cant authenticate to LDAP domain with Redhat9
Hi,
Sorry for the late reply... Had two hard drives fail on the two different servers over the weekend. =(
Well, I copied the pam.d/system-auth and I can log on as root, but not as any users. So I still have the same problem. Here is my system-auth:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
session optional /lib/security/$ISA/pam_ldap.so
And my nsswitch.conf has no references to shadow. Here is my /etc/nsswitch.conf:
#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap

# consult DNS first, we will need it to resolve the LDAP host. (If we
# can't resolve it, we're in infinite recursion, because libldap calls
# gethostbyname(). Careful!)
hosts: files dns

# LDAP is nominally authoritative for the following maps.
services: files
networks: files
protocols: files
rpc: files
ethers: files

# no support for netmasks, bootparams, publickey yet.
netmasks: files
bootparams: files
publickey: files
automount: files

# I'm pretty sure nsswitch.conf is consulted directly by sendmail,
# here, so we can't do much here. Instead, use bbense's LDAP
# rules ofr sendmail.
aliases: files
sendmailvars: files

# No one has written the LDAP support for netgroups yet, so we'll
# have to stick with NIS.
netgroup: ldap
Any ideas? Thanks.
-- Steven
Your ldapsearch and getent look fine. Do you have anything for shadow in your nsswitch.conf?
For the pam stuff, start by looking at your system-auth file. This is how it looks on a RH9 box as configured by authconfig:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
-Steve
-----Original Message-----
From: redhat-list-bounces@xxxxxxxxxx
[mailto:redhat-list-bounces@xxxxxxxxxx] On Behalf Of Steven D. Haughton
Sent: Friday, July 02, 2004 11:01 AM
To: General Red Hat Linux discussion list
Subject: Re: Cant authenticate to LDAP domain with Redhat9
Hi,
Thanks for the clarification. Those authconfig files were bothering me.
Ok, I did an ldapsearch and getent and they work fine (from what I can tell).
Output:
[root@blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
version: 2

#
# filter: uid=grad-adm
# requesting: ALL
#

# grad-adm, People, ee, ucr, edu
dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
uid: grad-adm
cn: Graduate Affairs
sn: Affairs
mail: grad-adm@xxxxxxxxxx
labeledURI: http://www.ee.ucr.edu/~grad-adm
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/bash
uidNumber: 30501
gidNumber: 402
homeDirectory: /home/eemisc/grad-adm
gecos: Graduate Affairs

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
[root@blochee /]# getent passwd grad-adm
grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
Should I test ldapsearch with some different commands? Also I tried logging in on virtual consoles with no luck (only root works). =( You said that if ldapsearch and getent work then I should focus on pam.... how would I go about testing pam?
Thanks again for all your help.
-- Steven
--
redhat-list mailing list
unsubscribe mailto:redhat-list-request@xxxxxxxxxx?subject=unsubscribe
https://www.redhat.com/mailman/listinfo/redhat-list