[Fedora-directory-users] Unable to properly login with cached password using libpam-ccreds
Ryan Braun [ADS]
ryan.braun at ec.gc.ca
Tue Mar 10 14:57:54 UTC 2009
This isn't exactly fds specific, but I figure someone might have run into this
aswell here. I'm trying to setup my ldap clients to cache their passwords so
they are able to login if the network connection to the ldap servers go down.
All servers and clients are running etch.
But I'm having issues getting users to login successfully with a simulated
ldap outtage (just blocking outgoing port 389 with iptables). While the
network is connected, the ldap user newuser is able to ssh in just fine, I
can see that the user's password is cached properly using cc_dump and testing
with cc_test. I don't think it's a problem with me entering in the password
(its just 111111, as you can see with cc_test)
xxxxxx19:~/ldap# cc_dump
Credential Type User Service Cached Credentials
----------------------------------------------------------------------------------
Salted SHA1 newuser any
37955e15e8960ac751616ed1c631f18763806651
xxxxxx19:~/ldap# cc_test -validate any newuser 111111
pam_cc_validate_credentials: Success
xxxxxx19:~/ldap# cc_test -validate any newuser 11111a
pam_cc_validate_credentials: Authentication failure
The oddest part (which must point to pam issues methinks) is that the first
login attempt will always fail, while the second attempt will always work
xxxxxx19:~/ldap# ssh newuser at localhost
newuser at localhost's password:
Permission denied, please try again.
newuser at localhost's password:
You have been logged on using cached credentials.
Linux xxxxxx19 2.6.24-etchnhalf.1-686-bigmem #1 SMP Tue Dec 2 08:50:08 UTC
2008 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 27 14:28:36 2009 from localhost
newuser at xxxxxx19:~$
All cached nss functionality is there during ldap server downtime.
xxxxxx19:~/ldap# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:ldap
reject-with icmp-port-unreachable
xxxxx19:~/ldap# id newuser
uid=1000(newuser) gid=1000(cfwos-user) groups=1000(test-user)
xxxxxx19:~/ldap# grep newuser /etc/passwd
xxxxxx19:~/ldap#
I've installed the following packages on the clients
nss-updatedb
libnss-db
libpam-ccreds
libpam-ldap
libnss-ldap
ldap-utils
Here are my pam configs.
newuser at xxxxxx19:~$ grep -v ^# /etc/pam.d/common-*|strings
/etc/pam.d/common-account:
/etc/pam.d/common-account:
/etc/pam.d/common-account:account sufficient pam_unix.so nullok_secure
/etc/pam.d/common-account:account sufficient pam_ldap.so
/etc/pam.d/common-account:account required pam_permit.so
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:auth sufficient pam_unix.so
/etc/pam.d/common-auth:auth required pam_group.so use_first_pass
/etc/pam.d/common-auth:auth [authinfo_unavail=ignore success=1 default=die]
pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=validate
use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=store
use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=update
use_first_pass
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-password:password sufficient pam_ldap.so
ignore_unknown_user
/etc/pam.d/common-password:password required pam_unix.so nullok obscure
min=4 max=8 md5
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-session:session required pam_mkhomedir.so
skel=/etc/skel/ umask=0077
/etc/pam.d/common-session:session required pam_unix.so
/etc/pam.d/common-session:session optional pam_ldap.so
newuser at xxxxxx19:~$ grep -v ^# /etc/pam.d/login |strings
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
And the libnss/pam_ldap configs
xxxxxx19:~/ldap# vc /etc/libnss-ldap.conf
base dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://xxxsrvr0.xxx.xx.xx.xx
uri ldap://xxxsrvr1.xxx.xx.xx.xx
ldap_version 3
rootbinddn cn=directory manager
bind_timelimit 2
bind_policy soft
pam_check_host_attr yes
pam_password exop
tls_cacertdir /etc/ldap/cacerts
xxxxxx19:~/ldap# vc /etc/pam_ldap.conf
base dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://xxxsrvr0.xxx.xx.xx.xx
uri ldap://xxxsrvr1.xxx.xx.xx.xx
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts
Here is the log contents from auth.log
xxxxxx19:/var/log# grep 28664 auth.log.work |grep -v nss_ldap
Feb 27 14:51:18 xxxxxx19 sshd[28664]: pam_ldap: ldap_starttls_s: Can't contact
LDAP server
Feb 27 14:51:20 xxxxxx19 sshd[28664]: Failed password for newuser from
xxx.xx.xxx.247 port 44489 ssh2
Feb 27 14:51:36 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact
LDAP server
Feb 27 14:51:44 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact
LDAP server
Feb 27 14:51:44 xxxxxx19 sshd[28664]: Accepted password for newuser from
xxx.xx.xxx.247 port 44489 ssh2
xxxxxx19:/var/log#
(without a whole bunch of messages from nss_ldap about not being able to find
the server)
Anyone have any ideas?
Ryan Braun
Informatics Operations
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: (204) 833-2500x2625 CSN: 257-2625 FAX: (204) 833-2524
E-Mail: Ryan.Braun at ec.gc.ca
More information about the Fedora-directory-users
mailing list