[Freeipa-users] Fedora 13 client login problems

Rob Crittenden rcritten at redhat.com
Tue Jul 6 17:54:24 UTC 2010


Stephen Gallagher wrote:
> On 06/28/2010 12:14 PM, Dan Scott wrote:
>> Hello,
>>
>> I've just installed a new Fedora 13 client and configured it to use
>> FreeIPA. During ipa-client install, I received the following error:
>>
>> nss_ldap is not able to use DNS discovery! However, the /etc/ldap.conf
>> and /etc/krb5.conf appear to be configured correctly.
>>
>> I am unable to log in to the machine. Here is an extract from 
>> /var/log/secure:
>>
>> Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
>> Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user 
>> djscott
>> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user 
>> unknown
>> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
>> Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error
>> retrieving information about user djscott
>> Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user
>> djscott from 192.168.1.35 port 50502 ssh2
>>
>> Here is the PAM configuration:
>>
>> [root at pc45 ~]# cat /etc/pam.d/sshd
>> #%PAM-1.0
>> auth       required     pam_sepermit.so
>> auth       include      password-auth
>> account    required     pam_nologin.so
>> account    include      password-auth
>> password   include      password-auth
>> # pam_selinux.so close should be the first session rule
>> session    required     pam_selinux.so close
>> session    required     pam_loginuid.so
>> # pam_selinux.so open should only be followed by sessions to be
>> executed in the user context
>> session    required     pam_selinux.so open env_params
>> #session    optional     pam_keyinit.so force revoke
>> session    include      password-auth
>>
>> [root at pc45 ~]# cat /etc/pam.d/password-auth
>> #%PAM-1.0
>> # This file is auto-generated.
>> # User changes will be destroyed the next time authconfig is run.
>> auth        required      pam_env.so
>> auth        sufficient    pam_unix.so nullok try_first_pass
>> auth        requisite     pam_succeed_if.so uid>= 500 quiet
>> auth        sufficient    pam_krb5.so use_first_pass
>> auth        required      pam_deny.so
>>
>> account     required      pam_unix.so broken_shadow
>> account     sufficient    pam_localuser.so
>> account     sufficient    pam_succeed_if.so uid<  500 quiet
>> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
>> account     required      pam_permit.so
>>
>> password    requisite     pam_cracklib.so try_first_pass retry=3
>> password    sufficient    pam_unix.so sha512 shadow nullok
>> try_first_pass use_authtok
>> password    sufficient    pam_krb5.so use_authtok
>> password    required      pam_deny.so
>>
>> session     optional      pam_keyinit.so revoke
>> session     required      pam_limits.so
>> session     optional      pam_mkhomedir.so
>> session     [success=1 default=ignore] pam_succeed_if.so service in
>> crond quiet use_uid
>> session     required      pam_unix.so
>> session     optional      pam_krb5.so
>> [root at pc45 ~]#
>>
>>
>> Does anyone have any suggestions for why this is not working?
>>
> 
> Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client 
> needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf.

I have a partial patch pending that should address this in v2. I'll need 
to clean things up and get it backported to v1.2 (bug 
https://bugzilla.redhat.com/show_bug.cgi?id=611858).

rob

> 
> In the meantime, you might have better luck configuring sssd instead of 
> nss-ldap for user lookups.
> 
> man sssd.conf
> man sssd-ldap
> 
> 

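As an added diagnostic that is not part of this thread (and not FreeIPA's, nss-ldapd's or sssd's own code), the script below checks the lookup chain the log shows failing at pam_succeed_if: which backends /etc/nsswitch.conf lists for passwd, whether each backend's configuration file is present, and whether NSS can resolve the account at all. It assumes nss-ldapd, so the ldap module is mapped to /etc/nslcd.conf as Stephen describes; the sample nsswitch.conf, the ROOT directory and the other file paths are constructed for the demonstration.

```shell
#!/bin/sh
# Diagnose "error retrieving information about user" on an IPA client:
# list the NSS backends serving passwd lookups and check that each one
# has its configuration file. Paths and sample input are assumptions,
# not taken from the original thread.

# passwd_sources FILE -> prints the backends named on the "passwd:" line
passwd_sources() {
    sed -n 's/^passwd:[[:space:]]*//p' "$1"
}

# backend_config BACKEND -> config file that backend reads
# (nss-ldapd's nslcd reads nslcd.conf; legacy nss_ldap read ldap.conf)
backend_config() {
    case "$1" in
        ldap)  echo "/etc/nslcd.conf" ;;      # assumption: nss-ldapd in use
        sss)   echo "/etc/sssd/sssd.conf" ;;
        files) echo "/etc/passwd" ;;
        *)     echo "" ;;
    esac
}

# check_lookup_chain NSSWITCH ROOT -> 0 if every passwd backend has its
# config file under ROOT, 1 otherwise; prints one finding per backend
check_lookup_chain() {
    nsswitch=$1; root=$2; rc=0
    for be in $(passwd_sources "$nsswitch"); do
        cfg=$(backend_config "$be")
        if [ -z "$cfg" ]; then
            echo "passwd backend '$be': unknown module, nothing checked"
        elif [ -f "$root$cfg" ]; then
            echo "passwd backend '$be': config $cfg present"
        else
            echo "passwd backend '$be': config $cfg MISSING"; rc=1
        fi
    done
    return $rc
}

# user_resolves USER -> 0 if NSS resolves the account (the step that
# failed for djscott in the /var/log/secure extract), non-zero otherwise
user_resolves() { getent passwd "$1" >/dev/null 2>&1; }

# Constructed sample: nsswitch routes passwd to files then ldap, but only
# ldap.conf was written, so nslcd.conf is missing and the check fails.
demo() {
    tmp=$(mktemp -d)
    printf 'passwd:     files ldap\nshadow:     files ldap\n' > "$tmp/nsswitch.conf"
    mkdir -p "$tmp/etc" && : > "$tmp/etc/ldap.conf" && : > "$tmp/etc/passwd"
    check_lookup_chain "$tmp/nsswitch.conf" "$tmp"
    r=$?; rm -rf "$tmp"; return $r
}
```

Run `demo` to see the missing-nslcd.conf case, or point check_lookup_chain at the real /etc/nsswitch.conf with an empty ROOT on the affected client.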