[Freeipa-users] Fedora 13 client login problems

Stephen Gallagher sgallagh at redhat.com
Mon Jun 28 18:12:43 UTC 2010


On 06/28/2010 12:14 PM, Dan Scott wrote:
> Hello,
>
> I've just installed a new Fedora 13 client and configured it to use
> FreeIPA. During ipa-client install, I received the following error:
>
> nss_ldap is not able to use DNS discovery! However, the /etc/ldap.conf
> and /etc/krb5.conf appear to be configured correctly.
>
> I am unable to login to the machine. Here is an extract from /var/log/secure:
>
> Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.168.1.35
> Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
> Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
> Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
> Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.168.1.35 port 50502 ssh2
>
> Here is the PAM configuration:
>
> [root@pc45 ~]# cat /etc/pam.d/sshd
> #%PAM-1.0
> auth       required     pam_sepermit.so
> auth       include      password-auth
> account    required     pam_nologin.so
> account    include      password-auth
> password   include      password-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_loginuid.so
> # pam_selinux.so open should only be followed by sessions to be executed in the user context
> session    required     pam_selinux.so open env_params
> #session    optional     pam_keyinit.so force revoke
> session    include      password-auth
>
> [root@pc45 ~]# cat /etc/pam.d/password-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
>
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
>
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
>
> session     optional      pam_keyinit.so revoke
> session     required      pam_limits.so
> session     optional      pam_mkhomedir.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> [root@pc45 ~]#
>
>
> Does anyone have any suggestions for why this is not working?
>

Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client 
needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf.

In the meantime, you might have better luck configuring sssd instead of 
nss-ldap for user lookups.

man sssd.conf
man sssd-ldap


-- 
Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.
http://www.redhat.com/promo/vendor/
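An added diagnostic illustrating the mismatch the reply describes (the nsswitch.conf "ldap" source being served by nss-ldapd, which reads /etc/nslcd.conf rather than /etc/ldap.conf); it is example code, not from the thread or from ipa-client. It takes an /etc-style directory so it can run against a constructed copy of the poster's state; the file paths, directive names and sample values are assumptions.

```shell
#!/bin/sh
# Check that every network passwd source in nsswitch.conf has its client
# configuration behind it. On Fedora 13 the "ldap" NSS module is nss-ldapd,
# which reads /etc/nslcd.conf; a populated /etc/ldap.conf does nothing for it.

# Print the passwd sources from nsswitch.conf, e.g. "files ldap".
passwd_sources() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1/nsswitch.conf"
}

# Return 0 when the file exists and contains the directive at line start
# (followed by whitespace or "=", which covers nslcd.conf and sssd.conf styles).
has_directive() {
    [ -f "$1" ] && grep -Eq "^[[:space:]]*$2([[:space:]]|=)" "$1"
}

# One finding per line; returns 1 if any passwd source is unconfigured.
check_nss_backends() {
    etc=$1; rc=0
    for src in $(passwd_sources "$etc"); do
        case $src in
            files|\[*\]) ;;                       # local files and [NOTFOUND=...] actions
            ldap)
                if has_directive "$etc/nslcd.conf" uri && has_directive "$etc/nslcd.conf" base; then
                    echo "ldap: nslcd.conf has uri and base"
                else
                    echo "ldap: nss-ldapd needs uri and base in $etc/nslcd.conf (ldap.conf is not read)"; rc=1
                fi ;;
            sss)
                if has_directive "$etc/sssd/sssd.conf" ldap_uri; then
                    echo "sss: sssd.conf has ldap_uri"
                else
                    echo "sss: no ldap_uri in $etc/sssd/sssd.conf"; rc=1
                fi ;;
            *) echo "$src: source not checked" ;;
        esac
    done
    return $rc
}

# Constructed reproduction of the poster's state (assumed values): nsswitch
# points at ldap, /etc/ldap.conf is filled in, /etc/nslcd.conf is absent.
make_sample_etc() {
    d=$(mktemp -d)
    printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' > "$d/nsswitch.conf"
    printf 'uri ldap://ipa.example.com/\nbase dc=example,dc=com\n' > "$d/ldap.conf"
    echo "$d"
}
```

Running `check_nss_backends "$(make_sample_etc)"` reports the unconfigured ldap source and exits 1; copying the uri and base lines into nslcd.conf makes it pass.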