[pam ldap] user console login
Todd Hunter-Gilbert
penguin at swcp.com
Thu Feb 24 20:19:20 UTC 2005
Hello all,
I've got a redhat 8 box I'm trying to make an ldap client. It is talking
to the server. From the client, I can do ldapsearch and other similar
commands.
On the client, I can log in as a local user (i.e., root) in all normal
fashions. As a non-local user (non-privileged user from the ldap database),
I can log in via ssh. I cannot log in at the console.
/var/log/messages gets a few error lines when I attempt this. First is
"pam_tally: pam_get_uid; no such user todd"
Then "check pass; user unknown" (this is gdm(pam_unix))
then "authentication failure; logname= uid=0 euid=0 tty=:0 ruser=gdm
rhost=localhost" (this is gdm(pam_unix))
Looking in /etc/pam.d, I see:
gdm is identical to sshd except for one line (sshd requires pam_limits.so
for session). Everything else is kicked to system-auth.
system-auth goes like this (apologies for the shorthand, order preserved):
auth:
required pam_env.so
required pam_tally.so onerr=fail no_magic_root
sufficient pam_unix.so likeauth nullok
sufficient pam_ldap.so use_first_pass
required pam_deny.so
account:
required pam_unix.so remember 10
required pam_tally.so per_user deny=5 no_magic_root
sufficient pam_ldap.so (will remember work here?)
required pam_permit.so
password:
requisite pam_cracklib.so [with password restrictions that don't seem to
be taking effect, is "requisite" correct?]
sufficient pam_unix.so nullok use_authtok md5 shadow
sufficient pam_ldap.so use_authtok
required pam_deny.so
session:
required pam_limits.so
required pam_unix.so
optional pam_ldap.so
Can anybody see why console logins would be failing?
BTW, my pam versions are
pam-0.75-40
pam_smb-1.1.6-5
pam_krb5-1.56-1
pam-devel-0.75-40
Thanks in advance,
Todd Hunter-Gilbert
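The outcome of a PAM stack like the auth section quoted above depends on how the control flags interact: a "required" module that fails does not stop the stack, but its failure is remembered, so a later "sufficient" module that succeeds cannot rescue the login. The following simulator of those flag semantics is an added example, not code from the post or from Linux-PAM; the stack is transcribed from the post's auth section, and the per-module outcomes fed to it are constructed inputs chosen to show what happens when pam_tally (with onerr=fail) returns an error for a user it cannot look up locally.

```python
"""Added example: simulate Linux-PAM control-flag evaluation for one stack.

Not code from the original post. It models the documented behaviour of the
four classic control flags (required, requisite, sufficient, optional).
The stack below is transcribed from the post's auth section; the outcomes
passed in by the scenario functions are constructed, not observed.
"""

# (control_flag, module) in stack order, from the post's system-auth "auth" section
AUTH_STACK = [
    ("required", "pam_env.so"),
    ("required", "pam_tally.so"),    # onerr=fail no_magic_root in the post
    ("sufficient", "pam_unix.so"),
    ("sufficient", "pam_ldap.so"),   # use_first_pass in the post
    ("required", "pam_deny.so"),     # always returns failure
]


def evaluate_stack(stack, outcomes):
    """Return (overall_result, trace) for a stack given each module's own result.

    outcomes maps module name -> "ok" or "fail"; a module missing from the
    mapping is treated as "fail" (pam_deny.so is never listed, for example).
    Semantics modelled:
      required   : failure is remembered but the stack keeps running
      requisite  : failure ends the stack immediately with failure
      sufficient : success ends the stack with success unless a required
                   module already failed; failure is simply ignored
      optional   : ignored here (only matters when it is the sole module)
    Simplification: if the stack runs to the end, the result is "fail" when
    any required module failed and "ok" otherwise.
    """
    required_failed = False
    trace = []
    for control, module in stack:
        result = outcomes.get(module, "fail")
        trace.append(f"{control:<10} {module:<14} -> {result}")
        if control == "requisite" and result == "fail":
            trace.append("requisite failed: stop, overall FAIL")
            return "fail", trace
        if control == "required" and result == "fail":
            required_failed = True
            trace.append("required failed: remembered, stack continues")
        if control == "sufficient" and result == "ok":
            if required_failed:
                trace.append("sufficient succeeded, but an earlier required "
                             "module failed: cannot short-circuit")
            else:
                trace.append("sufficient succeeded: stop, overall OK")
                return "ok", trace
    final = "fail" if required_failed else "ok"
    trace.append(f"end of stack: overall {final.upper()}")
    return final, trace


def ldap_user_tally_error():
    """Constructed scenario: LDAP-only user, pam_tally cannot resolve the uid
    and (onerr=fail) returns an error; pam_unix has no local entry; pam_ldap
    would accept the password."""
    return evaluate_stack(AUTH_STACK, {
        "pam_env.so": "ok",
        "pam_tally.so": "fail",
        "pam_unix.so": "fail",
        "pam_ldap.so": "ok",
    })


def ldap_user_tally_ok():
    """Constructed scenario: same user, but pam_tally resolves the uid."""
    return evaluate_stack(AUTH_STACK, {
        "pam_env.so": "ok",
        "pam_tally.so": "ok",
        "pam_unix.so": "fail",
        "pam_ldap.so": "ok",
    })


def local_user():
    """Constructed scenario: local account, pam_unix accepts the password."""
    return evaluate_stack(AUTH_STACK, {
        "pam_env.so": "ok",
        "pam_tally.so": "ok",
        "pam_unix.so": "ok",
    })


if __name__ == "__main__":
    for name, fn in [("ldap user, pam_tally error", ldap_user_tally_error),
                     ("ldap user, pam_tally ok", ldap_user_tally_ok),
                     ("local user", local_user)]:
        result, trace = fn()
        print(f"== {name}: {result}")
        for line in trace:
            print("   " + line)
```

Running it prints the per-module trace for each scenario; the useful part is that the first scenario ends in failure even though pam_ldap succeeded, because the earlier required module's failure is remembered for the rest of the stack. Whether that is what is happening on the box in the post is something only the real logs and nsswitch setup can confirm; the simulator only shows the mechanism.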