PAM troubleshooting assistance
Joshua M. Miller
joshua at itsecureadmin.com
Thu May 10 17:30:30 UTC 2007
I have a problem authenticating to a Redhat 3.8 host via PAM, (pam_ldap)
and could use some pointers on continued troubleshooting.
I've recently upgraded OpenLDAP from 2.0.27 -> 2.3.34. I have ~100
hosts authenticating to this directory without any issues, the majority
of these hosts are CentOS 3/4 hosts.
The problem is with 2 RHEL 3.8 hosts -- they have the exact same
configuration as all of the other linux hosts (pushed via cfengine) and
yet they do not bind properly to obtain the userPassword attribute.
The basic flow that I see from the LDAP server for a successful bind:
1. Bind anonymously to obtain uid/homedirectory, etc
2. Bind anonymously to attempt to obtain userPassword -> fail
3. Bind as uid authenticating to obtain userPassword -> success
The 2 hosts that are failing do not perform step 3 and the login fails.
I thought the problem was related to nss_ldap but I have now come to
the point where the issue is inconsisten. The problem went away for a
day or two when I installed the CentOS nss_ldap RPM on the RHEL host but
when I restored the ACL this morning, the host stopped working.
The only logs that I see are access denied from pam_unix:
/var/log/messages
May 7 08:51:09 <host> sshd(pam_unix)[11294]: authentication failure;
logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host.example.org
May 7 08:51:15 <host> sshd(pam_unix)[11294]: check pass; user unknown
May 7 08:51:18 <host> sshd(pam_unix)[11294]: 1 more authentication
failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=host.example.org
My /etc/pam.d/system-auth:
auth required /lib/security/$ISA/pam_env.so debug
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
debug
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
debug
auth required /lib/security/$ISA/pam_deny.so debug
account sufficient /lib/security/$ISA/pam_unix.so debug
account sufficient /lib/security/$ISA/pam_ldap.so debug
password required /lib/security/$ISA/pam_cracklib.so retry=3
type= debug
password sufficient /lib/security/$ISA/pam_unix.so nullok
use_authtok md5 shadow debug
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok debug
password required /lib/security/$ISA/pam_deny.so debug
session required /lib/security/$ISA/pam_limits.so debug
session required /lib/security/$ISA/pam_unix.so debug
session optional /lib/security/$ISA/pam_ldap.so debug
/etc/nsswitch.conf:
passwd: files ldap
shadow: files ldap
group: files ldap
Any ideas for continued troubleshooting?
Thanks,
--
Joshua M. Miller - RHCE,VCP
More information about the Pam-list
mailing list