Problem with pam_ldap
Nuno Manuel Martins
nuno.mmartins_externo at sonae.com
Tue Apr 15 10:42:01 UTC 2008
Hello again,
I picked up on this again and noticed a strange behaviour...
Although getent returns correct data like:
[root at rh01 ~]# getent passwd | grep myuser
myuser:x:10002:10001:myUser (LDAP):/home/ldap/john:/bin/bash
I can't sudo ...
[root at rh01 ~]# su - myuser
su: user myuser does not exist
So I am not sure this is PAM related... does anyone know where the problem might be?
Thank you,
Nuno
From: Nuno Manuel Martins
Sent: terça-feira, 8 de Abril de 2008 17:07
To: 'pam-list at redhat.com'
Subject: Problem with pam_ldap
Hello,
I am currently using OpenLDAP for authentication and seems I'm having some troubles explaining PAM what it should be doing. I get this error when trying to login with an ldap user trough ssh:
Apr 8 16:38:16 rh01 sshd[11045]: debug1: userauth-request for user myuser service ssh-connection method password
Apr 8 16:38:16 rh01 sshd[11045]: debug1: attempt 1 failures 1
Apr 8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): check pass; user unknown
Apr 8 16:38:17 rh01 sshd[11044]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=rh01.localdomain
Apr 8 16:38:17 rh01 sshd[11044]: pam_succeed_if(sshd:auth): error retrieving information about user myuser
Apr 8 16:38:19 rh01 sshd[11044]: debug1: PAM: password authentication failed for an illegal user: User not known to the underlying authentication module
Apr 8 16:38:19 rh01 sshd[11044]: Failed password for invalid user myuser from 127.0.0.1 port 42064 ssh2
So it seems he just doesn't recognize the user (stored in LDAP directory). I had this working before but then I made some changes to try to make the pam files more readable and now they never got back to working ... :)
Here is my system-auth file in /etc/pam.d
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient /lib/security/pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient /lib/security/pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional /lib/security/pam_ldap.so
And here is sshd file in the same directory
#%PAM-1.0
auth sufficient /lib/security/pam_ldap.so
auth include system-auth
account sufficient /lib/security/pam_ldap.so
account required pam_nologin.so
account include system-auth
password required /lib/security/pam_ldap.so
password include system-auth
session sufficient /lib/security/pam_ldap.so
password sufficient pam_unix.so ssha shadow nullok try_first_pass use_authtok
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
As part of the "file clean-up" I was only using the "include" directives but since it stopped working I reverted back to explicitly telling what module to use... still doesn't work though. Can anyone see why SSH doesn't even try to authenticate against the OpenLDAP directory?
Thank you,
Nuno
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pam-list/attachments/20080415/291e9b22/attachment.htm>
More information about the Pam-list
mailing list