Can't authenticate to LDAP domain with Redhat9

Rigler, Steve SRigler at MarathonOil.com
Wed Jul 7 20:28:45 UTC 2004


You're looking at the right log file.

I've been trying to duplicate your problem on a spare machine
here and the only way I've been able to do it is if I rename
/lib/security/pam_ldap.so.  In this case, these are the
messages I get:

Jul  7 14:53:03 houuc9 sshd(pam_unix)[17393]: check pass; user unknown
Jul  7 14:53:03 houuc9 sshd(pam_unix)[17393]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=houuc8
Jul  7 14:53:15 houuc9 sshd(pam_unix)[17393]: check pass; user unknown
Jul  7 14:53:19 houuc9 sshd(pam_unix)[17393]: check pass; user unknown
Jul  7 14:53:22 houuc9 sshd(pam_unix)[17393]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=houuc8

I can still do "getent passwd" because I still have /lib/libnss_ldap*,
but obviously logins are broken.

So I'm wondering if this might be the case for you.  Do you have
/lib/security/pam_ldap.so?  And what does "rpm -V nss_ldap" 
give you?

-Steve
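The "check pass; user unknown" followed by "N more authentication failures" pattern that Steve reproduced is easy to miss by eye in a busy /var/log/messages. The following parser is an added example, not part of this thread or of pam_unix; it rejoins the pam_unix key=value tail, aggregates the "N more authentication failures" summary lines into a per-PID failure count, and flags sessions showing that signature. The sample log is constructed from the lines quoted above plus one made-up "session opened" line to show that unrelated pam_unix messages are ignored.

```python
import re
from dataclasses import dataclass

# Constructed sample: the lines quoted in the thread, with the mail wraps rejoined,
# plus one unrelated pam_unix line (made up) that the parser should skip.
SAMPLE_LOG = """\
Jul  7 14:53:03 houuc9 sshd(pam_unix)[17393]: check pass; user unknown
Jul  7 14:53:03 houuc9 sshd(pam_unix)[17393]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=houuc8
Jul  7 14:53:15 houuc9 sshd(pam_unix)[17393]: check pass; user unknown
Jul  7 14:53:19 houuc9 sshd(pam_unix)[17393]: check pass; user unknown
Jul  7 14:53:22 houuc9 sshd(pam_unix)[17393]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=houuc8
Jul  7 15:01:02 houuc9 sshd(pam_unix)[17401]: session opened for user srigler by (uid=0)
"""

# syslog prefix as written by sshd's PAM logging: "Mon DD HH:MM:SS host service(module)[pid]: msg"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<service>\w+)\((?P<module>\w+)\)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# pam_unix collapses repeated failures into one summary line
MORE_RE = re.compile(r"^(\d+) more authentication failures;")
# key=value pairs after the semicolon; empty values (logname=, ruser=) are allowed
KV_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class AuthSession:
    host: str
    pid: int
    user_unknown: int = 0   # "check pass; user unknown" events
    failures: int = 0       # explicit failures plus the "N more" summaries
    rhost: str = ""         # remote host from the last failure line


def parse_line(line):
    """Split one syslog line into its fields, or return None if it is not PAM output."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def fields(msg):
    """Return the key=value tail of a pam_unix message as a dict."""
    _, _, tail = msg.partition(";")
    return dict(KV_RE.findall(tail))


def summarize(log_text):
    """Aggregate pam_unix auth events per (host, pid)."""
    sessions = {}
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["module"] != "pam_unix":
            continue
        msg = rec["msg"]
        more = MORE_RE.match(msg)
        if msg == "check pass; user unknown":
            kind, count = "unknown", 1
        elif msg.startswith("authentication failure;"):
            kind, count = "failure", 1
        elif more:
            kind, count = "failure", int(more.group(1))
        else:
            continue  # session open/close and other pam_unix chatter
        key = (rec["host"], int(rec["pid"]))
        s = sessions.setdefault(key, AuthSession(*key))
        if kind == "unknown":
            s.user_unknown += count
        else:
            s.failures += count
            s.rhost = fields(msg).get("rhost") or s.rhost
    return sessions


def flag_unknown_user_failures(sessions):
    """Sessions that failed in pam_unix after 'user unknown' lookups: the signature
    the thread ties to pam_ldap.so being absent. Returns (host, pid, rhost, failures)."""
    return [(s.host, s.pid, s.rhost, s.failures)
            for s in sessions.values() if s.user_unknown and s.failures]


if __name__ == "__main__":
    for host, pid, rhost, n in flag_unknown_user_failures(summarize(SAMPLE_LOG)):
        print(f"{host} sshd[{pid}]: {n} failure(s) from {rhost} after 'user unknown' lookups")
```

Run it against a copy of /var/log/messages by replacing SAMPLE_LOG with the file contents; a working LDAP stack produces pam_ldap lines for the same PID, so a session that shows only pam_unix "user unknown" entries is the thing to look at.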

-----Original Message-----
From: redhat-list-bounces at redhat.com
[mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven D. Haughton
Sent: Wednesday, July 07, 2004 11:45 AM
To: General Red Hat Linux discussion list
Subject: Re: Can't authenticate to LDAP domain with Redhat9

I added the debug line to my system-auth.  It now looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so debug use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so debug


These are the messages I get in /var/log/messages when I try logging in:

Jul  7 09:37:36 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul  7 09:37:36 blochee sshd(pam_unix)[19078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
Jul  7 09:37:52 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul  7 09:38:15 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul  7 09:38:27 blochee sshd(pam_unix)[19078]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu

It seems to me that no new information was output using the debug
option...
Am I looking at the right log file?

On the machines that work I get this for "getent passwd" and "getent 
shadow":
I picked one user at random because if I put "getent passwd" the list
would be too long.

Computers that work in ldap:
[root at kona root]# getent shadow pfu
pfu:x:::::::0
[root at kona root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash

Computer that does not work in ldap:
[root at blochee root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
[root at blochee root]# getent shadow pfu
pfu:x:::::::0

They are the same so it looks like it can read the ldap info ok.

--
Steven
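Steven's system-auth makes pam_ldap.so "sufficient" and then ends the auth stack with a "required" pam_deny.so, so if the pam_ldap module file is not on disk, every user who only exists in LDAP falls through to pam_deny even though getent still resolves them. The audit below is an added example (not from this thread, authconfig or pam_ldap): it parses a system-auth file, including the bracketed control syntax, resolves each module path and reports modules that are missing, then names the "sufficient" auth modules whose absence causes that fall-through. It assumes $ISA expands to an empty string (true on a 32-bit RH9 box; set the isa argument otherwise) and builds a throw-away directory tree instead of touching the real /lib/security.

```python
import os
import tempfile
from dataclasses import dataclass

# Constructed sample: the system-auth quoted above, with the mail wraps rejoined.
SAMPLE_SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug
session     optional      /lib/security/$ISA/pam_ldap.so debug
"""


@dataclass
class PamEntry:
    facility: str   # auth / account / password / session
    control: str    # required, sufficient, ... or a bracketed [key=action ...] group
    module: str     # module path as written in the file
    args: list      # module arguments


def parse_pam(text):
    """Parse a PAM config file into PamEntry records (comments and blank lines skipped)."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        facility, rest = line.split(None, 1)
        if rest.startswith("["):
            # bracketed control groups contain spaces, so cut at the closing bracket
            end = rest.index("]")
            control, rest = rest[:end + 1], rest[end + 1:].strip()
        else:
            parts = rest.split(None, 1)
            control, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        parts = rest.split()
        entries.append(PamEntry(facility, control, parts[0], parts[1:]))
    return entries


def expand_isa(path, isa=""):
    """Expand $ISA (Red Hat's architecture suffix). Assumption: empty on 32-bit RH9."""
    return os.path.normpath(path.replace("$ISA", isa))


def audit(entries, root="/", isa=""):
    """Return the entries whose module file does not exist under root."""
    missing = []
    for e in entries:
        full = os.path.join(root, expand_isa(e.module, isa).lstrip("/"))
        if not os.path.exists(full):
            missing.append(e)
    return missing


def missing_module_names(entries, root="/", isa=""):
    return sorted({os.path.basename(e.module) for e in audit(entries, root, isa)})


def lockout_risk(entries, missing):
    """Missing 'sufficient' auth modules followed by a required pam_deny.so:
    users that only that module can authenticate are denied outright."""
    auth = [e for e in entries if e.facility == "auth"]
    risky = []
    for i, e in enumerate(auth):
        if e in missing and e.control == "sufficient":
            if any(os.path.basename(x.module) == "pam_deny.so" and x.control == "required"
                   for x in auth[i + 1:]):
                risky.append(os.path.basename(e.module))
    return risky


def demo_root(missing_basenames=("pam_ldap.so",)):
    """Constructed filesystem: create every module in the sample except those named."""
    root = tempfile.mkdtemp()
    for e in parse_pam(SAMPLE_SYSTEM_AUTH):
        if os.path.basename(e.module) in missing_basenames:
            continue
        full = os.path.join(root, expand_isa(e.module).lstrip("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        open(full, "w").close()
    return root


if __name__ == "__main__":
    entries = parse_pam(SAMPLE_SYSTEM_AUTH)
    root = demo_root()  # replace with "/" to audit the live box
    missing = audit(entries, root)
    print("missing modules:", missing_module_names(entries, root))
    print("auth fall-through to pam_deny for:", lockout_risk(entries, missing))
```

On the real machine, parse_pam(open("/etc/pam.d/system-auth").read()) with root="/" gives the same check Steve asks for (is /lib/security/pam_ldap.so present), and "rpm -V nss_ldap" then tells you whether the package that ships it has been altered.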