Cant authenticate to LDAP domain with Redhat9
Steven D. Haughton
shaughto at ee.ucr.edu
Wed Jul 7 16:45:03 UTC 2004
I added the debug line to my system-auth. It now looks like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug
password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so debug use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so debug
These are the messages I get in /var/log/messages when I try logging in:
Jul 7 09:37:36 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:37:36 blochee sshd(pam_unix)[19078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
Jul 7 09:37:52 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:38:15 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul 7 09:38:27 blochee sshd(pam_unix)[19078]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
It seems to me that no new information was output using the debug option...
Am I looking at the right log file?
On the machines that work I get this for "getent passwd" and "getent shadow":
I picked one user at random because if I ran "getent passwd" the list would be too long.
Computers that work in ldap:
[root at kona root]# getent shadow pfu
pfu:x:::::::0
[root at kona root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
Computer that does not work in ldap:
[root at blochee root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
[root at blochee root]# getent shadow pfu
pfu:x:::::::0
They are the same, so it looks like it can read the LDAP info OK.
--
Steven
Rigler, Steve wrote:
>Copying over /etc/pam.d/sshd is bad advice and I wouldn't recommend it.
>Your individual /etc/pam.d/* files should be set up to reference
>system-auth so that you won't have to go in and edit each one
>individually. This is why RedHat provides authconfig so that you
>can run one command which will change one file and everything else
>will know to reference it.
>
>Try adding "debug" as the first argument after each pam_ldap.so in your
>system-auth and watch your messages file when you try to log in.
>
>What does "getent passwd" and "getent shadow" tell you on the machines
>that work?
>
>-Steve
>
>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of shaughto at ee.ucr.edu
>Sent: Tuesday, July 06, 2004 10:47 PM
>To: General Red Hat Linux discussion list
>Subject: RE: Cant authenticate to LDAP domain with Redhat9
>
>Hi,
>
>Sorry for the late reply... Had two hard drives fail on the two different servers over the weekend. =(
>
>Well, I copied the pam.d/system-auth and I can log on as root, but not as any users. So I still have the same problem.
>Here is my system-auth:
>
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth required /lib/security/$ISA/pam_env.so
>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
>auth required /lib/security/$ISA/pam_deny.so
>
>account required /lib/security/$ISA/pam_unix.so
>account [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
>password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
>password required /lib/security/$ISA/pam_deny.so
>
>session required /lib/security/$ISA/pam_limits.so
>session required /lib/security/$ISA/pam_unix.so
>session optional /lib/security/$ISA/pam_ldap.so
>session optional /lib/security/$ISA/pam_ldap.so
>
>
>And my nsswitch.conf has no references to shadow.
>Here is my /etc/nsswitch.conf:
>
>#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
>#
># An example file that could be copied over to /etc/nsswitch.conf; it
># uses LDAP conjunction with files.
>#
># "hosts:" and "services:" in this file are used only if the
># /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
># the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
>passwd: files ldap
>group: files ldap
>
>
># consult DNS first, we will need it to resolve the LDAP host. (If we
># can't resolve it, we're in infinite recursion, because libldap calls
># gethostbyname(). Careful!)
>hosts: files dns
>
># LDAP is nominally authoritative for the following maps.
>services: files
>networks: files
>protocols: files
>rpc: files
>ethers: files
>
># no support for netmasks, bootparams, publickey yet.
>netmasks: files
>bootparams: files
>publickey: files
>automount: files
>
># I'm pretty sure nsswitch.conf is consulted directly by sendmail,
># here, so we can't do much here. Instead, use bbense's LDAP
># rules for sendmail.
>aliases: files
>sendmailvars: files
>
># No one has written the LDAP support for netgroups yet, so we'll
># have to stick with NIS.
>netgroup: ldap
>
>
>Any ideas? Thanks.
>
>--
>Steven
>
>
>
>
>>Your ldapsearch and getent look fine. Do you have anything for
>>shadow in your nsswitch.conf?
>>
>>For the pam stuff, start by looking at your system-auth file.
>>This is how it looks on a RH9 box as configured by authconfig:
>>
>>#%PAM-1.0
>># This file is auto-generated.
>># User changes will be destroyed the next time authconfig is run.
>>auth required /lib/security/$ISA/pam_env.so
>>auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
>>auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
>>auth required /lib/security/$ISA/pam_deny.so
>>
>>account required /lib/security/$ISA/pam_unix.so
>>account [default=bad success=ok user_unknown=ignore
>>service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>>
>>password required /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
>>password required /lib/security/$ISA/pam_deny.so
>>
>>session required /lib/security/$ISA/pam_limits.so
>>session required /lib/security/$ISA/pam_unix.so
>>session optional /lib/security/$ISA/pam_ldap.so
>>
>>-Steve
>>
>>-----Original Message-----
>>From: redhat-list-bounces at redhat.com
>>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven D. Haughton
>>Sent: Friday, July 02, 2004 11:01 AM
>>To: General Red Hat Linux discussion list
>>Subject: Re: Cant authenticate to LDAP domain with Redhat9
>>
>>Hi,
>>Thanks for the clarification. Those authconfig files were bothering me.
>>Ok, I did an ldapsearch and getent and they work fine (from what I can
>>tell).
>>
>>Output:
>>
>>[root at blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
>>version: 2
>>
>>#
>># filter: uid=grad-adm
>># requesting: ALL
>>#
>>
>># grad-adm, People, ee, ucr, edu
>>dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
>>uid: grad-adm
>>cn: Graduate Affairs
>>sn: Affairs
>>mail: grad-adm at ee.ucr.edu
>>labeledURI: http://www.ee.ucr.edu/~grad-adm
>>objectClass: inetOrgPerson
>>objectClass: posixAccount
>>objectClass: top
>>objectClass: shadowAccount
>>loginShell: /bin/bash
>>uidNumber: 30501
>>gidNumber: 402
>>homeDirectory: /home/eemisc/grad-adm
>>gecos: Graduate Affairs
>>
>># search result
>>search: 2
>>result: 0 Success
>>
>># numResponses: 2
>># numEntries: 1
>>[root at blochee /]# getent passwd grad-adm
>>grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>>
>>Should I test ldapsearch with some different commands?
>>Also I tried logging in on virtual consoles with no luck (only root works). =(
>>You said that if ldapsearch and getent work then I should focus on PAM...
>>How would I go about testing PAM?
>>
>>Thanks again for all your help.
>>
>>--
>>Steven
>>
>>
>>
>>
>>
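The control-flag logic that this thread keeps circling (pam_unix "sufficient" failing with user-unknown for an LDAP-only user, pam_ldap "sufficient" deciding the outcome, pam_deny supplying the error code, and the bracketed account line ignoring user_unknown/service_err/system_err) can be checked on paper before touching a login prompt. What follows is an added example, not code from the thread or from Linux-PAM: a small Python simulator of the pam.conf(5) control flags, run over the auth and account lines of the system-auth quoted above (including the line breaks the mail client inserted). The per-module return values it feeds in are assumptions chosen to illustrate the cases discussed, not observed results: an LDAP-only user absent from /etc/shadow, a rejected LDAP bind, a local account such as root, and an unreachable LDAP server. Return-value names are the lower-case tokens of the bracket syntax; jump actions (value=N) are not modelled.

```python
"""Simplified simulator of Linux-PAM control-flag semantics (pam.conf(5)).

Added example, not code from the thread or from Linux-PAM.  Module return
values are the bracket-syntax tokens (success, user_unknown, auth_err, ...);
ok/done/bad/die/ignore/reset follow libpam's dispatch rules, jumps (value=N)
are not modelled.  All module results fed in below are assumptions.
"""
import re

# Expansion of the simple control keywords, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

TYPE_RE = re.compile(r"^(auth|account|password|session)\s")
LINE_RE = re.compile(r"^(auth|account|password|session)\s+(\[[^\]]*\]|\w+)\s+(\S+)(.*)$")


def parse_stack(text):
    """Return [(type, actions, module, args), ...] for every stack line.
    A physical line not starting with a stack type is treated as the
    continuation of the previous one, which rejoins lines wrapped by a mailer."""
    logical = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if TYPE_RE.match(line) or not logical:
            logical.append(line)
        else:
            logical[-1] += " " + line
    entries = []
    for line in logical:
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparsable PAM line: %r" % line)
        mtype, control, module, args = m.groups()
        if control.startswith("["):
            actions = dict(kv.split("=", 1) for kv in control[1:-1].split())
        else:
            actions = KEYWORDS[control]
        entries.append((mtype, actions, module.rsplit("/", 1)[-1], args.split()))
    return entries


def evaluate(entries, mtype, results):
    """Run the modules of one stack type with the given (assumed) results.
    results maps module file name -> return value; an unlisted module is taken
    to return "ignore".  Returns (final_status, trace) with trace entries
    (module, return_value, action, running_status)."""
    impression, status, trace = None, "perm_denied", []
    for etype, actions, module, _args in entries:
        if etype != mtype:
            continue
        rv = results.get(module, "ignore")
        action = actions.get(rv, actions.get("default", "bad"))
        if action in ("ok", "done"):
            # A positive result only replaces an undecided or still-successful state.
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", rv
        elif action in ("bad", "die"):
            # The first failure fixes the error code the application will see.
            if impression != "negative":
                impression, status = "negative", rv
        elif action == "reset":
            impression, status = None, "perm_denied"
        elif action != "ignore":
            raise ValueError("unsupported action %r (jumps are not modelled)" % action)
        trace.append((module, rv, action, status))
        if action == "die" or (action == "done" and impression == "positive"):
            break  # decision made: the rest of the stack is skipped
    if impression is None or status == "ignore":
        status = "perm_denied"
    return status, trace


# Constructed input: the auth and account lines of the system-auth quoted in
# the thread, with the line breaks the mail client inserted left in place.
SYSTEM_AUTH = """\
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so debug
use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so
account [default=bad success=ok user_unknown=ignore
service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug
"""


def run_scenarios():
    """Evaluate the quoted stack under assumed (constructed) module results."""
    stack = parse_stack(SYSTEM_AUTH)
    ldap_user = {"pam_env.so": "success", "pam_unix.so": "user_unknown",  # no /etc/shadow entry
                 "pam_ldap.so": "success", "pam_deny.so": "auth_err"}
    bad_bind = dict(ldap_user, **{"pam_ldap.so": "auth_err"})
    local_root = {"pam_env.so": "success", "pam_unix.so": "success"}
    return {
        "auth: LDAP user, bind succeeds": evaluate(stack, "auth", ldap_user)[0],
        "auth: LDAP user, bind rejected": evaluate(stack, "auth", bad_bind)[0],
        "auth: local user (e.g. root)": evaluate(stack, "auth", local_root)[0],
        "account: LDAP unreachable": evaluate(stack, "account", {"pam_unix.so": "success", "pam_ldap.so": "service_err"})[0],
        "account: LDAP says expired": evaluate(stack, "account", {"pam_unix.so": "success", "pam_ldap.so": "acct_expired"})[0],
    }


if __name__ == "__main__":
    for name, status in run_scenarios().items():
        print("%-32s -> %s" % (name, status))
    ldap_user = {"pam_env.so": "success", "pam_unix.so": "user_unknown", "pam_ldap.so": "success"}
    for step in evaluate(parse_stack(SYSTEM_AUTH), "auth", ldap_user)[1]:
        print("  %-12s returned %-13s action=%-6s running status=%s" % step)
```

Running it shows why root can log in while LDAP users cannot once pam_ldap does not succeed: pam_unix is "sufficient" and ends the stack for a local account, whereas for an LDAP-only user its user_unknown result is ignored, the decision falls to pam_ldap, and if that does not return success the error the application sees comes from the trailing pam_deny. The trace also makes the trade-off in the bracketed account line visible: service_err=ignore and system_err=ignore mean that an unreachable LDAP server does not block the account check, while any other non-success result from pam_ldap (acct_expired in the example) denies access.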