Cant authenticate to LDAP domain with Redhat9

Steven D. Haughton shaughto at ee.ucr.edu
Wed Jul 7 16:45:03 UTC 2004


I added the debug line to my system-auth.  It now looks like this:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so debug use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so debug


These are the messages I get in /var/log/messages when I try logging in:

Jul  7 09:37:36 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul  7 09:37:36 blochee sshd(pam_unix)[19078]: authentication failure; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu
Jul  7 09:37:52 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul  7 09:38:15 blochee sshd(pam_unix)[19078]: check pass; user unknown
Jul  7 09:38:27 blochee sshd(pam_unix)[19078]: 2 more authentication failures; logname= uid=0 euid=0 tty=NODEVssh ruser= rhost=blochee.ee.ucr.edu

It seems to me that no new information was output using the debug 
command...
Am I looking at the right log file?

On the machines that work I get this for "getent passwd" and "getent 
shadow":
I picked one user at random because if I put "getent passwd" the list 
would be too long.

Computers that work in ldap:
[root at kona root]# getent shadow pfu
pfu:x:::::::0
[root at kona root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash

Computer that does not work in ldap:
[root at blochee root]# getent passwd pfu
pfu:x:15002:403:Peilin Fu:/home/eeres/pfu:/bin/bash
[root at blochee root]# getent shadow pfu
pfu:x:::::::0

They are the same so it looks like it can read the ldap info ok.

--
Steven
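A static check of the kind of stack posted above, as an added example (my own code, not from the list or from Red Hat's authconfig): it parses a system-auth file and an nsswitch.conf and flags the points raised in this thread (debug set on pam_ldap.so, whether the shadow map has an LDAP source) together with the usual stack-hygiene items (a chain of sufficient modules not closed by pam_deny, pam_ldap after pam_unix without use_first_pass, nullok on pam_unix, exact duplicate lines). The embedded system-auth is a reconstructed copy of the one in the message with mail-wrapped lines rejoined; the nsswitch.conf is a shortened constructed sample; the finding codes are my own naming, not anything PAM or nss_ldap emits.

```python
"""Static audit of a PAM system-auth stack and nsswitch.conf (added example)."""
import re

# Constructed sample: the system-auth from the message above with the
# mail-wrapped continuation lines rejoined. Not a file taken from the list.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so debug use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so debug
password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so debug use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so debug
session     optional      /lib/security/$ISA/pam_ldap.so debug
"""

# Constructed, shortened nsswitch.conf with only the maps that matter here.
NSSWITCH = """\
passwd:         files ldap
group:          files ldap
hosts:          files dns
netgroup:       ldap
"""

# type, control (a word or a [bracketed] action list), module path, optional args
PAM_LINE = re.compile(r'^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)(?:\s+(.*))?$')


def parse_pam(text):
    """Return [(type, control, module_basename, [args])] for each active line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError('unparseable PAM line: %r' % raw)
        mtype, control, path, args = m.groups()
        # strip the /lib/security/$ISA/ prefix so checks compare module names only
        entries.append((mtype, control, path.rsplit('/', 1)[-1], (args or '').split()))
    return entries


def parse_nsswitch(text):
    """Return {map_name: [sources]} ignoring comments and blank lines."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if line:
            name, _, sources = line.partition(':')
            maps[name.strip()] = sources.split()
    return maps


def audit(pam_text, nss_text):
    """Return a list of finding codes (my own naming); empty means nothing flagged."""
    findings = []
    entries = parse_pam(pam_text)
    maps = parse_nsswitch(nss_text)

    # 1. Exact duplicate lines: the module runs twice, one more place to misconfigure.
    seen = set()
    for mtype, control, module, args in entries:
        key = (mtype, control, module, tuple(args))
        if key in seen:
            findings.append('DUPLICATE:%s:%s' % (mtype, module))
        seen.add(key)

    for mtype in ('auth', 'password'):
        stack = [e for e in entries if e[0] == mtype]
        modules = [e[2] for e in stack]
        # 2. A chain of 'sufficient' modules should end in a required pam_deny;
        #    without it the stack has no explicit failure when every module declines.
        if not stack or stack[-1][2] != 'pam_deny.so' or stack[-1][1] != 'required':
            findings.append('NO_FINAL_DENY:%s' % mtype)
        # 3. In the auth stack, pam_ldap placed after pam_unix without
        #    use_first_pass/try_first_pass prompts for the password a second time.
        if mtype == 'auth' and 'pam_unix.so' in modules and 'pam_ldap.so' in modules:
            ldap_idx = modules.index('pam_ldap.so')
            if ldap_idx > modules.index('pam_unix.so'):
                if not {'use_first_pass', 'try_first_pass'} & set(stack[ldap_idx][3]):
                    findings.append('MISSING_USE_FIRST_PASS:auth:pam_ldap.so')

    # 4. nullok on pam_unix auth accepts local accounts with an empty password field.
    for mtype, control, module, args in entries:
        if mtype == 'auth' and module == 'pam_unix.so' and 'nullok' in args:
            findings.append('NULLOK:auth:pam_unix.so')

    # 5. 'debug' on pam_ldap writes verbose syslog output; report where it is set.
    debug_types = list(dict.fromkeys(e[0] for e in entries
                                     if e[2] == 'pam_ldap.so' and 'debug' in e[3]))
    if debug_types:
        findings.append('DEBUG:pam_ldap.so:' + ','.join(debug_types))

    # 6. passwd is served from LDAP but the shadow map lists no ldap source, so
    #    NSS shadow lookups for LDAP-only users never reach the directory.
    if 'ldap' in maps.get('passwd', []) and 'ldap' not in maps.get('shadow', []):
        findings.append('NO_LDAP_SHADOW_SOURCE')
    return findings


if __name__ == '__main__':
    for finding in audit(SYSTEM_AUTH, NSSWITCH):
        print(finding)
```

To run it against a real box, read /etc/pam.d/system-auth and /etc/nsswitch.conf into strings and pass them to audit(); the regex accepts the bracketed `[default=bad ...]` control syntax that authconfig writes for the account line. A static check like this only tells you what the stack would do, not what it did; the syslog output that the debug option produces is still the record of the actual decision.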

Rigler, Steve wrote:

>Copying over /etc/pam.d/sshd is bad advice and I wouldn't recommend it.
>Your individual /etc/pam.d/* files should be set up to reference 
>system-auth so that you won't have to go in and edit each one 
>individually.  This is why RedHat provides authconfig so that you
>can run one command which will change one file and everything else
>will know to reference it.
>
>Try adding "debug" as the first argument after each pam_ldap.so in your 
>system-auth and watch your messages file when you try to log in.
>
>What does "getent passwd" and "getent shadow" tell you on the machines
>that work?
>
>-Steve
>
>-----Original Message-----
>From: redhat-list-bounces at redhat.com
>[mailto:redhat-list-bounces at redhat.com] On Behalf Of shaughto at ee.ucr.edu
>Sent: Tuesday, July 06, 2004 10:47 PM
>To: General Red Hat Linux discussion list
>Subject: RE: Cant authenticate to LDAP domain with Redhat9
>
>Hi,
>
>Sorry for the late reply... Had two hard drives fail on the two different
>servers over the weekend. =(
>
>Well, I copied the pam.d/system-auth and I can log on as root, but not as
>any users.  So I still have the same problem.
>Here is my system-auth:
>
>#%PAM-1.0
># This file is auto-generated.
># User changes will be destroyed the next time authconfig is run.
>auth        required      /lib/security/$ISA/pam_env.so
>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>auth        required      /lib/security/$ISA/pam_deny.so
>
>account     required      /lib/security/$ISA/pam_unix.so
>account     [default=bad success=ok user_unknown=ignore service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>
>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>password    required      /lib/security/$ISA/pam_deny.so
>
>session     required      /lib/security/$ISA/pam_limits.so
>session     required      /lib/security/$ISA/pam_unix.so
>session     optional      /lib/security/$ISA/pam_ldap.so
>session     optional      /lib/security/$ISA/pam_ldap.so
>
>
>And my nsswitch.conf has no references to shadow.
>Here is my etc/nsswitch.conf:
>
>#ident $Id: nsswitch.ldap,v 2.3 1999/04/13 22:56:43 lukeh Exp $
>#
># An example file that could be copied over to /etc/nsswitch.conf; it
># uses LDAP conjunction with files.
>#
># "hosts:" and "services:" in this file are used only if the
># /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
>
># the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
>passwd:         files ldap
>group:          files ldap
>
>
># consult DNS first, we will need it to resolve the LDAP host. (If we
># can't resolve it, we're in infinite recursion, because libldap calls
># gethostbyname(). Careful!)
>hosts:          files dns
>
># LDAP is nominally authoritative for the following maps.
>services:   files
>networks:   files
>protocols:  files
>rpc:        files
>ethers:     files
>
># no support for netmasks, bootparams, publickey yet.
>netmasks:   files
>bootparams: files
>publickey:  files
>automount:  files
>
># I'm pretty sure nsswitch.conf is consulted directly by sendmail,
># here, so we can't do much here. Instead, use bbense's LDAP
># rules for sendmail.
>aliases:    files
>sendmailvars:   files
>
># No one has written the LDAP support for netgroups yet, so we'll
># have to stick with NIS.
>netgroup:   ldap
>
>
>Any ideas?  Thanks.
>
>--
>Steven
>
>
>>Your ldapsearch and getent look fine.  Do you have anything for
>>shadow in your nsswitch.conf?
>>
>>For the pam stuff, start by looking at your system-auth file.
>>This is how it looks on a RH9 box as configured by authconfig:
>>
>>#%PAM-1.0
>># This file is auto-generated.
>># User changes will be destroyed the next time authconfig is run.
>>auth        required      /lib/security/$ISA/pam_env.so
>>auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
>>auth        required      /lib/security/$ISA/pam_deny.so
>>
>>account     required      /lib/security/$ISA/pam_unix.so
>>account     [default=bad success=ok user_unknown=ignore
>>service_err=ignore system_err=ignore] /lib/security/$ISA/pam_ldap.so
>>
>>password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
>>password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>>password    required      /lib/security/$ISA/pam_deny.so
>>
>>session     required      /lib/security/$ISA/pam_limits.so
>>session     required      /lib/security/$ISA/pam_unix.so
>>session     optional      /lib/security/$ISA/pam_ldap.so
>>
>>-Steve
>>
>>-----Original Message-----
>>From: redhat-list-bounces at redhat.com
>>[mailto:redhat-list-bounces at redhat.com] On Behalf Of Steven D. Haughton
>>Sent: Friday, July 02, 2004 11:01 AM
>>To: General Red Hat Linux discussion list
>>Subject: Re: Cant authenticate to LDAP domain with Redhat9
>>
>>Hi,
>>Thanks for the clarification.  Those authconfig files were bothering me.
>>Ok, I did an ldapsearch and getent and they work fine (from what I can
>>tell).
>>
>>Output:
>>
>>[root at blochee /]# ldapsearch -x -b "dc=ee,dc=ucr,dc=edu" uid=grad-adm
>>version: 2
>>
>>#
>># filter: uid=grad-adm
>># requesting: ALL
>>#
>>
>># grad-adm, People, ee, ucr, edu
>>dn: uid=grad-adm,ou=People,dc=ee,dc=ucr,dc=edu
>>uid: grad-adm
>>cn: Graduate Affairs
>>sn: Affairs
>>mail: grad-adm at ee.ucr.edu
>>labeledURI: http://www.ee.ucr.edu/~grad-adm
>>objectClass: inetOrgPerson
>>objectClass: posixAccount
>>objectClass: top
>>objectClass: shadowAccount
>>loginShell: /bin/bash
>>uidNumber: 30501
>>gidNumber: 402
>>homeDirectory: /home/eemisc/grad-adm
>>gecos: Graduate Affairs
>>
>># search result
>>search: 2
>>result: 0 Success
>>
>># numResponses: 2
>># numEntries: 1
>>[root at blochee /]# getent passwd grad-adm
>>grad-adm:x:30501:402:Graduate Affairs:/home/eemisc/grad-adm:/bin/bash
>>
>>Should I test ldapsearch with  some different commands?
>>Also I tried logging in on virtual consoles with no luck (only root
>>works). = (
>>You said that if ldapsearch and getent work then I should focus on
>>pam....
>>how would I go about testing pam?
>>
>>Thanks again for all your help.
>>
>>--
>>Steven
>>
>>