LinuxQuestions.org - Linux - Newbie - PAM authentication failure
http://www.linuxquestions.org/questions/linux-newbie-8/pam-authentication-failure-690760/

capibolso 12-15-2008 01:48 PM

PAM authentication failure
 
My PAM module seems to work right, but it fails in authentication. Although it can't authenticate, the session module works and the software that uses it executes well.

For example, when I log in through "gdm" using PAM to authenticate against an LDAP server,
/var/log/auth.log shows
Code:

pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myuser
pam_unix(gdm:session): session opened for user myuser by (uid=0)

Any ideas?

F1Linux 05-01-2013 03:24 AM

LDAP not being consulted during PAM authentication
 
Hi capibolso-

It's clear that your LDAP server is not being consulted as a source of authentication by PAM. Below is a specimen of what you should be seeing in your logs if PAM is using LDAP:
Code:

May 1 08:06:48 ns1 sshd[32592]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myComputer.f1linux.com user=myUsername
May 1 08:06:48 ns1 sshd[32592]: Accepted password for myUsername from 10.10.10.10 port 60069 ssh2
May 1 08:06:48 ns1 sshd[32592]: pam_unix(sshd:session): session opened for user myUsername

The following are some HowTos I bunged on my blog which you may find useful. Please note that the blog entries are geared towards more modern LDAP configurations and work with RHEL/CentOS 6+. If you're using some ancient setup, you might find issues:

The first link details how to configure LDAP clients for PAM:

http://blog.f1linux.com/2013/04/21/h...oubleshooting/

And the next link details how to unpick LDAP errors. The LDAP queries have to wind through various parts of the system for everything to work correctly. The trick is, knowing at what point things are breaking:

http://blog.f1linux.com/2013/04/25/h...t-ldap-errors/

Hope this helps somebody out. LDAP is a monkey, to be sure, and it's really not been very well documented, hence my own efforts. LDAP is brilliant, but I can't believe how totally absent, or just obtuse and unhelpful, whatever has been written is.

-Terrence
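The diagnostic Terrence applies by eye (the gdm log shows only pam_unix failing in the auth phase and then a session opening, while a working LDAP setup logs pam_sss or pam_ldap in the auth phase) can be automated over /var/log/auth.log. The script below is an added example, not code from either poster or from LinuxQuestions.org. It parses the PAM lines quoted in both posts (embedded here as a constructed sample; the syslog prefix on the gdm lines is invented so every entry has the same shape) and reports, per PAM service, whether a directory-backed module ever handled authentication. It generalises slightly beyond the thread by also recognising pam_ldap, the older module that plays the role pam_sss plays on RHEL/CentOS 6+.

```python
import re
from collections import defaultdict

# Constructed sample: the log lines quoted in the two posts above. The
# "Dec 15 ... host gdm[1234]:" prefix on the first two lines is invented so
# that all entries look like ordinary syslog output.
SAMPLE_LOG = """\
Dec 15 13:48:01 host gdm[1234]: pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=myuser
Dec 15 13:48:01 host gdm[1234]: pam_unix(gdm:session): session opened for user myuser by (uid=0)
May 1 08:06:48 ns1 sshd[32592]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=myComputer.f1linux.com user=myUsername
May 1 08:06:48 ns1 sshd[32592]: Accepted password for myUsername from 10.10.10.10 port 60069 ssh2
May 1 08:06:48 ns1 sshd[32592]: pam_unix(sshd:session): session opened for user myUsername
"""

# PAM modules that consult a directory service instead of /etc/shadow.
DIRECTORY_MODULES = {"pam_sss", "pam_ldap"}

# Matches the "module(service:phase): event" fragment PAM writes to auth.log.
PAM_RE = re.compile(
    r"(?P<module>pam_\w+)\((?P<service>[\w-]+):(?P<phase>\w+)\): "
    r"(?P<event>authentication failure|authentication success|session opened)"
)


def parse_pam_events(text):
    """Return (service, phase, module, event) tuples for every PAM log line.

    Lines without a PAM fragment (e.g. sshd's own "Accepted password") are skipped.
    """
    events = []
    for line in text.splitlines():
        m = PAM_RE.search(line)
        if m:
            events.append((m["service"], m["phase"], m["module"], m["event"]))
    return events


def diagnose(text):
    """Classify each PAM service seen in the log.

    The interesting case is the one from the first post: the only auth-phase
    module is pam_unix and it fails, yet a session still opens. That pattern
    means the PAM stack never reached a directory module for that service.
    """
    by_service = defaultdict(list)
    for service, phase, module, event in parse_pam_events(text):
        by_service[service].append((phase, module, event))

    findings = {}
    for service, evs in by_service.items():
        auth_modules = {mod for ph, mod, _ in evs if ph == "auth"}
        session_opened = any(
            ph == "session" and ev == "session opened" for ph, _, ev in evs
        )
        local_auth_failed = any(
            ph == "auth" and mod == "pam_unix" and ev == "authentication failure"
            for ph, mod, ev in evs
        )
        if auth_modules & DIRECTORY_MODULES:
            findings[service] = "directory module consulted"
        elif local_auth_failed and session_opened:
            findings[service] = "local auth failed but session opened: LDAP not consulted"
        elif local_auth_failed:
            findings[service] = "local auth failed"
        else:
            findings[service] = "no auth event seen"
    return findings


if __name__ == "__main__":
    # Run against a real file with: python3 pamcheck.py < /var/log/auth.log
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for service, verdict in sorted(diagnose(data).items()):
        print(f"{service}: {verdict}")
```

On the sample, gdm is reported as "local auth failed but session opened: LDAP not consulted" and sshd as "directory module consulted", which is exactly the contrast the second post draws between the two log excerpts. A "session opened" line after a failed auth is normal PAM behaviour when the session stack is independent of the auth stack, so the script keys on which module handled the auth phase rather than on the session line itself.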
