ldap client ubuntu 8.04 password unchanged problem.

fahadaziz · 04-15-2010, 05:37 AM

Hello everyone,

I am getting a problem that whenever I loged in with my ldap user on a ldap client and try to change the password of ldap user it doesn't allow me to do so...

azizf@pc:~$ passwd
passwd: User not known to the underlying authentication module
passwd: password unchanged
azizf@pc:~$

tail /var/log/auth.log

Apr 15 12:31:53 pc passwd[21600]: pam_unix(passwd:chauthtok): user "azizf" does not exist in /etc/passwd.
-------------------------------------------------

while azizf is ldap user. I don't know how to troubleshoot this problem.

thanks,
Fahad Bin Aziz.

custangro · 04-16-2010, 01:55 PM

Quote:

Originally Posted by fahadaziz

Hello everyone,

I am getting a problem that whenever I loged in with my ldap user on a ldap client and try to change the password of ldap user it doesn't allow me to do so...

azizf@pc:~$ passwd
passwd: User not known to the underlying authentication module
passwd: password unchanged
azizf@pc:~$

tail /var/log/auth.log

Apr 15 12:31:53 pc passwd[21600]: pam_unix(passwd:chauthtok): user "azizf" does not exist in /etc/passwd.
-------------------------------------------------

while azizf is ldap user. I don't know how to troubleshoot this problem.

thanks,
Fahad Bin Aziz.

What does your /etc/nsswitch.conf look like?

fahadaziz · 04-17-2010, 10:22 AM

# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap
automount: ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Thanks
fahad

custangro · 04-17-2010, 11:23 AM

Quote:

Originally Posted by fahadaziz

# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd: files ldap
group: files ldap
shadow: files ldap
automount: ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

Thanks
fahad

What is the output of..

Code:

root@host# getent passwd azizf 
root@host# grep azizf /etc/passwd

fahadaziz · 04-18-2010, 06:55 AM

root@host:~# getent passwd azizf
root@host:~# azizf:x:8185:136:Fahad Bin Aziz:/home/azizf:/bin/bash
-----------------------------------------------
root@host:~# grep azizf /etc/passwd
root@host:~#

It does not return any thing....
-----------------------------------------------

frndrfoe · 04-18-2010, 09:19 AM

Does your password section of common-auth or system-auth in /etc/pam.d/ have any calls to the ldap module?

fahadaziz · 04-19-2010, 05:49 AM

The output of /etc/pam.d/common-auth file is as follows

# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
#auth requisite pam_unix.so nullok_secure
#auth optional pam_smbpass.so migrate missingok

auth sufficient pam_ldap.so
auth required pam_unix.so use_first_pass nullok_secureroot@:host1/et

where host1 refers to the machine where ldap server is configured...

Thanks,
Fahad Bin Aziz.

frndrfoe · 04-19-2010, 01:46 PM

Is there no section that starts with "password"? Or is there a file called passwd in /etc/pam.d?

The file /etc/pam.d/sshd should be a good clue to what file is being addressed for password manipulation (perhaps something like "password include common-auth"), that is where you also need to have pam_ldap.so to be able to change ldap stored passwords.

fahadaziz · 04-20-2010, 07:07 AM

the output of passwd file....
__________________________________
root@host1:/etc/pam.d# cat passwd
#
# The PAM configuration file for the Shadow `passwd' service
#

@include common-password
---------------------------------------
The output of sshd file
________________________
root@host1:/etc/pam.d# cat sshd
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password

-----------------------------------------------------------

frndrfoe · 04-20-2010, 12:59 PM

Quote:

# root@host1:/etc/pam.d# cat sshd
Standard Un*x password updating.
@include common-password

There is probably no call to pam_ldap.so in common-password.
Since you are running a Ubuntu system and I don't have one to check out, check this page for the common-password section. https://help.ubuntu.com/community/LD...Authentication

You can add all your password lines to sshd instead of using the include statement if you want to only effect that service.