Old 06-01-2007, 05:44 AM   #1
Di@Blo
LQ Newbie
 
Registered: Jun 2007
Posts: 3

Rep: Reputation: 0
Unable to login using ldap accounts


Hi,

The installed OS is Red Hat Enterprise Linux ES release 4 (Nahant Update 1).

Currently there is a problem when trying to log in using Linux accounts defined in LDAP.

Logging in as root and trying su -l <user> doesn't change anything.

The setup of this server is the same as several other servers, and they are not having this issue. So it's doubtful there is an issue on the LDAP server.

Message shown when trying to su to another user:

[root]# su -l bkr
su: incorrect password

When trying ssh, it results in this:

[root]# ssh -l bkr localhost
bkr@localhost's password:
Permission denied, please try again.

A user I created locally works without issue.

The command
$getent passwd

shows me all the available accounts, and
$id <user>
will show me all the user and group information.

This tells me that even though logging in doesn't work, the LDAP server can be contacted correctly to extract all this information.

I was thinking it might be a PAM configuration issue, but I'm not finding any errors in /etc/pam.d/system-auth. But please correct me if I'm wrong.

cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_krb5.so use_first_pass
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth sufficient /lib/security/$ISA/pam_winbind.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so

account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_krb5.so
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account required /lib/security/$ISA/pam_permit.so

password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_krb5.so use_authtok
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password sufficient /lib/security/$ISA/pam_winbind.so use_authtok
password required /lib/security/$ISA/pam_deny.so

session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_krb5.so
session optional /lib/security/$ISA/pam_ldap.so

Also, /etc/pam.d/login looks fine:

cat /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_stack.so service=system-auth
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should be the last session rule
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_selinux.so open

session required /lib/security/pam_limits.so

strace doesn't reveal too much useful information to me either. I've attached the last part of the strace output, since I hope the problem will show up there.

snip "
shutdown(5, 2 /* send and receive */) = 0
close(5) = 0
munmap(0x11b000, 13204) = 0
munmap(0x11f000, 101700) = 0
snip "

This message is repeated 50 times or so.

snip "
munmap(0x119000, 5892) = 0
open("/usr/share/locale/locale.alias", O_RDONLY) = 5
fstat64(5, {st_mode=S_IFREG|0644, st_size=2528, ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7de6000
read(5, "# Locale name alias data base.\n#"..., 4096) = 2528
read(5, "", 4096) = 0
close(5) = 0
munmap(0xb7de6000, 4096) = 0
open("/usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en_US/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/en/LC_MESSAGES/coreutils.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
write(2, "su: ", 4su: ) = 4
write(2, "incorrect password", 18incorrect password) = 18
write(2, "\n", 1
) = 1
exit_group(1) = ?

snip"

I've already re-installed/updated the most related software packages to fix any possible corruption of the installed binaries, but no luck so far.

Packages re-installed:

nss_ldap-226-10.i386.rpm
coreutils-5.2.1-31.2.i386.rpm
pam_krb5-2.1.8-1.i386.rpm
pam-0.77-66.14.i386.rpm
pam-devel-0.77-66.14.i386.rpm
audit-libs-1.0.12-1.EL4.i386.rpm

Anybody got some fresh ideas of what I could check to fix this problem?
Or where to look next?


Regards,

Kristof

--
We are Microsoft. What you are experiencing is not a problem; it is an undocumented feature.
 
Old 06-02-2007, 01:11 AM   #2
paul_mat
Member
 
Registered: Nov 2004
Location: Townsville, Australia
Distribution: Fedora Core 5, CentOS 4, RHEL 4
Posts: 855

Rep: Reputation: 30
I've got a how-to written on my website about using LDAP clients; it might be helpful to read over.

http://www.opensourcehowto.org/how-t...ap-server.html
 
Old 06-08-2007, 04:47 AM   #3
Di@Blo
LQ Newbie
 
Registered: Jun 2007
Posts: 3

Original Poster
Rep: Reputation: 0
I've been busy learning/checking the PAM settings and the LDAP settings, in the hope of stumbling onto the error.

But I'm not convinced that the problem lies in there. And here is why I think that is.

When I use an LDAP account and try to log in using the correct password, I receive the following messages in /var/log/messages:

Jun 8 10:40:53 nemesis sshd(pam_unix)[11211]: check pass; user (bkr) unknown
Jun 8 10:40:53 nemesis sshd(pam_unix)[11211]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=linux11.snip user=bkr
Jun 8 10:40:53 nemesis sshd[11211]: pam_krb5[11211]: authentication fails for 'bkr' (bkr@snip-snip): User not known to the underlying authentication module (Client not found in Kerberos database)
Jun 8 10:40:53 nemesis sshd[11211]: pam_krb5[11211]: account checks fail for 'bkr': user is unknown
Jun 8 10:40:53 nemesis pam_winbind[11211]: request failed, but PAM error 0!
Jun 8 10:40:53 nemesis pam_winbind[11211]: internal module error (retval = 3, user = `bkr')

Which to me is normal, since it is the output of the other defined authentication methods that are failing because this user doesn't apply to them (like winbind, local accounts).

But now when I don't use the correct password:

Jun 8 10:42:53 nemesis sshd(pam_unix)[11243]: check pass; user (bkr) unknown
Jun 8 10:42:53 nemesis sshd(pam_unix)[11243]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=linux11.tisbe.thales user=bkr
Jun 8 10:42:53 nemesis sshd[11243]: pam_krb5[11243]: authentication fails for 'bkr' (bkr@snip): User not known to the underlying authentication module (Client not found in Kerberos database)
Jun 8 10:42:53 nemesis sshd[11243]: pam_ldap: error trying to bind as user "uid=bkr,ou=snip,dc=snip,dc=snip" (Invalid credentials)
Jun 8 10:42:53 nemesis sshd[11243]: pam_ldap: error trying to bind as user "uid=bkr,ou=snip,dc=snip,dc=snip" (Invalid credentials)

This shows me at least that the LDAP server is contacted and that the password is getting checked.

But somewhere down the line something goes wrong.

Anybody got any ideas of what more I can check for this problem?
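As an added illustration (not from the original posts), the following Python model of Linux-PAM's control-flag semantics replays the auth and account stacks from the quoted system-auth with module outcomes constructed from the log lines above: with the correct password pam_ldap is the first auth module to succeed, so the decision moves to the account phase, where any module that returns a code other than success or user_unknown under [default=bad ...] vetoes the whole stack. The per-module return tokens (including the pam_winbind retval = 3, PAM_SERVICE_ERR) are assumptions; the stacking rules follow pam.conf(5).

```python
def parse_control(control):
    """Map a control keyword or '[value=action ...]' string to {retval: action}."""
    keywords = {  # keyword equivalents as documented in pam.conf(5)
        "required":   {"success": "ok",   "default": "bad"},
        "requisite":  {"success": "ok",   "default": "die"},
        "sufficient": {"success": "done", "default": "ignore"},
        "optional":   {"success": "ok",   "default": "ignore"},
    }
    if control.startswith("["):
        return dict(pair.split("=") for pair in control.strip("[]").split())
    return keywords[control]

def run_stack(stack, outcomes):
    """stack: [(control, module)]; outcomes: module -> return token.
    Returns the stack's final status token ('success', 'service_err', ...)."""
    impression, status = None, None
    for control, module in stack:
        actions = parse_control(control)
        retval = outcomes.get(module, "success")
        action = actions.get(retval, actions["default"])
        if action in ("ok", "done"):
            if impression is None or (impression == "positive" and status == "success"):
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break  # 'done': stop early only when nothing before it failed
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", retval  # first failure wins
            if action == "die":
                break
        # 'ignore': the module does not contribute to the result
    return status if status is not None else "perm_denied"

AUTH_STACK = [("required", "pam_env"), ("sufficient", "pam_unix"),
              ("sufficient", "pam_krb5"), ("sufficient", "pam_ldap"),
              ("sufficient", "pam_winbind"), ("required", "pam_deny")]
LDAP_ONLY = "[default=bad success=ok user_unknown=ignore]"
ACCOUNT_STACK = [("required", "pam_unix"), ("sufficient", "pam_localuser"),
                 ("sufficient", "pam_succeed_if"), (LDAP_ONLY, "pam_ldap"),
                 (LDAP_ONLY, "pam_krb5"), (LDAP_ONLY, "pam_winbind"),
                 ("required", "pam_permit")]

def auth_result(ldap_retval):
    """LDAP-only user (constructed): only pam_ldap can vouch for the password."""
    outcomes = {"pam_unix": "user_unknown", "pam_krb5": "user_unknown",
                "pam_ldap": ldap_retval, "pam_winbind": "user_unknown",
                "pam_deny": "auth_err"}
    return run_stack(AUTH_STACK, outcomes)

def account_result(winbind_retval):
    """nss_ldap resolves the user for pam_unix; local-only modules fail softly."""
    outcomes = {"pam_localuser": "user_unknown", "pam_succeed_if": "auth_err",
                "pam_krb5": "user_unknown", "pam_winbind": winbind_retval}
    return run_stack(ACCOUNT_STACK, outcomes)
```

Compare account_result("user_unknown") with account_result("service_err"): the same stack that admits the user when pam_winbind answers "user unknown" rejects it when the module returns an internal error, because that code is not listed in the control field and so falls to default=bad.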
 