« Return to Thread: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by lavermil


Weston,

Here is what I have for nsswitch.conf, ldap.conf, etc.

I do not know how to enable nss_ldap via authconfig... maybe that is
causing the issue?

#
# /etc/ldap.conf
#
base dc=disamcep,dc=com
uri ldap://10.0.6.150/
binddn uid=user.0,ou=People,dc=disamcep,dc=com
bindpw test
timelimit 120
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
pam_password clear
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
ssl off
tls_cacertdir /etc/openldap/cacerts

#
# /etc/openldap/ldap.conf
#
URI ldap://10.0.6.150/
BASE dc=disamcep,dc=com
TLS_CACERTDIR /etc/openldap/cacerts

#
# /etc/nsswitch.conf
#
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files
netgroup:   files
publickey:  nisplus
automount:  files
aliases:    files nisplus

#
# authconfig --test
#
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is disabled
 LDAP+TLS is disabled
 LDAP server = "ldap://10.0.6.150/"
 LDAP base DN = "dc=disamcep,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 md5 passwords are enabled
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled

 LDAP+TLS is disabled
 LDAP server = "ldap://10.0.6.150/"
 LDAP base DN = "dc=disamcep,dc=com"
pam_pkcs11 is disabled

 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignore"
pam_smb_auth is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "MYGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled



On Thu, Aug 28, 2008 at 11:59 AM, Weston Rogers <wrogers@...> wrote:

> This config works fine on 2000+ hosts.  You have all your other bases
> covered? (/etc/nsswitch.conf, /etc/ldap.conf etc..)
>
> Wes
>
> On Thu, Aug 28, 2008 at 14:29, Lance Vermilion <pamldap@...> wrote:
>> Weston,
>>
>> Why doesn't auth have pam_ldap included? The only place I see your
>> pam_ldap is under password.
>>
>> I do not see a single ldap request with this configuration. I have
>> tried with and without the $ISA. Any other thoughts?
>>
>> -lance
>>
>> On Thu, Aug 28, 2008 at 8:30 AM, Weston Rogers <wrogers@...> wrote:
>>> This is what I use for /etc/pam.d/system-auth (you don't need to touch
>>> /etc/pam.d/sshd) :
>>>
>>> auth        required      /lib/security/$ISA/pam_env.so
>>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>> auth        required      /lib/security/$ISA/pam_deny.so
>>>
>>> account     required      /lib/security/$ISA/pam_unix.so
>>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>>> account     required      /lib/security/$ISA/pam_permit.so
>>>
>>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>>> password    required      /lib/security/$ISA/pam_deny.so
>>>
>>> session     required      /lib/security/$ISA/pam_limits.so
>>> session     required      /lib/security/$ISA/pam_unix.so
>>>
>>>
>>> On Wed, Aug 27, 2008 at 18:46, Lance Vermilion <pamldap@...> wrote:
>>>> Hello All,
>>>>
>>>> I am having a bit of an issue. I want to use pam_ldap for
>>>> authentication and do not want to have a local user account for
>>>> each user that I want to authenticate via ldap. So for example,
>>>> if I have linux client A receive a login request from a user with the
>>>> username of "user.2" via ssh, I would expect PAM and pam_ldap to use
>>>> the password which the user provided to bind to the ldap server. For
>>>> some reason I have something out of order, and if the user does not
>>>> have a local account it is forwarding INCORRECT as the password to the
>>>> ldap server. If I create the username "user.2" on the local system it
>>>> will then forward the password provided by the user and then I am off
>>>> and running. Any thoughts?
>>>>
>>>> #
>>>> # TCPDUMP showing that the password for AUTH is incorrect
>>>> # user.2 does not exist locally
>>>> #
>>>> 00000074  30 40 02 01 03 60 3b 02  01 03 04 27 75 69 64 3d   0@...`;. ...'uid=
>>>> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65   user.2,o u=People
>>>> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d   ,dc=disa mcep,dc=
>>>> 000000A4  63 6f 6d 80 0d 08 0a 0d  7f 49 4e 43 4f 52 52 45   com..... .INCORRE
>>>> 000000B4  43 54                                              CT
>>>>
>>>>
>>>> #
>>>> # TCPDUMP showing that the password for AUTH is correct
>>>> # after /usr/sbin/adduser user.2
>>>> #
>>>> 00000074  30 37 02 01 03 60 32 02  01 03 04 27 75 69 64 3d   07...`2. ...'uid=
>>>> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65   user.2,o u=People
>>>> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d   ,dc=disa mcep,dc=
>>>> 000000A4  63 6f 6d 80 04 74 65 73  74                        com..test
>>>>
>>>>
>>>> OS: CentOS 5.1
>>>>
>>>> #
>>>> # /etc/pam.d/sshd
>>>> #
>>>> #%PAM-1.0
>>>> auth         required         /lib/security/pam_nologin.so
>>>> auth         sufficient         /lib/security/pam_ldap.so
>>>> auth         required         /lib/security/pam_unix_auth.so try_first_pass
>>>>
>>>> account         sufficient         /lib/security/pam_ldap.so
>>>> account         required         /lib/security/pam_unix_acct.so
>>>>
>>>> password         required         /lib/security/pam_cracklib.so
>>>> password         sufficient         /lib/security/pam_ldap.so
>>>> password         required         /lib/security/pam_pwdb.so use_first_pass
>>>>
>>>> session         required         /lib/security/pam_unix_session.so
>>>>
>>>> #
>>>> # /etc/pam.d/system-auth
>>>> #
>>>> #%PAM-1.0
>>>> # This file is auto-generated.
>>>> # User changes will be destroyed the next time authconfig is run.
>>>> auth        required      pam_env.so
>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>> auth        required      pam_deny.so
>>>>
>>>> account     required      pam_unix.so broken_shadow
>>>> account     sufficient    pam_localuser.so
>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>> account     required      pam_permit.so
>>>>
>>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>> password    sufficient    pam_ldap.so use_authtok
>>>> password    required      pam_deny.so
>>>>
>>>> session     optional      pam_keyinit.so revoke
>>>> session     required      pam_limits.so
>>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>> session     required      pam_unix.so
>>>> session     optional      pam_ldap.so
>>>>
>>>
>>
>

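Editor's note with an added example (not code from any of the posts above): the two tcpdump excerpts quoted in the thread already answer the question once the LDAP BindRequest is decoded. In the first capture the simple-bind credential is the 13-byte string `08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54`, i.e. `"\b\n\r\177INCORRECT"`. That is not something pam_ldap made up: it is the fixed placeholder password OpenSSH's `auth-pam.c` (`badpw` in `sshpam_auth_passwd()`) hands to the PAM stack whenever the login name cannot be resolved with `getpwnam()`, precisely so that an unknown user gets the same PAM round trip as a known one. Because `user.2` only exists in LDAP and the `authconfig --test` output above reports `nss_ldap is disabled`, sshd never sees the account, substitutes the placeholder, and pam_ldap dutifully binds with it. After `adduser user.2` the name resolves and the second capture shows the real password (`test`) in the bind. The script below is a minimal BER reader for exactly these two messages; the packet bytes are transcribed from the thread and assumed to be complete LDAP messages, and the `OPENSSH_BADPW` constant is quoted from OpenSSH source.

```python
"""Decode the two LDAP simple BindRequest captures quoted in the thread.

Added example, not code from the original posts.  The packet bytes are
transcribed from the tcpdump hex dumps in the thread; the BER reader is a
minimal hand-rolled one so the script runs with no third-party modules.
"""
from typing import Dict, Tuple

# Fixed placeholder OpenSSH passes as the password when the login name
# cannot be resolved with getpwnam() (`badpw` in auth-pam.c).
OPENSSH_BADPW = b"\b\n\r\x7fINCORRECT"

# Capture 1: user.2 does NOT exist locally (transcribed from the thread).
CAPTURE_NO_LOCAL_USER = bytes.fromhex(
    "30 40 02 01 03 60 3b 02 01 03 04 27 75 69 64 3d"
    "75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65"
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d"
    "63 6f 6d 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45"
    "43 54"
)

# Capture 2: after `adduser user.2` (transcribed from the thread).
CAPTURE_LOCAL_USER = bytes.fromhex(
    "30 37 02 01 03 60 32 02 01 03 04 27 75 69 64 3d"
    "75 73 65 72 2e 32 2c 6f 75 3d 50 65 6f 70 6c 65"
    "2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d"
    "63 6f 6d 80 04 74 65 73 74"
)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER tag/length/value at `pos`; return (tag, value, end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated TLV value")
    return tag, value, pos + length


def decode_simple_bind(pkt: bytes) -> Dict[str, object]:
    """Parse LDAPMessage { messageID, BindRequest { version, name, simple } }."""
    tag, msg, _ = read_tlv(pkt, 0)
    if tag != 0x30:                        # SEQUENCE
        raise ValueError("not an LDAPMessage")
    tag, mid, pos = read_tlv(msg, 0)
    if tag != 0x02:                        # INTEGER messageID
        raise ValueError("missing messageID")
    tag, bind, _ = read_tlv(msg, pos)
    if tag != 0x60:                        # [APPLICATION 0] BindRequest
        raise ValueError("not a BindRequest")
    tag, ver, pos = read_tlv(bind, 0)
    if tag != 0x02:
        raise ValueError("missing version")
    tag, name, pos = read_tlv(bind, pos)
    if tag != 0x04:                        # LDAPDN OCTET STRING
        raise ValueError("missing bind DN")
    tag, cred, _ = read_tlv(bind, pos)
    if tag != 0x80:                        # [0] simple OCTET STRING
        raise ValueError("not a simple bind (SASL?)")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(ver, "big"),
        "name": name.decode("utf-8"),
        "password": cred,
        # True when sshd substituted its placeholder, i.e. NSS could not
        # resolve the login name on the client.
        "openssh_placeholder": cred == OPENSSH_BADPW,
    }


if __name__ == "__main__":
    for label, pkt in (("no local user", CAPTURE_NO_LOCAL_USER),
                       ("local user", CAPTURE_LOCAL_USER)):
        r = decode_simple_bind(pkt)
        print(f"{label}: bind as {r['name']!r} password={r['password']!r} "
              f"openssh_placeholder={r['openssh_placeholder']}")
```

Two practical consequences follow from this. First, the thing to verify on the client before touching any PAM stack is name resolution, `getent passwd user.2`: until that returns the LDAP entry, sshd will keep sending the placeholder no matter how `auth` lines are ordered, and that matches the thread's observation that only creating the account locally makes the real password appear. Second, the dump is readable at all only because `/etc/ldap.conf` above has `ssl off` and `pam_password clear`; every user's password crosses the wire in the clear on each login, so once the lookup problem is fixed, TLS to the directory is the next item.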