
Re: pam_ldap on CentOS passed INCORRECT if local account doesn't exist

by lavermil


I even went and setup kerberos. I have the exact same issue. I now
know this has absolutely nothing to do with pam_ldap but rather PAM
and how the authentication is taking place. Apparently if no local user
is setup then it will fail. I don't know how to get around this
configuration issue. I have to be missing something. Can anyone point
me in the right direction?

TIA,

-lance

On Thu, Aug 28, 2008 at 2:25 PM, Lance Vermilion <pamldap@...> wrote:

> Weston,
>
> Here is what I have for nsswitch.conf, ldap.conf, etc.
>
> I do not know how to enable nss_ldap via authconfig....maybe that is
> causing the issue?
>
> #
> # /etc/ldap.conf
> #
> base dc=disamcep,dc=com
> uri ldap://10.0.6.150/
> binddn uid=user.0,ou=People,dc=disamcep,dc=com
> bindpw test
> timelimit 120
> bind_timelimit 30
> bind_policy soft
> idle_timelimit 3600
> pam_password clear
> nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
> ssl off
> tls_cacertdir /etc/openldap/cacerts
>
> #
> # /etc/openldap/ldap.conf
> #
> URI ldap://10.0.6.150/
> BASE dc=disamcep,dc=com
> TLS_CACERTDIR /etc/openldap/cacerts
>
> #
> # /etc/nsswitch.conf
> #
> passwd:     files ldap
> shadow:     files ldap
> group:      files ldap
> hosts:      files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers:     files
> netmasks:   files
> networks:   files
> protocols:  files
> rpc:        files
> services:   files
> netgroup:   files
> publickey:  nisplus
> automount:  files
> aliases:    files nisplus
>
> #
> # authconfig --test
> #
> caching is disabled
> nss_files is always enabled
> nss_compat is disabled
> nss_db is disabled
> nss_hesiod is disabled
>  hesiod LHS = ""
>  hesiod RHS = ""
> nss_ldap is disabled
>  LDAP+TLS is disabled
>  LDAP server = "ldap://10.0.6.150/"
>  LDAP base DN = "dc=disamcep,dc=com"
> nss_nis is disabled
>  NIS server = ""
>  NIS domain = ""
> nss_nisplus is disabled
> nss_winbind is disabled
>  SMB workgroup = "MYGROUP"
>  SMB servers = ""
>  SMB security = "user"
>  SMB realm = ""
>  Winbind template shell = "/bin/false"
>  SMB idmap uid = "16777216-33554431"
>  SMB idmap gid = "16777216-33554431"
> nss_wins is disabled
> pam_unix is always enabled
>  shadow passwords are enabled
>  md5 passwords are enabled
> pam_krb5 is disabled
>  krb5 realm = "EXAMPLE.COM"
>  krb5 realm via dns is disabled
>  krb5 kdc = "kerberos.example.com:88"
>  krb5 kdc via dns is disabled
>  krb5 admin server = "kerberos.example.com:749"
> pam_ldap is enabled
>
>  LDAP+TLS is disabled
>  LDAP server = "ldap://10.0.6.150/"
>  LDAP base DN = "dc=disamcep,dc=com"
> pam_pkcs11 is disabled
>
>  use only smartcard for login is disabled
>  smartcard module = "coolkey"
>  smartcard removal action = "Ignore"
> pam_smb_auth is disabled
>  SMB workgroup = "MYGROUP"
>  SMB servers = ""
> pam_winbind is disabled
>  SMB workgroup = "MYGROUP"
>  SMB servers = ""
>  SMB security = "user"
>  SMB realm = ""
> pam_cracklib is enabled (try_first_pass retry=3)
> pam_passwdqc is disabled ()
> Always authorize local users is enabled ()
> Authenticate system accounts against network services is disabled
>
>
>
> On Thu, Aug 28, 2008 at 11:59 AM, Weston Rogers <wrogers@...> wrote:
>> This config works fine on 2000+ hosts.  You have all your other bases
>> covered? (/etc/nsswitch.conf, /etc/ldap.conf etc..)
>>
>> Wes
>>
>> On Thu, Aug 28, 2008 at 14:29, Lance Vermilion <pamldap@...> wrote:
>>> Weston,
>>>
>>> Why doesn't auth have pam_ldap included? The only place I see your
>>> pam_ldap is under password.
>>>
>>> I do not see a single ldap request with this configuration. I have
>>> tried with and without the $ISA. Any other thoughts?
>>>
>>> -lance
>>>
>>> On Thu, Aug 28, 2008 at 8:30 AM, Weston Rogers <wrogers@...> wrote:
>>>> This is what I use for /etc/pam.d/system-auth (you don't need to touch
>>>> /etc/pam.d/sshd) :
>>>>
>>>> auth        required      /lib/security/$ISA/pam_env.so
>>>> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
>>>> auth        required      /lib/security/$ISA/pam_deny.so
>>>>
>>>> account     required      /lib/security/$ISA/pam_unix.so
>>>> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
>>>> account     required      /lib/security/$ISA/pam_permit.so
>>>>
>>>> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
>>>> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
>>>> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
>>>> password    required      /lib/security/$ISA/pam_deny.so
>>>>
>>>> session     required      /lib/security/$ISA/pam_limits.so
>>>> session     required      /lib/security/$ISA/pam_unix.so
>>>>
>>>>
>>>> On Wed, Aug 27, 2008 at 18:46, Lance Vermilion <pamldap@...> wrote:
>>>>> Hello All,
>>>>>
>>>>> I am having a bit of an issue. I want to use pam_ldap for
>>>>> authentication and do not want to have a local user account for
>>>>> each user that I want to authenticate via ldap. So for example
>>>>> if I have linux client A receive a login request from a user with the
>>>>> username of "user.2" via ssh I would expect PAM and pam_ldap to use
>>>>> the password which the user provided to bind to the ldap server. For
>>>>> some reason I have something out of order and if the user does not
>>>>> have a local account it is forwarding INCORRECT as the password to the
>>>>> ldap server. If I create the username "user.2" on the local system it
>>>>> will then forward the password provided by the user and then I am off
>>>>> and running. Any thoughts?
>>>>>
>>>>> #
>>>>> # TCPDUMP showing that the password for AUTH is incorrect
>>>>> # user.2 does not exist locally
>>>>> #
>>>>> 00000074  30 40 02 01 03 60 3b 02  01 03 04 27 75 69 64 3d     0@...`;. ...'uid=
>>>>> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65     user.2,o u=People
>>>>> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
>>>>> 000000A4  63 6f 6d 80 0d 08 0a 0d  7f 49 4e 43 4f 52 52 45     com..... .INCORRE
>>>>> 000000B4  43 54                                                CT
>>>>>
>>>>>
>>>>> #
>>>>> # TCPDUMP showing that the password for AUTH is correct
>>>>> # after /usr/sbin/adduser user.2
>>>>> #
>>>>> 00000074  30 37 02 01 03 60 32 02  01 03 04 27 75 69 64 3d     07...`2. ...'uid=
>>>>> 00000084  75 73 65 72 2e 32 2c 6f  75 3d 50 65 6f 70 6c 65     user.2,o u=People
>>>>> 00000094  2c 64 63 3d 64 69 73 61  6d 63 65 70 2c 64 63 3d     ,dc=disa mcep,dc=
>>>>> 000000A4  63 6f 6d 80 04 74 65 73  74                           com..test
>>>>>
>>>>>
>>>>> OS: CentOS 5.1
>>>>>
>>>>> #
>>>>> # /etc/pam.d/sshd
>>>>> #
>>>>> #%PAM-1.0
>>>>> auth         required         /lib/security/pam_nologin.so
>>>>> auth         sufficient         /lib/security/pam_ldap.so
>>>>> auth         required         /lib/security/pam_unix_auth.so try_first_pass
>>>>>
>>>>> account         sufficient         /lib/security/pam_ldap.so
>>>>> account         required         /lib/security/pam_unix_acct.so
>>>>>
>>>>> password         required         /lib/security/pam_cracklib.so
>>>>> password         sufficient         /lib/security/pam_ldap.so
>>>>> password         required         /lib/security/pam_pwdb.so use_first_pass
>>>>>
>>>>> session         required         /lib/security/pam_unix_session.so
>>>>>
>>>>> #
>>>>> # /etc/pam.d/system-auth
>>>>> #
>>>>> #%PAM-1.0
>>>>> # This file is auto-generated.
>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>> auth        required      pam_env.so
>>>>> auth        sufficient    pam_unix.so nullok try_first_pass
>>>>> auth        requisite     pam_succeed_if.so uid >= 500 quiet
>>>>> auth        sufficient    pam_ldap.so use_first_pass
>>>>> auth        required      pam_deny.so
>>>>>
>>>>> account     required      pam_unix.so broken_shadow
>>>>> account     sufficient    pam_localuser.so
>>>>> account     sufficient    pam_succeed_if.so uid < 500 quiet
>>>>> account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>> account     required      pam_permit.so
>>>>>
>>>>> password    requisite     pam_cracklib.so try_first_pass retry=3
>>>>> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>> password    sufficient    pam_ldap.so use_authtok
>>>>> password    required      pam_deny.so
>>>>>
>>>>> session     optional      pam_keyinit.so revoke
>>>>> session     required      pam_limits.so
>>>>> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>> session     required      pam_unix.so
>>>>> session     optional      pam_ldap.so
>>>>>
>>>>
>>>
>>
>

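As an added example that is not part of the thread, the decoder below parses the two LDAP BindRequests from the tcpdump excerpts quoted above (byte strings transcribed from those hex dumps) and flags the password in the first one: `08 0a 0d 7f "INCORRECT"` is the fixed placeholder that OpenSSH's sshd hands to PAM whenever the login name does not resolve through NSS (here nss_ldap is disabled, per the quoted `authconfig --test`), so pam_ldap never sees the user's real password and the bind fails for a reason that looks like a typo on the wire.

```python
# Added example (not from the thread): decode a simple LDAP BindRequest and
# recognise OpenSSH's placeholder password in the captured bind.

# sshd substitutes this fixed string for the typed password when it calls PAM
# for a user that getpwnam() could not resolve, so an unknown user cannot be
# told apart from a wrong password by timing. pam_ldap then binds with it.
SSHD_PLACEHOLDER_PASSWORD = b"\b\n\r\x7fINCORRECT"

def _tlv(buf, pos):
    """Read one BER TLV at pos; return (tag, value, next_pos).
    Handles short and long definite lengths, which is all LDAP uses."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length

def parse_simple_bind(buf):
    """Decode LDAPMessage { messageID, [APPLICATION 0] BindRequest { version,
    name, authentication simple [0] } }; return (msgid, version, dn, password)."""
    tag, msg, _ = _tlv(buf, 0)
    assert tag == 0x30, "LDAPMessage must be a SEQUENCE"
    tag, msgid, pos = _tlv(msg, 0)
    assert tag == 0x02, "messageID must be an INTEGER"
    tag, bind, _ = _tlv(msg, pos)
    assert tag == 0x60, "expected [APPLICATION 0] BindRequest"
    _, version, pos = _tlv(bind, 0)
    _, name, pos = _tlv(bind, pos)
    tag, auth, _ = _tlv(bind, pos)
    assert tag == 0x80, "only simple authentication [0] is handled here"
    return (int.from_bytes(msgid, "big"), int.from_bytes(version, "big"),
            name.decode(), auth)

def is_sshd_placeholder(password):
    """True when the bind password is sshd's fake password, i.e. the user was
    never resolved through NSS (nss_ldap off); the fix is on the client, not
    in the LDAP server or the user's typing."""
    return password == SSHD_PLACEHOLDER_PASSWORD

# Payloads transcribed from the two tcpdump excerpts quoted in the thread.
BIND_NO_LOCAL_USER = bytes.fromhex(
    "30 40 02 01 03 60 3b 02 01 03 04 27 75 69 64 3d 75 73 65 72 2e 32 2c 6f"
    "75 3d 50 65 6f 70 6c 65 2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d"
    "63 6f 6d 80 0d 08 0a 0d 7f 49 4e 43 4f 52 52 45 43 54")
BIND_AFTER_ADDUSER = bytes.fromhex(
    "30 37 02 01 03 60 32 02 01 03 04 27 75 69 64 3d 75 73 65 72 2e 32 2c 6f"
    "75 3d 50 65 6f 70 6c 65 2c 64 63 3d 64 69 73 61 6d 63 65 70 2c 64 63 3d"
    "63 6f 6d 80 04 74 65 73 74")

if __name__ == "__main__":
    for label, pkt in (("no local user", BIND_NO_LOCAL_USER),
                       ("after adduser", BIND_AFTER_ADDUSER)):
        msgid, ver, dn, pw = parse_simple_bind(pkt)
        print(f"{label}: msg {msgid} v{ver} {dn} password={pw!r} "
              f"sshd placeholder={is_sshd_placeholder(pw)}")
```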