Hello,
I am having a small issue with LDAP, and I hope someone here might be able to provide a few tips.
I am unable to authenticate as user 'testuser' on server 'storage', and the following errors appear in /var/log/messages on server 'storage':
Sep 19 16:56:17 storage sshd(pam_unix)[3124]: check pass; user unknown
Sep 19 16:56:17 storage sshd(pam_unix)[3124]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=test-kja1
Sep 19 16:56:17 storage sshd[3124]: pam_ldap: error trying to bind as user "uid=testuser,ou=People,dc=example,dc=local" (Invalid credentials)
I am also unable to issue this command:
# passwd testuser
passwd: Unknown user name 'testuser'.
but this command works fine:
# finger testuser
Login: testuser                         Name: Test User
Directory: /home/testuser               Shell: /bin/bash
Never logged in.
No mail.
No Plan.
The server 'storage' is the LDAP host server, and there are about 9 other servers configured to use 'storage' to authenticate users. All 9 of them allow 'testuser' to log in and also to change his password.
Issuing this command:
# ldapsearch -x -b 'uid=testuser,ou=People,dc=example,dc=local' '(objectclass=*)'
# extended LDIF
#
# LDAPv3
# base <uid=testuser,ou=People,dc=example,dc=local> with scope sub
# filter: (objectclass=*)
# requesting: ALL
#

# testuser, People, example.local
dn: uid=testuser,ou=People,dc=example,dc=local
uid: testuser
cn: Sean Cook
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 547
gidNumber: 500
homeDirectory: /home/testuser

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
I think the issue might be with PAM, because comparing all the files I can think of doesn't point me to any differences except /etc/pam.d/system-auth.
The LDAP server 'storage' has WINBIND turned on, as follows:
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_winbind.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    sufficient    /lib/security/$ISA/pam_winbind.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
And the server 'phoenix' (which allows 'testuser' to log in fine) does not:
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
I tried disabling WINBIND but the issue still occurs even after restarting ldap and sshd.
Please help!!
you can't bind as a user that doesn't have a password
you don't have users until you have configured /etc/ldap.conf properly
1 - use 'system-config-authentication' and don't edit /etc/pam.d/system-auth; uncheck Windows authentication and winbindd goes away
2 - edit /etc/ldap.conf to properly match your ldap setup. When you get it set up properly, the command 'getent passwd' will first list the contents of /etc/passwd and then list whatever you have set up for nss_base_passwd in /etc/ldap.conf
3 - you really need a better understanding of LDAP...try a book
I'll recommend a really old one but really good for basic LDAP knowledge... LDAP System Administration by Gerald Carter
or
OpenLDAP v 2.3 (included with CentOS-5) http://www.openldap.org/doc/admin23/
OpenLDAP v 2.2 (included with CentOS-4) http://www.openldap.org/doc/admin22/
a hint here...you don't say whether you're using CentOS-4 or CentOS-5
man ldap.conf # refers to ldap.conf supplied by openldap - the file located at /etc/openldap/ldap.conf and man 8 ldap.conf (CentOS-4 IIRC) or man pam_ldap (CentOS-5) refers to /etc/ldap.conf (supplied as part of padl's nss)
good luck
Craig
On Wed, 2007-09-19 at 18:19 -0400, Von Landfried wrote:
Thank you for your response, but I might not have been clear in my original email.
All of the other servers (servers[1-9]) are working properly, i.e. the user 'testuser' is able to log in using the password I set, and is able to change the password using passwd, among other things of course. So because of this, I assume LDAP is working properly.
My question is why can't 'testuser' log into the actual LDAP server? There must be some configuration difference, but I just can't find it.
I obviously would not change /etc/pam.d/system-auth manually; I would use 'authconfig' to make any changes. I already turned off WINBIND and that did nothing to fix it. Unless something has to be restarted (other than ldap, sshd), this wasn't the cause.
The /etc/ldap.conf is configured properly, on all machines, which is why I assume the user is able to log into the other 9 servers.
These are CentOS 4.5 servers, so they are running openldap-2.2.13-7.4E
Running 'getent passwd' (didn't know that command, thanks for that one) shows the user, so I assume the password is correctly set up (kinda already knew that since he can log into all other machines).
I will keep trying, and will read through the documentation.
On Sep 19, 2007, at 11:00 PM, Craig White wrote:
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Thu, 2007-09-20 at 11:23 -0400, Von Landfried wrote:
Thank you for your response, but I might not have been clear in my original email.
All of the other servers (servers[1-9]) are working properly, i.e. the user 'testuser' is able to log in using the password I set, and is able to change the password using passwd, among other things of course. So because of this, I assume LDAP is working properly.
My question is why can't 'testuser' log into the actual LDAP server? There must be some configuration difference, but I just can't find it.
---- did you check /var/log/secure on that system? That should log authentication failures/successes.
remember, each machine must make its own connection to ldap and each system has its own /etc/ldap.conf, /etc/openldap/ldap.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth files ----
I obviously would not change /etc/pam.d/system-auth manually; I would use 'authconfig' to make any changes. I already turned off WINBIND and that did nothing to fix it. Unless something has to be restarted (other than ldap, sshd), this wasn't the cause.
---- winbindd would only slow things up - especially if improperly configured.
also, it's a good idea to make sure nscd is stopped - at the very least, stopped until everything is working properly. ----
The /etc/ldap.conf is configured properly, on all machines, which is why I assume the user is able to log into the other 9 servers.
These are CentOS 4.5 servers, so they are running openldap-2.2.13-7.4E
Running 'getent passwd' (didn't know that command, thanks for that one) shows the user, so I assume the password is correctly set up (kinda already knew that since he can log into all other machines).
----
getent passwd
getent group
very important on systems with system users in /etc/passwd and network users in ldap since it gives you the hybrid.
very important also to not have a user in both /etc/passwd and ldap as that would surely cause confusion ----
I will keep trying, and will read through the documentation.
---- good luck
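Craig's getent check, turned into a script as an added example (not code from the thread): it runs over constructed stand-ins for /etc/passwd and `getent passwd` output, lists the accounts that came from the directory, flags any name defined in both /etc/passwd and LDAP, and reports uids shared by more than one account in the merged view. The sample entries and the "files ldap" nsswitch order are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. `getent passwd` enumerates files first,
# then the nss_base_passwd subtree from /etc/ldap.conf; a name present in both
# sources is listed twice, although `getent passwd NAME` returns only the first.
# Real use: LOCAL_PASSWD=$(cat /etc/passwd); GETENT_PASSWD=$(getent passwd)

# Constructed sample /etc/passwd (local accounts only).
LOCAL_PASSWD='root:x:0:0:root:/root:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
testuser:x:547:500:Test User:/home/testuser:/bin/bash'

# Constructed sample `getent passwd` output with nsswitch "passwd: files ldap":
# testuser is defined locally AND in LDAP, and alice reuses uid 547.
GETENT_PASSWD='root:x:0:0:root:/root:/bin/bash
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
testuser:x:547:500:Test User:/home/testuser:/bin/bash
testuser:x:547:500:Sean Cook:/home/testuser:/bin/bash
alice:x:547:500:Alice Example:/home/alice:/bin/bash'

# Tag each line with its source so one awk pass can see both sets.
tagged() {
    printf '%s\n' "$1" | sed 's/^/L:/'
    printf '%s\n' "$2" | sed 's/^/G:/'
}

# Names NSS returns that /etc/passwd lacks: the accounts served by LDAP.
directory_only_users() {
    tagged "$1" "$2" | awk -F: '
        $1 == "L" { local[$2] = 1; next }
        $1 == "G" && !($2 in local) && !seen[$2]++ { print $2 }' | sort
}

# Names defined in /etc/passwd that the directory defines too (enumeration
# lists them more than once); Craig warns this "would surely cause confusion".
users_in_both() {
    tagged "$1" "$2" | awk -F: '
        $1 == "L" { local[$2] = 1; next }
        $1 == "G" { count[$2]++ }
        END { for (u in count) if ((u in local) && count[u] > 1) print u }' | sort
}

# Numeric uids shared by more than one distinct account name in the NSS view.
# Arg: getent passwd text. Output: "UID: name1 name2 ...", one uid per line.
uid_collisions() {
    printf '%s\n' "$1" | awk -F: '
        !seen[$1 ":" $3]++ { names[$3] = names[$3] " " $1; n[$3]++ }
        END { for (u in n) if (n[u] > 1) print u ":" names[u] }' | sort
}

echo "LDAP-only users:   $(directory_only_users "$LOCAL_PASSWD" "$GETENT_PASSWD")"
echo "In files AND ldap: $(users_in_both "$LOCAL_PASSWD" "$GETENT_PASSWD")"
echo "uid collisions:    $(uid_collisions "$GETENT_PASSWD")"
```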