Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in

  FAQ | Search | Memberlist | Usergroups | Statistics | Profile | Log in to check your private messages | Log in | Register

Need help with pam_ldap and console/SSH logins [SOLVED]
 View unanswered posts
View posts from last 24 hours

 
Reply to topic    Gentoo Forums Forum Index Networking & Security
View previous topic :: View next topic  
Author Message
mocsokmike
Tux's lil' helper
Tux's lil' helper


Joined: 04 Aug 2005
Posts: 120
Location: Budapest, Hungary
PostPosted: Thu Feb 05, 2015 2:50 pm    Post subject: Need help with pam_ldap and console/SSH logins [SOLVED] Reply with quote
I have a working LDAP server, used for Samba authentication. I have all my users here, in LDAP.
I have another server running Samba, configured to use the LDAP backend.
It works.

Now I would like to enable some LDAP users to log in via SSH to the Samba server, and I cannot get this work.
Using getent I see the LDAP users on the other server:
Code:
getent passwd | grep admin
admin:x:1344:513:System User:/home/users/admin:/bin/bash
getent shadow | grep admin
admin:*:16115::45::::

When I try to log in via SSH to the Samba server, using an LDAP user and its correct password I get "access denied" and syslog shows this:
Code:
error: PAM: Authentication failure for admin from MY_IP
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_IP user=admin

When I do the same and type a wrong password, I get this:
Code:
error: PAM: Authentication failure for admin from MY_IP
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_IP user=admin
pam_ldap: error trying to bind as user "uid=admin,ou=Users,dc=domain,dc=com" (Invalid credentials)

From this I suspect that the LDAP authentication works. Still, I cannot login neither via console, nor via SSH.
Some relevant config files:
/etc/pam.d/system-auth
Code:
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass

account         required        pam_unix.so
account         sufficient      pam_ldap.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
#session        required        pam_mkhomedir.so skel=/etc/skel/ umask=0
session         optional        pam_ldap.so

/etc/pam.d/sshd
Code:
auth            include         system-remote-login
account         include         system-remote-login
password        include         system-remote-login
session         include         system-remote-login

/etc/pam.d/system-remote-login
Code:
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login

/etc/pam.d/system-login
Code:
auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth

account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally2.so onerr=succeed

password        include         system-auth

session         optional        pam_loginuid.so
session         required        pam_env.so
session         optional        pam_lastlog.so silent
session         include         system-auth
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so

I admit I am no expert in PAM. I have a feeling that I made a stupid mistake somewhere, but I cannot find it for hours now. Please help!
_________________
format c:
emerge system

Last edited by mocsokmike on Mon Feb 09, 2015 2:05 pm; edited 1 time in total
Back to top
View user's profile Send private message
Darknight
Guru
Guru


Joined: 26 Jan 2004
Posts: 483
Location: Italy
PostPosted: Mon Feb 09, 2015 9:48 am    Post subject: Reply with quote
I have "sufficient" on your second line of /etc/pam.d/system-auth and ssh works, try.
Back to top
View user's profile Send private message
mocsokmike
Tux's lil' helper
Tux's lil' helper


Joined: 04 Aug 2005
Posts: 120
Location: Budapest, Hungary
PostPosted: Mon Feb 09, 2015 2:04 pm    Post subject: Reply with quote
That was it! Thanks a lot!
_________________
format c:
emerge system
Back to top
View user's profile Send private message
Darknight
Guru
Guru


Joined: 26 Jan 2004
Posts: 483
Location: Italy
PostPosted: Mon Feb 09, 2015 2:29 pm    Post subject: Reply with quote
Essentially, you were requiring that the user existed in both LDAP and the local system.
Back to top
View user's profile Send private message
mocsokmike
Tux's lil' helper
Tux's lil' helper


Joined: 04 Aug 2005
Posts: 120
Location: Budapest, Hungary
PostPosted: Mon Feb 09, 2015 3:11 pm    Post subject: Reply with quote
It seems logical to me now.
Now I understand PAM's behavior a bit more, this was a good lesson.
_________________
format c:
emerge system
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Networking & Security All times are GMT
Page 1 of 1

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum



 Links: forums.gentoo.org | www.gentoo.org | bugs.gentoo.org | wiki.gentoo.org | forum-mods@gentoo.org

Copyright 2001-2024 Gentoo Foundation, Inc. Designed by Kyle Manna © 2003; Style derived from original subSilver theme. | Hosting by Gossamer Threads Inc. © | Powered by phpBB 2.0.23-gentoo-p11 © 2001, 2002 phpBB Group
Privacy Policy