mocsokmike Tux's lil' helper
Joined: 04 Aug 2005 Posts: 120 Location: Budapest, Hungary
Posted: Thu Feb 05, 2015 2:50 pm    Post subject: Need help with pam_ldap and console/SSH logins [SOLVED]
I have a working LDAP server, used for Samba authentication. I have all my users here, in LDAP.
I have another server running Samba, configured to use the LDAP backend.
It works.
Now I would like to enable some LDAP users to log in via SSH to the Samba server, and I cannot get this to work.
Using getent I see the LDAP users on the other server:
Code:
getent passwd | grep admin
admin:x:1344:513:System User:/home/users/admin:/bin/bash
getent shadow | grep admin
admin:*:16115::45::::
When I try to log in via SSH to the Samba server, using an LDAP user and its correct password, I get "access denied" and syslog shows this:
Code:
error: PAM: Authentication failure for admin from MY_IP
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_IP user=admin
When I do the same and type a wrong password, I get this:
Code:
error: PAM: Authentication failure for admin from MY_IP
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_IP user=admin
pam_ldap: error trying to bind as user "uid=admin,ou=Users,dc=domain,dc=com" (Invalid credentials)
From this I suspect that the LDAP authentication works. Still, I cannot log in either via console or via SSH.
Some relevant config files:
/etc/pam.d/system-auth
Code:
auth        required    pam_env.so
auth        required    pam_unix.so try_first_pass likeauth nullok
auth        sufficient  pam_ldap.so use_first_pass
account     required    pam_unix.so
account     sufficient  pam_ldap.so
password    required    pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password    required    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    sufficient  pam_ldap.so use_authtok use_first_pass
session     required    pam_limits.so
session     required    pam_env.so
session     required    pam_unix.so
session     optional    pam_permit.so
#session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0
session     optional    pam_ldap.so
/etc/pam.d/sshd
Code:
auth        include     system-remote-login
account     include     system-remote-login
password    include     system-remote-login
session     include     system-remote-login
/etc/pam.d/system-remote-login
Code:
auth        include     system-login
account     include     system-login
password    include     system-login
session     include     system-login
/etc/pam.d/system-login
Code:
auth        required    pam_tally2.so onerr=succeed
auth        required    pam_shells.so
auth        required    pam_nologin.so
auth        include     system-auth
account     required    pam_access.so
account     required    pam_nologin.so
account     include     system-auth
account     required    pam_tally2.so onerr=succeed
password    include     system-auth
session     optional    pam_loginuid.so
session     required    pam_env.so
session     optional    pam_lastlog.so silent
session     include     system-auth
session     optional    pam_motd.so motd=/etc/motd
session     optional    pam_mail.so
I admit I am no expert in PAM. I have a feeling that I made a stupid mistake somewhere, but I have not been able to find it for hours now. Please help!
_________________
format c:
emerge system
Last edited by mocsokmike on Mon Feb 09, 2015 2:05 pm; edited 1 time in total
Darknight Guru
Joined: 26 Jan 2004 Posts: 483 Location: Italy
Posted: Mon Feb 09, 2015 9:48 am
I have "sufficient" on the second line of your /etc/pam.d/system-auth, and SSH works; try it.
mocsokmike Tux's lil' helper
Joined: 04 Aug 2005 Posts: 120 Location: Budapest, Hungary
Posted: Mon Feb 09, 2015 2:04 pm
That was it! Thanks a lot!
_________________
format c:
emerge system
Darknight Guru
Joined: 26 Jan 2004 Posts: 483 Location: Italy
Posted: Mon Feb 09, 2015 2:29 pm
Essentially, you were requiring that the user existed in both LDAP and the local system.
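The control-flag behaviour Darknight describes, modelled as an added example (this is not code from the thread or from Linux-PAM itself). The script walks an `auth` stack the way libpam's dispatcher does, using the `[value=action]` expansions that pam.conf(5) gives for `required`, `requisite`, `sufficient` and `optional`, and runs it against a made-up local account (`root`) and a made-up LDAP-only account (`admin`). The two stacks are the thread's original `auth` lines and the one-word fix; the third stack, with a trailing `pam_deny.so`, is an assumption added here to show the convention most distribution stacks use.

```python
"""Toy model of how Linux-PAM walks an auth stack (the dispatch rules
described in pam.conf(5)).  Constructed example; the identity stores and
passwords below are made up."""

# pam.conf(5) expansions of the four control keywords.
# Actions: ok / done (positive), bad / die (negative), ignore.
CONTROL = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

# Constructed identity stores: one local account, one LDAP-only account.
LOCAL_SHADOW = {"root": "toor"}        # stands in for /etc/shadow (hypothetical)
LDAP_DIRECTORY = {"admin": "S3cret!"}  # stands in for uid=admin,ou=Users,... (hypothetical)

def pam_env(user, password):
    return "ignore"                    # pam_env's auth hook returns PAM_IGNORE

def pam_unix(user, password):
    # pam_unix can only verify a hash it finds locally; an LDAP user's NSS
    # shadow entry carries '*', so this fails for every LDAP-only account.
    return "success" if LOCAL_SHADOW.get(user) == password else "auth_err"

def pam_ldap(user, password):
    return "success" if LDAP_DIRECTORY.get(user) == password else "auth_err"

def pam_deny(user, password):
    return "auth_err"                  # always fails, like the real pam_deny

MODULES = {"pam_env.so": pam_env, "pam_unix.so": pam_unix,
           "pam_ldap.so": pam_ldap, "pam_deny.so": pam_deny}

def parse_auth_stack(text):
    """Keep only 'auth <control> <module> [args]' lines; module args are ignored."""
    stack = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "auth":
            stack.append((parts[1], parts[2]))
    return stack

def authenticate(stack_text, user, password):
    """Return (pam_result, trace).  Result names follow libpam: PAM_SUCCESS,
    PAM_AUTH_ERR, or PAM_PERM_DENIED when no module took responsibility."""
    impression = None                  # libpam's _PAM_UNDEF
    status = "perm_denied"             # libpam starts from PAM_MUST_FAIL_CODE
    trace = []
    for control, module in parse_auth_stack(stack_text):
        retval = MODULES[module](user, password)
        table = CONTROL[control]
        action = table.get(retval, table["default"])
        trace.append(f"{control:<10} {module:<11} returned {retval:<8} -> {action}")
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "positive", retval
            if impression == "positive" and action == "done":
                break                  # 'sufficient' ends the stack only if nothing required failed
        else:                          # bad or die
            if impression != "negative":
                impression, status = "negative", retval
            if action == "die":
                break
    if impression is None or (status == "success" and impression != "positive"):
        status = "perm_denied"         # nobody vouched for the user: deny
    return "PAM_" + status.upper(), trace

# Original /etc/pam.d/system-auth auth section from the thread (the bug).
ORIGINAL = """
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
"""

# The one-word fix: pam_unix becomes 'sufficient'.
FIXED = """
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
"""

# Same fix with an explicit deny at the end (added here as the usual convention).
FIXED_EXPLICIT_DENY = FIXED + "auth required pam_deny.so\n"

if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL), ("fixed", FIXED),
                        ("fixed+deny", FIXED_EXPLICIT_DENY)):
        for user, pw in (("admin", "S3cret!"), ("admin", "wrong"), ("root", "toor")):
            result, trace = authenticate(stack, user, pw)
            print(f"[{name}] {user}/{pw}: {result}")
            for line in trace:
                print("   ", line)
```

The trace for the original stack shows the two things the thread observed: pam_ldap still runs after the `required` pam_unix line fails (which is why the wrong-password attempt logged an LDAP bind error), but its success cannot overturn the failure that `required` already locked in, so the correct password still ends in PAM_AUTH_ERR. With pam_unix as `sufficient`, its failure is simply ignored and the `sufficient` pam_ldap success ends the stack. When every `sufficient` module fails, libpam denies by default; the trailing `pam_deny.so` makes that outcome explicit rather than relying on the fall-through. The thread's `account` stack keeps the same `required`/`sufficient` pattern but is not what failed here: pam_unix's account check reads the expiry fields that `getent shadow` showed nss_ldap serving, whereas its auth check needs a password hash it can verify, and `*` is not one.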
mocsokmike Tux's lil' helper
Joined: 04 Aug 2005 Posts: 120 Location: Budapest, Hungary
Posted: Mon Feb 09, 2015 3:11 pm
It seems logical to me now.
Now I understand PAM's behavior a bit more; this was a good lesson.
_________________
format c:
emerge system