Tim Dunphy wrote:
> Hey all, I'm trying to get to the bottom of a slight mystery we're having. We have a situation where some accounts stored in LDAP (using openldap) can log into some hosts but not others using their LDAP account information. To demonstrate, I take one of the users who is trying to log in and verify that he does not have a local account on the target computer:
>
> [root@monitor:~] #grep spencer /etc/passwd
> [root@monitor:~] #
> [root@monitor:~] #id spencer
> id: spencer: No such user
You have a problem already, the id command should return spencer's account info if everything is configured correctly.
> But the user should have the ability to log in via their LDAP account:
>
> [root@monitor:~] #getent passwd | grep spencer
> spencer:*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
Assuming your PAM and NSS are configured correctly, this usually indicates that you have NSCD running on your system, and its cache is stale. Do a Google search on NSCD problems - it's a well-established fact that NSCD is broken by design and is unusable.
Your nsswitch config shows you're using RedHat's SSSD. SSSD also caches information, and there are also many problems with its caching implementation. Again, SSSD is not recommended. The recommended software is nssov (+pcache if you still want caching).
> But when I attempt to log into the host using his password (this is a test account and I know the password) I get permission denied:
>
> [me@home:~/creds] #ssh spen...@monitor.jokefire.com
> spen...@monitor.jokefire.com's password:
> Permission denied, please try again.
> spen...@monitor.jokefire.com's password:
> Permission denied, please try again.
> spen...@monitor.jokefire.com's password:
> Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
>
> And in the 'secure' log file on the host I'm trying to log into I see the following:
>
> Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
> Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
> Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
> Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
> Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
> Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
> Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
> Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
> Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
> Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
> Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
> Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
> Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
> Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
> Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
> Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx
>
> Yet if I try logging in with another test account on the same host that denied 'spencer' I am able to. The other account I'm testing with is called 'leo':
>
> [walkiriasoares@wal-mac:~/creds] #ssh l...@monitor.jokefire.com
> l...@monitor.jokefire.com's password:
> Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
> [leo@monitor ~]$
>
> And I am able to verify that 'leo' does not have a local account:
>
> [root@monitor:~] #grep leo /etc/passwd
> [root@monitor:~] #
>
> However I can get a unix id on this account:
>
> [root@monitor:~] #id leo
> uid=10005(leo) gid=5000(admins) groups=5000(admins)
>
> And getent also shows that he has an account:
>
> [root@monitor:~] #getent passwd | grep leo
> leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
>
> However if I shift gears and try to log into the LDAP server itself (using the same passwords), I can with both accounts.
>
> [me@home:~] #ssh -qt spen...@ldap01.example.com
> spen...@ldap01.example.com's password:
> Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
> [me@home~] #ssh -qt l...@ldap01.example.com
> l...@ldap01.example.com's password:
> Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
>
> Again I can verify that neither account is local to the LDAP server:
>
> [root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
> [root@ldap01:~] #
>
> Here's what my nsswitch looks like on the monitoring host (where spencer can't log in but leo can):
>
> [root@monitor:~] #grep -v "#" /etc/nsswitch.conf
> passwd: files sss
> shadow: files sss
> group: files sss
> hosts: files dns
> I'm just wondering if there might be a problem in the config or what I can possibly do to nail down the source of the problem.
>
> Thanks
> Tim
>
> --
> GPG me!!
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
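A small consistency check along the lines of the commands posted in the thread, added here as an example (it is not code from either poster): it tells apart the lookup-by-name path that id and sshd use from the enumeration path that "getent passwd | grep" uses, and then asks each passwd source from nsswitch.conf separately. It assumes glibc's getent (for the -s option) and POSIX sh; user names and sources are whatever the host has.

```shell
# Added example, not from the thread: compare the NSS lookup paths that the
# posted commands exercise. 'id' and sshd resolve a user with getpwnam() (lookup
# by name); 'getent passwd | grep USER' walks the database with getpwent()
# (enumeration). For 'spencer' the two disagree, the stale-cache symptom Howard
# describes. Assumes glibc's getent (the -s option is glibc-specific), POSIX sh.

# Lookup by name, the path sshd and 'id' take: prints the passwd line or nothing.
nss_lookup_byname() {
    getent passwd "$1" 2>/dev/null
}

# Enumeration, the path 'getent passwd | grep' takes: exact match on field 1.
nss_lookup_enum() {
    getent passwd 2>/dev/null | awk -F: -v u="$1" '$1 == u { print; exit }'
}

# Lookup by name through a single NSS source (e.g. files or sss), to see which
# of the sources listed in nsswitch.conf actually answers for this user.
nss_lookup_via() {   # nss_lookup_via SOURCE USER
    getent -s "$1" passwd "$2" 2>/dev/null
}

# Verdict for one user. "enum-only" is the 'spencer' case: visible when
# enumerating, invisible to getpwnam(), so sshd logs "Invalid user" and
# pam_succeed_if reports "error retrieving information about user".
nss_check() {
    byname=$(nss_lookup_byname "$1")
    enum=$(nss_lookup_enum "$1")
    if [ -n "$byname" ] && [ -n "$enum" ]; then echo consistent
    elif [ -n "$byname" ]; then echo name-only
    elif [ -n "$enum" ]; then echo enum-only
    else echo unknown
    fi
}

# Ask every passwd source from nsswitch.conf separately, then print the verdict.
nss_report() {   # nss_report USER
    for src in $(awk '$1 == "passwd:" { $1 = ""; print }' /etc/nsswitch.conf); do
        if [ -n "$(nss_lookup_via "$src" "$1")" ]; then
            echo "$1: answered by source '$src'"
        else
            echo "$1: no answer from source '$src'"
        fi
    done
    echo "$1: $(nss_check "$1")"
}
```

Run "nss_report spencer" on the host that refuses the login and on one that accepts it; a verdict of enum-only, or a source that answers on one host but not the other, points at the cache rather than at the directory.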