On Thursday 22 February 2007 10:37, Willis, Ben wrote:
> Thanks for the reply.
>
> I can log in to the console but not to thin clients. Since I use Edubuntu
> the thin clients use LDM (SSH). I have the /etc/pam.d/ssh file setup to
> authenticate users via the pam_ncp_auth.so file. The authentication is
> attempted but fails with the error "(-669) Invalid password", this is
> logged to /var/log/auth.log because I have the module set to debug logging.
>
> Everything that I have read seems to point to a problem with SSH looking
> for a local account first and failing if one does not exist. With the NCP
> module it authenticates the user, then creates a local account and maps the
> users home directory.
>
>
> I used this line in the ssh file:
> #
> auth    sufficient       /lib/security/pam_ncp_auth.so try_first_pass -d -a -u10000,50000,f,c ndsserver=10.10.50.1:a5do.adm.acsd5 -a -L -zATX -A
> #
>
>

I use neither *buntu nor Netware, but I think the problem is a general one 
associated with pam configuration.

I have a system (Fedora Core 5) using LDAP for authentication and nsswitch. 
The "sshd" pam config refers to the "system-auth" config and looks like this:

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

So the real work is done in the system-auth config; *buntu may look somewhat 
different, but the Fedora system-auth looks like this:

==========================================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
=======================================================================

Look for the place where the unix passwd file is consulted (pam_unix.so) and 
see if there is a qualifier (try_first_pass). According to Appendix A (PAM 
and NSS) of "LDAP System Administration" (Carter 2003), "try_first_pass" 
means: "Instructs the module to attempt to use the password entered for the 
previous module. If authentication fails, the user should be prompted to 
enter the password for this module". If pam_unix.so fails without 
qualification, you get login failure. You might also try re-ordering which 
modules are tried first (in sshd only, be careful you don't lock yourself 
out).

I hope this helps. Good Luck.

-- 
        "History doesn't repeat itself; at best it rhymes."
                        - Mark Twain

| John Lucas                          [EMAIL PROTECTED]               |
| St. Thomas, VI 00802                http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W                        AST (UTC-4)                         |
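The stacking behaviour the reply relies on (a "sufficient" pam_unix that is allowed to fail for a directory-only user, versus a "required" one that is not, and what try_first_pass / use_first_pass do to the number of password prompts), worked through as an added example. This is not code from the thread and not Linux-PAM code: it is a small simulator of an auth stack with the four keyword control flags, with made-up local and directory user tables, and its try_first_pass behaviour follows the Carter (2003) definition quoted above (reuse the earlier password, prompt again if it fails); real modules differ in detail.

```python
"""Simulator of a Linux-PAM 'auth' stack (constructed example, not Linux-PAM).

Module and option names mirror the configs quoted in the reply. The user
databases are made-up dictionaries; try_first_pass follows the quoted book
definition (reuse, then re-prompt on failure), which is not exactly what
every real module does.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Return values a module can produce (a subset of the real PAM codes).
SUCCESS, AUTH_ERR, USER_UNKNOWN = "success", "auth_err", "user_unknown"


@dataclass
class Conversation:
    """Stands in for the PAM conversation function: counts password prompts
    and keeps the password shared between modules (PAM_AUTHTOK)."""
    typed_password: str
    prompts: int = 0
    first_pass: Optional[str] = None

    def prompt(self) -> str:
        self.prompts += 1
        self.first_pass = self.typed_password
        return self.typed_password


Module = Callable[[str, Conversation, List[str]], str]
Stack = List[Tuple[str, Module, List[str]]]


def make_db_module(db: Dict[str, str]) -> Module:
    """A pam_unix/pam_ldap-like module over a constructed user->password map."""
    def module(user: str, conv: Conversation, options: List[str]) -> str:
        reused = conv.first_pass is not None and (
            "use_first_pass" in options or "try_first_pass" in options)
        if reused:
            pw = conv.first_pass
        elif "use_first_pass" in options:
            return AUTH_ERR        # nothing to reuse and prompting is not allowed
        else:
            pw = conv.prompt()     # real modules prompt before looking the user up
        if user not in db:
            return USER_UNKNOWN
        if db[user] == pw:
            return SUCCESS
        if reused and "try_first_pass" in options:
            # Quoted definition: the reused password failed, so prompt for this module.
            return SUCCESS if db[user] == conv.prompt() else AUTH_ERR
        return AUTH_ERR
    return module


def pam_env(user: str, conv: Conversation, options: List[str]) -> str:
    return SUCCESS   # the real module only sets environment variables


def pam_deny(user: str, conv: Conversation, options: List[str]) -> str:
    return AUTH_ERR  # unconditional failure, the usual last line of a stack


def run_stack(stack: Stack, user: str, conv: Conversation) -> bool:
    """Keyword control-flag semantics:
    required   - failure is remembered, the remaining modules still run
    requisite  - failure ends the stack immediately
    sufficient - success ends the stack with success unless a required
                 module already failed; failure is ignored
    optional   - result ignored (unless it is the only module)"""
    failed = False
    for control, module, options in stack:
        result = module(user, conv, options)
        if control == "required" and result != SUCCESS:
            failed = True
        elif control == "requisite" and result != SUCCESS:
            return False
        elif control == "sufficient" and result == SUCCESS and not failed:
            return True
    return not failed


# Constructed accounts: 'alice' is local-only, 'bob' exists only in the directory.
pam_unix = make_db_module({"alice": "alice-pw"})
pam_ldap = make_db_module({"bob": "bob-pw"})


def auth_stack(unix_control: str, ldap_options: List[str],
               end_with_deny: bool = True) -> Stack:
    """The reply's Fedora auth stack reduced to the modules modelled here,
    parameterised so the variants can be compared."""
    stack: Stack = [("required", pam_env, []),
                    (unix_control, pam_unix, ["nullok", "try_first_pass"]),
                    ("sufficient", pam_ldap, ldap_options)]
    if end_with_deny:
        stack.append(("required", pam_deny, []))
    return stack


WORKING_STACK = auth_stack("sufficient", ["use_first_pass"])
# The symptom in the thread: pam_unix 'required' (and no pam_deny, as in a
# plain common-auth), so a user with no local account is always refused.
BROKEN_STACK = auth_stack("required", ["use_first_pass"], end_with_deny=False)
# pam_ldap with neither *_first_pass option: works, but asks the user twice.
DOUBLE_PROMPT_STACK = auth_stack("sufficient", [])


def authenticate(stack: Stack, user: str, password: str) -> Tuple[bool, int]:
    """One login attempt; returns (granted, number of password prompts)."""
    conv = Conversation(typed_password=password)
    return run_stack(stack, user, conv), conv.prompts


if __name__ == "__main__":
    for name, stack in [("working", WORKING_STACK), ("broken", BROKEN_STACK),
                        ("double-prompt", DOUBLE_PROMPT_STACK)]:
        for user, pw in [("alice", "alice-pw"), ("bob", "bob-pw"), ("bob", "wrong")]:
            print(name, user, authenticate(stack, user, pw))
```

Running it shows the directory-only user accepted with a single prompt on the working stack, refused on the stack where pam_unix is required, and prompted twice when pam_ldap is not told to reuse the password. The same reasoning applies to any stack you reorder: trace what each control flag does with a failure before changing the sshd config.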
