On Thursday 22 February 2007 10:37, Willis, Ben wrote:
> Thanks for the reply.
>
> I can log in to the console but not to thin clients. Since I use Edubuntu
> the thin clients use LDM (SSH). I have the /etc/pam.d/ssh file set up to
> authenticate users via the pam_ncp_auth.so file. The authentication is
> attempted but fails with the error "(-669) Invalid password", this is
> logged to /var/log/auth.log because I have the module set to debug logging.
>
> Everything that I have read seems to point to a problem with SSH looking
> for a local account first and failing if one does not exist. With the NCP
> module it authenticates the user, then creates a local account and maps the
> user's home directory.
>
>
> I used this line in the ssh file:
> #
> auth sufficient /lib/security/pam_ncp_auth.so try_first_pass -d -a
> -u10000,50000,f,c ndsserver=10.10.50.1:a5do.adm.acsd5 -a -L -zATX -A #
>
>

I use neither *buntu nor Netware, but I think the problem is a general one
associated with pam configuration. I have a system (Fedora Core 5) using LDAP
for authentication and nsswitch. The "sshd" pam config refers to the
"system-auth" config and looks like this:

#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_loginuid.so

So the real work is done in the system-auth config, *buntu may look somewhat
different, but the Fedora system-auth looks like this:

==========================================================================
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_limits.so
session     required      pam_unix.so
session     optional      pam_ldap.so
=======================================================================

Look for the place where the unix passwd file is consulted (pam_unix.so) and
see if there is a qualifier (try_first_pass). According to Appendix A (PAM and
NSS) of "LDAP System Administration" (Carter 2003), "try_first_pass" means:

"Instructs the module to attempt to use the password entered for the previous
module. If authentication fails, the user should be prompted to enter the
password for this module".

If pam_unix.so fails without qualification, you get login failure.

You might also try re-ordering which modules are tried first (in sshd only,
be careful you don't lock yourself out).

I hope this helps. Good Luck.

-- 
"History doesn't repeat itself; at best it rhymes." - Mark Twain
| John Lucas                                       [EMAIL PROTECTED] |
| St. Thomas, VI 00802           http://mrjohnlucas.googlepages.com/ |
| 18.3°N, 65°W  AST (UTC-4)                                          |

_____________________________________________________________________
Ltsp-discuss mailing list. To un-subscribe, or change prefs, goto:
https://lists.sourceforge.net/lists/listinfo/ltsp-discuss
For additional LTSP help, try #ltsp channel on irc.freenode.net
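
Added example (not part of the original message): a simplified Python model of how Linux-PAM combines the required, requisite and sufficient control flags, walked over the "auth" lines of the Fedora system-auth file quoted above. The module results are constructed inputs and the helper names (run_stack, outcomes, with_control) are hypothetical; no real PAM module is called.

```python
# Added example: simplified model of Linux-PAM control flags.
# Module results are constructed inputs; no real PAM module is called.

# "auth" lines of the Fedora system-auth file quoted in the message.
SYSTEM_AUTH = [
    ("required", "pam_env"),
    ("sufficient", "pam_unix"),
    ("requisite", "pam_succeed_if"),  # uid >= 500
    ("sufficient", "pam_ldap"),
    ("required", "pam_deny"),
]

def run_stack(stack, results):
    """Walk the stack; return (granted, names of modules consulted)."""
    failed = False  # a "required" module has already failed
    seen = []
    for control, module in stack:
        seen.append(module)
        ok = results[module]
        if ok and control == "sufficient" and not failed:
            return True, seen   # success ends the stack immediately
        if not ok and control == "requisite":
            return False, seen  # failure ends the stack immediately
        if not ok and control == "required":
            failed = True       # stack continues, final answer is deny
        # a failing "sufficient" module is ignored
    return not failed, seen

def outcomes(local_account, directory_account, uid):
    """Constructed results for one login with a correct password."""
    return {
        "pam_env": True,
        "pam_unix": local_account,
        "pam_succeed_if": uid >= 500,
        "pam_ldap": directory_account,
        "pam_deny": False,  # pam_deny always fails
    }

def with_control(stack, module, control):
    """Hypothetical helper: copy of stack with one module's flag changed."""
    return [(control if m == module else c, m) for c, m in stack]

if __name__ == "__main__":
    remote_only = outcomes(False, True, 10001)  # account exists only in LDAP
    print(run_stack(SYSTEM_AUTH, remote_only))
    strict = with_control(SYSTEM_AUTH, "pam_unix", "required")
    print(run_stack(strict, remote_only))
```

With pam_unix marked sufficient, the LDAP-only account is granted at pam_ldap; changing that one flag to required denies the same login even though pam_ldap succeeds.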