Hey all, I'm trying to get to the bottom of a slight mystery we're having. We have a situation where some accounts stored in LDAP (using openldap) can log into some hosts but not others using their LDAP account information.

To demonstrate, I take one of the users who is trying to log in and verify that he does not have a local account on the target computer:

[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #
[root@monitor:~] #id spencer
id: spencer: No such user

But the user should have the ability to log in via their LDAP account:

[root@monitor:~] #getent passwd | grep spencer
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash

But when I attempt to log into the host using his password (this is a test account and I know the password) I get permission denied:

[me@home:~/creds] #ssh [email protected]
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied, please try again.
[email protected]'s password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

And in the 'secure' log file on the host I'm trying to log into I see the following:

Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx

Yet if I try logging in with another test account on the same host that denied 'spencer', I am able to. The other account I'm testing with is called 'leo':

[walkiriasoares@wal-mac:~/creds] #ssh [email protected]
[email protected]'s password:
Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
(ASCII-art login banner)
[leo@monitor ~]$

And I am able to verify that 'leo' does not have a local account:

[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #

However, I can get a unix id for this account:

[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)

And getent also shows that he has an account:

[root@monitor:~] #getent passwd | grep leo
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash

However, if I shift gears and try to log into the LDAP server itself (using the same passwords), I can with both accounts.

[me@home:~] #ssh -qt [email protected]
[email protected]'s password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
[me@home~] #ssh -qt [email protected]
[email protected]'s password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)

Again I can verify that neither account is local to the LDAP server:

[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #

Here's what my nsswitch looks like on the monitoring host (where spencer can't log in but leo can):

[root@monitor:~] #grep -v "#" /etc/nsswitch.conf
passwd:     files sss
shadow:     files sss
group:      files sss
hosts:      files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup:   files sss
publickey:  nisplus
automount:  files ldap
aliases:    files nisplus

And here is the /etc/pam.d/password-auth-ac file:

[root@monitor:~] #grep -v "#" /etc/pam.d/password-auth-ac
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

And here's the /etc/pam.d/system-auth-ac on the target host:

[root@monitor:~] #grep -v "#" /etc/pam.d/system-auth-ac
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so
password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

I'm just wondering if there might be a problem in the config or what I can possibly do to nail down the source of the problem.

Thanks
Tim

--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
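An added diagnostic example, not part of Tim's post: the getent output he quotes prints `spencer :*:10002:...` with a space before the first colon, while `id spencer` and sshd both report the user as unknown, and the quoted PAM stack has `auth requisite pam_succeed_if.so uid >= 500` ahead of `pam_sss.so`. The script below parses passwd-format output the way a defender would when triaging "Invalid user" entries in the secure log: it reports login names that carry whitespace or characters outside the portable login-name set, flags non-local accounts whose UID the `pam_succeed_if` line would stop before `pam_sss` runs, and notes non-interactive shells. The sample data is constructed to mirror the post's entries; `audit_live()` assumes `getent` is on PATH and that `/etc/passwd` is readable.

```python
import re
import subprocess

# Constructed sample of `getent passwd` output, shaped like the entries quoted
# in the post. The "spencer " entry deliberately carries a trailing space in
# the login name, exactly as the quoted "spencer :*:10002:..." line does.
SAMPLE_GETENT = """\
root:x:0:0:root:/root:/bin/bash
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
svc-backup:*:450:5000:Backup service:/var/backup:/sbin/nologin
"""

# Constructed /etc/passwd content (the post only shows that spencer and leo
# are absent from the real file, so a single local root entry is assumed).
SAMPLE_LOCAL = "root:x:0:0:root:/root:/bin/bash\n"

# Portable login-name pattern, the one shadow-utils' useradd enforces.
VALID_NAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")

# From the post's PAM stack: `auth requisite pam_succeed_if.so uid >= 500`.
# A non-local account below this UID is rejected before pam_sss ever runs.
MIN_UID = 500


def parse_passwd(text):
    """Parse passwd(5)-style lines into dicts, keeping names exactly as given."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"raw": line, "error": "expected 7 colon-separated fields"})
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"raw": line, "name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell, "error": None})
    return entries


def audit_entry(entry, local_names, min_uid=MIN_UID):
    """Return the reasons this entry would fail sshd/PAM user resolution (empty == fine)."""
    if entry["error"]:
        return [entry["error"]]
    problems = []
    name = entry["name"]
    if name != name.strip():
        # sshd and id look up the name the user typed; a stored name with extra
        # whitespace never matches it, hence "Invalid user" in the secure log.
        problems.append("login name has leading/trailing whitespace: %r" % name)
    elif not VALID_NAME.match(name):
        problems.append("login name has characters outside the portable set: %r" % name)
    if name not in local_names and entry["uid"] < min_uid:
        problems.append("uid %d < %d: stopped by pam_succeed_if before pam_sss"
                        % (entry["uid"], min_uid))
    if entry["shell"].endswith("nologin") or entry["shell"] == "/bin/false":
        problems.append("shell %s does not allow interactive login" % entry["shell"])
    return problems


def audit_passwd(nss_text, local_text, min_uid=MIN_UID):
    """Map each raw NSS line to its list of problems."""
    local_names = {e["name"] for e in parse_passwd(local_text) if not e["error"]}
    return {e["raw"]: audit_entry(e, local_names, min_uid) for e in parse_passwd(nss_text)}


def audit_live(min_uid=MIN_UID):
    """Run the same audit on this host: /etc/passwd against the full NSS view (files + sss)."""
    with open("/etc/passwd") as fh:
        local_text = fh.read()
    nss_text = subprocess.run(["getent", "passwd"], capture_output=True,
                              text=True, check=True).stdout
    return audit_passwd(nss_text, local_text, min_uid)


if __name__ == "__main__":
    for raw, problems in audit_passwd(SAMPLE_GETENT, SAMPLE_LOCAL).items():
        print("OK " if not problems else "BAD", raw)
        for p in problems:
            print("     -", p)
```

Running it on the constructed sample marks `leo` and `root` clean, reports the whitespace in the `spencer ` name, and reports two problems for the low-UID service account. Entries that `getent` returns but `/etc/passwd` lacks are the ones coming from `sss`, so any name flagged there points at the LDAP record rather than the host.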
