Tim Dunphy wrote:
Hey all,
I'm trying to get down to the bottom of a slight mystery we're having. We have a situation where some accounts stored in LDAP (using openldap) can log into some hosts but not others using their LDAP account information.
To demonstrate, I take one of the users who is trying to login and verify that he does not have a local account on the target computer:
[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #
[root@monitor:~] #id spencer
id: spencer: No such user
You have a problem already, the id command should return spencer's account info if everything is configured correctly.
But the user should have the ability to login via their LDAP account:
[root@monitor:~] #getent passwd | grep spencer
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
Assuming your PAM and NSS are configured correctly, this usually indicates that you have NSCD running on your system, and its cache is stale. Do a google search on NSCD problems - it's a well-established fact that NSCD is broken by design and is unusable.
Your nsswitch config shows you're using RedHat's SSSD. SSSD also caches information, and there are also many problems with its caching implementation. Again, SSSD is not recommended. The recommended software is nssov (+pcache if you still want caching).
But when I attempt to log into the host using his password (this is a test account and I know the password) I get permission denied:
[me@home:~/creds] #ssh spencer@monitor.jokefire.com
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
And in the 'secure' log file on the host I'm trying to log into I see the following:
Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx
Yet if I try logging in with another test account on the same host that denied 'spencer' I am able to. The other account I'm testing with is called 'leo':
[walkiriasoares@wal-mac:~/creds] #ssh leo@monitor.jokefire.com
leo@monitor.jokefire.com's password:
Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
,--,------,--. ,--. ,--. ,--. ,--. | | .---| `.' |,---.,--,--,,-' '-`--,-' '-.,---.,--.--.
,--. | | `--,| |'.'| | .-. | '-. .-,--'-. .-| .-. | .--'
| '-' | |` | | | ' '-' | || | | | | | | | ' '-' | |
`-----'`--' `--' `--'`---'`--''--' `--' `--' `--' `---'`--'
[leo@monitor ~]$
And I am able to verify that 'leo' does not have a local account:
[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #
However I can get a unix id on this account:
[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)
And getent also shows that he has an account:
[root@monitor:~] #getent passwd | grep leo
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
However if I shift gears and try to log into the Ldap server itself (using the same passwords), I can with both accounts.
[me@home:~] #ssh -qt spencer@ldap01.example.com
spencer@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
[me@home~] #ssh -qt leo@ldap01.example.com
leo@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
Again I can verify that neither account is local to the ldap server:
[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #
Here's what my nsswitch looks like on the monitoring host (where spencer can't login but leo can):
[root@monitor:~] #grep -v "#" /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
I'm just wondering if there might be a problem in the config or what I can possibly do to nail down the source of the problem.
Thanks
Tim
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
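Added example, not part of Tim's post or the reply: the two tests in the thread are not equivalent. `id spencer` and sshd both resolve the login name with getpwnam(), an exact-key lookup through NSS (files, then sss), whereas `getent passwd | grep spencer` enumerates everything and matches substrings, so it also matches entries like "spencer " or "spencer2". The script below runs both kinds of lookup against a constructed passwd dump (modelled on the getent output quoted above, with a deliberate trailing space in the first login field, which is one defect that produces exactly this enumeration-yes, lookup-no symptom) and shows why they disagree. The sample data and all function names are assumptions of this example.

```shell
#!/bin/sh
# Constructed sample passwd data (assumption of this example, not live NSS output).
# The space after "spencer" in the login field is deliberate.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash'

# Substring search over the full enumeration, as done in the thread.
# Prints every line containing the string anywhere.
grep_lookup() {
  printf '%s\n' "$SAMPLE_PASSWD" | grep -- "$1"
}

# Exact-key lookup, the same test getpwnam()/`getent passwd NAME`/`id NAME` apply:
# succeeds only when field 1 equals NAME byte for byte.
exact_lookup() {
  printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '
    $1 == u { print; found = 1 }
    END { exit !found }'
}

# Compare the two and, on a mismatch, print the login field of every substring
# hit with visible delimiters and its length so stray whitespace stands out.
diagnose() {
  user="$1"
  if exact_lookup "$user" >/dev/null; then
    echo "OK: exact lookup for '$user' succeeds"
    return 0
  fi
  echo "FAIL: no exact entry for '$user'; substring matches were:"
  grep_lookup "$user" | awk -F: '{ printf "  login field is [%s] (%d chars)\n", $1, length($1) }'
  return 1
}

# Stand-alone run: leo passes, spencer fails and the [spencer ] field is exposed.
diagnose leo
diagnose spencer
```

On a real host the equivalent exact test is `getent passwd spencer` (not piped through grep), run on the host where the login fails; if that returns nothing while the LDAP entry looks right, flush SSSD's cache for that user with `sss_cache -u spencer` and retry before touching the PAM stack, since "Invalid user" and "error retrieving information about user" in the secure log are name-resolution failures, not password failures.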