Hey all,
I'm trying to get to the bottom of a slight mystery we're having. We have a situation where some accounts stored in LDAP (using OpenLDAP) can log into some hosts but not others using their LDAP account information.
To demonstrate, I take one of the users who is trying to log in and verify that he does not have a local account on the target computer:
[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #
[root@monitor:~] #id spencer
id: spencer: No such user
But the user should have the ability to log in via their LDAP account:
[root@monitor:~] #getent passwd | grep spencer
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
But when I attempt to log into the host using his password (this is a test account and I know the password) I get permission denied:
[me@home:~/creds] #ssh spencer@monitor.jokefire.com
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
And in the 'secure' log file on the host I'm trying to log into I see the following:
Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= ool-182e9727.dyn.optonline.net
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx
Yet if I try logging in with another test account on the same host that denied 'spencer', I am able to. The other account I'm testing with is called 'leo':
[walkiriasoares@wal-mac:~/creds] #ssh leo@monitor.jokefire.com
leo@monitor.jokefire.com's password:
Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
,--,------,--. ,--. ,--. ,--. ,--.
| | .---| `.' |,---.,--,--,,-' '-`--,-' '-.,---.,--.--.
,--. | | `--,| |'.'| | .-. | '-. .-,--'-. .-| .-. | .--'
| '-' | |` | | | ' '-' | || | | | | | | | ' '-' | |
`-----'`--' `--' `--'`---'`--''--' `--' `--' `--' `---'`--'
[leo@monitor ~]$
And I am able to verify that 'leo' does not have a local account:
[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #
However I can get a unix id on this account:
[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)
And getent also shows that he has an account:
[root@monitor:~] #getent passwd | grep leo
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
However, if I shift gears and try to log into the LDAP server itself (using the same passwords), I can with both accounts.
[me@home:~] #ssh -qt spencer@ldap01.example.com
spencer@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
[me@home~] #ssh -qt leo@ldap01.example.com
leo@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
Again I can verify that neither account is local to the ldap server:
[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #
Here's what my nsswitch looks like on the monitoring host (where spencer can't log in but leo can):
[root@monitor:~] #grep -v "#" /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
And here is the /etc/pam.d/password-auth-ac file:
[root@monitor:~] #grep -v "#" /etc/pam.d/password-auth-ac
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
And here's the /etc/pam.d/system-auth-ac on the target host:
[root@monitor:~] #grep -v "#" /etc/pam.d/system-auth-ac
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
I'm just wondering if there might be a problem in the config, or what I can possibly do to nail down the source of the problem.
Thanks
Tim
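Added example (not part of Tim's post, and not code from sssd or OpenSSH): sshd logs "Invalid user" and pam_succeed_if logs "error retrieving information about user" when getpwnam() returns nothing for the exact login name, whereas `getent passwd | grep name` only needs a substring match somewhere on the line. The script below reproduces that distinction over the two getent lines quoted in the post (embedded as constructed sample input, including the space that appears after "spencer" in the first field) and flags passwd entries whose user name contains whitespace or non-printable characters, which no exact lookup will ever match. The `live_check` helper is an assumed convenience wrapper around the standard `pwd.getpwnam()` for running the same exact lookup against a host's real NSS stack.

```python
import re
from typing import Dict, List, Optional

try:
    import pwd  # Unix only; used by live_check() on a real host
except ImportError:  # pragma: no cover
    pwd = None

# Constructed sample input: the two getent lines as printed in the post above.
# Note the space after the first user name; 'leo' has none.
SAMPLE_GETENT = """spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
"""


def parse_passwd(text: str) -> Dict[str, List[str]]:
    """Index passwd-format lines by their exact first field, as an NSS backend does."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; skipped rather than guessed at
        entries[fields[0]] = fields
    return entries


def exact_lookup(entries: Dict[str, List[str]], name: str) -> Optional[List[str]]:
    """Mimic getpwnam(): the login name must match the first field byte for byte."""
    return entries.get(name)


def grep_lookup(entries: Dict[str, List[str]], needle: str) -> List[str]:
    """Mimic `getent passwd | grep needle`: substring match anywhere on the line."""
    return [":".join(f) for f in entries.values() if needle in ":".join(f)]


def suspicious_names(entries: Dict[str, List[str]]) -> Dict[str, str]:
    """Flag user names that an exact lookup by the typed login name can never match."""
    bad: Dict[str, str] = {}
    for name in entries:
        if name != name.strip():
            bad[name] = "leading/trailing whitespace"
        elif re.search(r"[^\x21-\x7e]", name):
            bad[name] = "non-printable or non-ASCII character"
    return bad


def live_check(name: str) -> bool:
    """Assumed helper: does this host's NSS stack (files, sss, ...) resolve the exact name?"""
    if pwd is None:
        raise RuntimeError("pwd module unavailable on this platform")
    try:
        pwd.getpwnam(name)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    db = parse_passwd(SAMPLE_GETENT)
    for user in ("spencer", "leo"):
        print(f"{user}: grep matches={len(grep_lookup(db, user))}, "
              f"exact match={exact_lookup(db, user) is not None}")
    for name, why in suspicious_names(db).items():
        print(f"suspicious entry {name!r}: {why}")
```

On the affected host, `getent passwd spencer` (an exact lookup, no grep) and `live_check("spencer")` answer the same question sshd asks; if both come back empty while the grep still matches, the difference is in the stored name, not in the PAM stack.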