Hey all,

I'm trying to get down to the bottom of a slight mystery we're having. We have a situation where some accounts stored in LDAP (using openldap) can log into some hosts but not others using their LDAP account information.

To demonstrate, I take one of the users who is trying to log in and verify that he does not have a local account on the target computer:

[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #

[root@monitor:~] #id spencer
id: spencer: No such user

But the user should have the ability to log in via their LDAP account:

[root@monitor:~] #getent passwd | grep spencer
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash

But when I attempt to log into the host using his password (this is a test account and I know the password), I get permission denied:

[me@home:~/creds] #ssh spencer@monitor.jokefire.com
spencer@monitor.jokefire.com's password: 
Permission denied, please try again.
spencer@monitor.jokefire.com's password: 
Permission denied, please try again.
spencer@monitor.jokefire.com's password: 
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

And in the 'secure' log file on the host I'm trying to log into I see the following:

Mar  9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar  9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar  9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar  9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar  9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar  9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar  9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar  9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar  9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar  9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar  9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar  9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar  9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar  9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar  9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar  9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx

Yet if I try logging in with another test account on the same host that denied 'spencer', I am able to. The other account I'm testing with is called 'leo':

[walkiriasoares@wal-mac:~/creds] #ssh leo@monitor.jokefire.com
leo@monitor.jokefire.com's password:
Last login: Sun Mar  9 10:32:52 2014 from ool-xxxx.dyn.optonline.net

     ,--,------,--.   ,--.              ,--. ,--. ,--.
     |  |  .---|   `.'   |,---.,--,--,,-'  '-`--,-'  '-.,---.,--.--.
,--. |  |  `--,|  |'.'|  | .-. |      '-.  .-,--'-.  .-| .-. |  .--'
|  '-'  |  |`  |  |   |  ' '-' |  ||  | |  | |  | |  | ' '-' |  |
 `-----'`--'   `--'   `--'`---'`--''--' `--' `--' `--'  `---'`--'

[leo@monitor ~]$ 

And I am able to verify that 'leo' does not have a local account:

[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #

However, I can get a Unix id for this account:

[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)

And getent also shows that he has an account:

[root@monitor:~] #getent passwd | grep leo 
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash

However, if I shift gears and try to log into the LDAP server itself (using the same passwords), I can do so with both accounts.

[me@home:~] #ssh -qt spencer@ldap01.example.com
spencer@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)

[me@home~] #ssh -qt leo@ldap01.example.com
leo@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)

Again, I can verify that neither account is local to the LDAP server:

[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #

Here's what my nsswitch looks like on the monitoring host (where spencer can't log in but leo can):

[root@monitor:~] #grep -v "#" /etc/nsswitch.conf

passwd:     files sss
shadow:     files sss
group:      files sss

hosts:      files dns

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files sss

publickey:  nisplus

automount:  files ldap
aliases:    files nisplus

And here is the /etc/pam.d/password-auth-ac file:

[root@monitor:~] #grep -v "#"  /etc/pam.d/password-auth-ac 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

And here's the /etc/pam.d/system-auth-ac on the target host:

[root@monitor:~] #grep -v "#"  /etc/pam.d/system-auth-ac 
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

I'm just wondering whether there might be a problem in the config, or what I can possibly do to nail down the source of the problem.

Thanks

Tim

-- 
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
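A check a reader can run on the affected host, added here as an example and not part of Tim's original message: in the getent output above, the name field of spencer's entry appears as "spencer " with a trailing blank, and exact-match lookups (id, getent passwd NAME, and the user lookup sshd performs before PAM runs) compare the whole string, so a grep over getent passwd matches while they do not. The POSIX shell script below flags passwd-format entries whose names carry whitespace or characters outside the portable user-name set; the two sample entries are constructed to model the post's output.

```shell
#!/bin/sh
# Added example (not from the original post). Exact-match NSS lookups such as
# `id NAME`, `getent passwd NAME` and sshd's own user lookup compare the whole
# user name; an entry whose name field carries a stray blank (as in
# "spencer :*:...") is found by `getent passwd | grep` but never by them.
# Reads passwd-format lines from stdin and flags such names.
# Returns 0 when every name is clean, 1 otherwise.
check_passwd_names() {
    bad=0
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        name=${line%%:*}                       # first field: the user name
        trimmed=$(printf '%s' "$name" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        if [ "$name" != "$trimmed" ]; then
            printf 'WHITESPACE in user name: [%s] (lookups for "%s" will fail)\n' \
                "$name" "$trimmed"
            bad=1
        elif ! printf '%s\n' "$name" | grep -Eq '^[a-z_][a-z0-9_-]*\$?$'; then
            # outside the portable user-name character set (see useradd(8))
            printf 'NON-PORTABLE user name: [%s]\n' "$name"
            bad=1
        fi
    done
    return $bad
}

# Number of problematic entries on stdin, printed as a single number.
count_bad_names() {
    check_passwd_names | awk 'END { print NR }'
}

# Constructed sample modelled on the getent output in the post: the first
# entry has a trailing blank in its name field, the second is clean.
SAMPLE='spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash'

# Live use on a host:  getent passwd | check_passwd_names
if printf '%s\n' "$SAMPLE" | check_passwd_names; then
    echo "all user names are clean"
else
    echo "at least one entry cannot be matched by an exact lookup"
fi
```

On the monitoring host, a reported name means the LDAP entry (the uid attribute that sssd maps to the passwd name) needs cleaning up rather than the PAM stack.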