Hey all,
I'm trying to get down to the bottom of a slight mystery we're having. We have a situation where some account stored in LDAP (using openldap) can log into some hosts but not others using their LDAP account information.
To demonstrate, I take one of the users who is trying to login and verify that he does not have a local account on the target computer:
[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #
[root@monitor:~] #id spencer
id: spencer: No such user
But the user should have the ability to login via their LDAP account:
[root@monitor:~] #getent passwd | grep spencer
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
But when I attempt to log into the host using his password (this is a test account and I know the password) I get permission denied:
[me@home:~/creds] #ssh spencer@monitor.jokefire.com
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
And in the 'secure' log file on the host I'm trying to log into I see the following:
Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx
Yet if I try logging in with another test account on the same host that denied 'spencer' I am able to. The other account I'm testing with is called 'leo':
[walkiriasoares@wal-mac:~/creds] #ssh leo@monitor.jokefire.com
leo@monitor.jokefire.com's password:
Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
[leo@monitor ~]$
And I am able to verify that 'leo' does not have a local account:
[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #
However I can get a unix id on this account:
[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)
And getent also shows that he has an account:
[root@monitor:~] #getent passwd | grep leo
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
However, if I shift gears and try to log into the LDAP server itself (using the same passwords), I can with both accounts.
[me@home:~] #ssh -qt spencer@ldap01.example.com
spencer@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
[me@home~] #ssh -qt leo@ldap01.example.com
leo@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
Again I can verify that neither account is local to the ldap server:
[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #
Here's what my nsswitch looks like on the monitoring host (where spencer can't login but leo can):
[root@monitor:~] #grep -v "#" /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss
netgroup: files sss
publickey: nisplus
automount: files ldap
aliases: files nisplus
And here is the /etc/pam.d/password-auth-ac file:
[root@monitor:~] #grep -v "#" /etc/pam.d/password-auth-ac
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
And here's the /etc/pam.d/system-auth-ac on the target host:
[root@monitor:~] #grep -v "#" /etc/pam.d/system-auth-ac
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
I'm just wondering if there might be a problem in the config or what I can possibly do to nail down the source of the problem.
Thanks
Tim
Tim Dunphy wrote:
> Hey all,
> I'm trying to get down to the bottom of a slight mystery we're having. We have a situation where some account stored in LDAP (using openldap) can log into some hosts but not others using their LDAP account information.
> To demonstrate, I take one of the users who is trying to login and verify that he does not have a local account on the target computer:
> [root@monitor:~] #grep spencer /etc/passwd
> [root@monitor:~] #
> [root@monitor:~] #id spencer
> id: spencer: No such user

You have a problem already, the id command should return spencer's account info if everything is configured correctly.

> But the user should have the ability to login via their LDAP account:
> [root@monitor:~] #getent passwd | grep spencer
> spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
Assuming your PAM and NSS are configured correctly, this usually indicates that you have NSCD running on your system, and its cache is stale. Do a google search on NSCD problems - it's a well-established fact that NSCD is broken by design and is unusable.

Your nsswitch config shows you're using RedHat's SSSD. SSSD also caches information, and there are also many problems with its caching implementation. Again, SSSD is not recommended. The recommended software is nssov (+pcache if you still want caching).
> --
> GPG me!!
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
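The split the thread turns on is that `id` and `pam_succeed_if` do a direct lookup (getpwnam) while `getent passwd | grep` enumerates the map (getpwent), so a user visible only one way points at a stale or inconsistent nscd/sssd cache. The script below is an added diagnostic for that, not code from either post; the function names are mine, and `nscd -i passwd` and `sss_cache -u` are the standard cache-flush commands for those daemons.

```shell
#!/bin/sh
# Hypothetical NSS consistency check for the "id fails, getent|grep succeeds"
# symptom. Compares the direct lookup path against enumeration and names any
# caching daemon that is running so the operator knows which cache to flush.

# Print how $1 is visible to NSS: BOTH, ENUM_ONLY, DIRECT_ONLY or NONE.
# Return 0 when the two views agree (BOTH or NONE), 1 when they disagree.
nss_lookup_state() {
    _user=$1
    _direct=0
    _enum=0
    # Direct lookup: the same getpwnam() path id(1) and pam_succeed_if use.
    getent passwd "$_user" >/dev/null 2>&1 && _direct=1
    # Enumeration: what "getent passwd | grep" does, but matched on the login
    # field only (a bare grep would also match a GECOS field containing the name).
    getent passwd 2>/dev/null | awk -F: -v u="$_user" '$1 == u { f = 1 } END { exit !f }' && _enum=1
    case "$_direct$_enum" in
        11) echo BOTH;        return 0 ;;
        00) echo NONE;        return 0 ;;
        01) echo ENUM_ONLY;   return 1 ;;
        10) echo DIRECT_ONLY; return 1 ;;
    esac
}

# List the NSS caching daemons that are running (nscd, sssd), or "none".
nss_cache_daemons() {
    _found=""
    for _d in nscd sssd_nss sssd; do
        pgrep -x "$_d" >/dev/null 2>&1 && _found="$_found${_found:+ }$_d"
    done
    echo "${_found:-none}"
}

# Usage: nss_check <user>; exit status 0 only when the user resolves both ways.
nss_check() {
    _state=$(nss_lookup_state "$1")
    echo "user $1: $_state (caching daemons: $(nss_cache_daemons))"
    case "$_state" in
        ENUM_ONLY)   echo "direct lookup fails, so id/pam_succeed_if will fail: flush nscd (nscd -i passwd) or sssd (sss_cache -u $1) and retry" ;;
        DIRECT_ONLY) echo "enumeration hides $1: check the sssd enumerate setting and the nsswitch.conf passwd line" ;;
    esac
    [ "$_state" = BOTH ]
}
```

Run it as `nss_check spencer` on the failing host; an ENUM_ONLY result reproduces the thread's symptom and matches the "error retrieving information about user" lines pam_succeed_if logged.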