Tim Dunphy wrote:
Hey all,
I'm trying to get down to the bottom of a slight mystery we're having. We
have a situation where some account stored in LDAP (using openldap) can log
into some hosts but not others using their LDAP account information.
To demonstrate, I take one of the users who is trying to login and verify that
he does not have a local account on the target computer:
[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #
[root@monitor:~] #id spencer
id: spencer: No such user
You have a problem already, the id command should return spencer's account
info if everything is configured correctly.
But the user should have the ability to login via their LDAP account:
[root@monitor:~] #getent passwd | grep spencer
spencer :*:10002:5000:Spencer Brown :/home/spencer:/bin/bash
Assuming your PAM and NSS are configured correctly, this usually indicates
that you have NSCD running on your system, and its cache is stale. Do a Google
search on NSCD problems - it's a well-established fact that NSCD is broken by
design and is unusable.
Your nsswitch config shows you're using RedHat's SSSD. SSSD also caches
information, and there are also many problems with its caching implementation.
Again, SSSD is not recommended. The recommended software is nssov (+pcache if
you still want caching).
But when I attempt to log into the host using his password (this is a test
account and I know the password) I get permission denied:
[me@home:~/creds] #ssh spencer@monitor.jokefire.com
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
And in the 'secure' log file on the host I'm trying to log into I see the
following:
Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx
Yet if I try logging in with another test account on the same host that denied
'spencer' I am able to. The other account I'm testing with is called
'leo':
[walkiriasoares@wal-mac:~/creds] #ssh leo@monitor.jokefire.com
leo@monitor.jokefire.com's password:
Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
(ASCII-art login banner)
[leo@monitor ~]$
And I am able to verify that 'leo' does not have a local account:
[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #
However I can get a unix id on this account:
[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)
And getent also shows that he has an account:
[root@monitor:~] #getent passwd | grep leo
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
However if I shift gears and try to log into the LDAP server itself (using the
same passwords), I can with both accounts.
[me@home:~] #ssh -qt spencer@ldap01.example.com
spencer@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
[me@home~] #ssh -qt leo@ldap01.example.com
leo@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
Again I can verify that neither account is local to the ldap server:
[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #
Here's what my nsswitch looks like on the monitoring host (where spencer can't
login but leo can):
[root@monitor:~] #grep -v "#" /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
I'm just wondering if there might be a problem in the config or what I can
possibly do to nail down the source of the problem.
Thanks
Tim
--
GPG me!!
gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
--
Howard Chu
CTO, Symas Corp.
http://www.symas.com
Director, Highland Sun
http://highlandsun.com/hyc/
Chief Architect, OpenLDAP
http://www.openldap.org/project/