Hello, I have two different user accounts and one works, the other not so much. The account user03 works on both Solaris 10 and RHEL clients. While test01 can do everything but log in to the Solaris 10 client, I can use this account to log in to the RHEL client, though. Can someone look at my accounts below and tell me why user03 works and test01 doesn't?
# user03, People, test.net
dn: uid=user03,ou=People,dc=test,dc=net
uid: user03
cn: user03
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 603
gidNumber: 500
homeDirectory: /home/user03
gecos: user03

# test01, People, test.net
dn: uid:test01,ou=People,dc=test,dc=net
uid: test01
cn: test01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 701
gidNumber: 500
homeDirectory: /home/test01

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=test,dc=net
NS_LDAP_BINDPASSWD= password
NS_LDAP_SERVERS= X.X.X.X:389
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_SERVER_PREF= X.X.X.X
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
I'm still testing so I ran ldapclient manually. When I feel that I have the right setting, I will load the profile into LDAP. Any suggestions will be great.
On 14.12.2011 19:08, NetNinja wrote:
Hello, I have two different user accounts and one works, the other not so much. The account user03 works on both Solaris 10 and RHEL clients. While test01 can do everything but log in to the Solaris 10 client, I can use this account to log in to the RHEL client, though. Can someone look at my accounts below and tell me why user03 works and test01 doesn't?
# user03, People, test.net
dn: uid=user03,ou=People,dc=test,dc=net
uid: user03
cn: user03
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 603
gidNumber: 500
homeDirectory: /home/user03
gecos: user03

# test01, People, test.net
dn: uid:test01,ou=People,dc=test,dc=net
Wrong dn, but I guess that's a mistake with copy&paste ;)
uid: test01
cn: test01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 701
gidNumber: 500
homeDirectory: /home/test01

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=test,dc=net
NS_LDAP_BINDPASSWD= password
NS_LDAP_SERVERS= X.X.X.X:389
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_SERVER_PREF= X.X.X.X
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
I'm still testing so I ran ldapclient manually. When I feel that I have the right setting, I will load the profile into LDAP. Any suggestions will be great.
Is there anything in the auth log file? You should see some PAM errors. Can you fetch both users with getent?
All commands I try work on both OSes. On the Solaris server, su or ssh test01@sol10-1 doesn't work. The user03 account works just fine.
On sol10-1 in the log /var/adm/messages I get this error when I ssh:
libsldap:Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
keyboard-interactive (PAM) userauth failed[9] while authentication: Authentication failed.
On sol10-1 in the log /var/adm/messages I get this error when I su:
libsldap:Status: 49 Mesg: openConnection: simple bind failed - Invalid credentials
'su test01' failed for user03 on /dev/pts/3
On Wed, Dec 14, 2011 at 1:45 PM, Raffael Sahli public@raffaelsahli.com wrote:
On 14.12.2011 19:08, NetNinja wrote:
Hello, I have two different user accounts and one works, the other not so much. The account user03 works on both Solaris 10 and RHEL clients. While test01 can do everything but log in to the Solaris 10 client, I can use this account to log in to the RHEL client, though. Can someone look at my accounts below and tell me why user03 works and test01 doesn't?
# user03, People, test.net
dn: uid=user03,ou=People,dc=test,dc=net
uid: user03
cn: user03
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 603
gidNumber: 500
homeDirectory: /home/user03
gecos: user03

# test01, People, test.net
dn: uid:test01,ou=People,dc=test,dc=net
Wrong dn, but I guess that's a mistake with copy&paste ;)
I hand typed all this. Yes, that was a typo. Also, I made a typo with this: shadowMax: 0 should be shadowMin: 0.
uid: test01
cn: test01
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 701
gidNumber: 500
homeDirectory: /home/test01

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=test,dc=net
NS_LDAP_BINDPASSWD= password
NS_LDAP_SERVERS= X.X.X.X:389
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_SERVER_PREF= X.X.X.X
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
I'm still testing so I ran ldapclient manually. When I feel that I have the right setting, I will load the profile into LDAP. Any suggestions will be great.
Is there anything in the auth log file? You should see some PAM errors. Can you fetch both users with getent?
-- Raffael Sahli public@raffaelsahli.com
On Wednesday, 14 December 2011 20:08:37 NetNinja wrote:
Hello, I have two different user accounts and one works, the other not so much. The account user03 works on both Solaris 10 and RHEL clients. While test01 can do everything but log in to the Solaris 10 client, I can use this account to log in to the RHEL client, though. Can someone look at my accounts below and tell me why user03 works and test01 doesn't?
# user03, People, test.net dn: uid=user03,ou=People,dc=test,dc=net
[...]
shadowMax: 99999
# test01, People, test.net dn: uid:test01,ou=People,dc=test,dc=net
[...]
shadowMax: 0 shadowMax: 99999
It could be your shadowMax: 0
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=test,dc=net
NS_LDAP_BINDPASSWD= password
NS_LDAP_SERVERS= X.X.X.X:389
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_SERVER_PREF= X.X.X.X
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
I'm still testing so I ran ldapclient manually. When I feel that I have the right setting, I will load the profile into LDAP.
You didn't provide your full configuration for your RHEL client, but maybe it doesn't have access to the shadowMax attribute, or isn't using 'ldap' for shadow. Or maybe the presence of two values for shadowMax confuses the Solaris ldapclient.
Regards, Buchan
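One way to catch the two things Buchan points at (a shadowMax of 0 and a shadowMax given twice), plus the mistyped dn, before an entry is loaded: an added example, not code from the thread. The sample LDIF is constructed from the entries posted above, and the single-valued attribute list is taken from RFC 2307's shadowAccount definitions.

```python
# Added example: lint LDIF entries for the problems raised in this thread
# (malformed dn, shadowMax given twice, shadowMax: 0) before loading them.
import re
# Constructed sample, trimmed from the two entries posted above; test01's dn
# and double shadowMax are kept exactly as posted.
SAMPLE_LDIF = """\
dn: uid=user03,ou=People,dc=test,dc=net
uid: user03
objectClass: shadowAccount
shadowMax: 99999

dn: uid:test01,ou=People,dc=test,dc=net
uid: test01
objectClass: shadowAccount
shadowMax: 0
shadowMax: 99999
"""

# RFC 2307 declares these shadowAccount attributes SINGLE-VALUE.
SINGLE_VALUED = {"shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                 "shadowInactive", "shadowExpire", "shadowFlag"}
RDN_RE = re.compile(r"^[A-Za-z][\w-]*=[^,]+(,|$)")  # leading RDN must be attr=value

def parse_ldif(text):
    """Return a list of entries, each mapping attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():                  # blank line ends an entry
            if cur: entries.append(cur)
            cur = {}
            continue
        if line.startswith("#"):              # LDIF comment, e.g. "# user03, People, test.net"
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip(), []).append(val.strip())
    if cur: entries.append(cur)
    return entries

def lint_entry(entry):
    # Returns human-readable findings for one parsed entry; empty list means clean.
    findings = []
    dn = entry.get("dn", [""])[0]
    if not RDN_RE.match(dn):
        findings.append(f"malformed dn, RDN must be attr=value: {dn}")
    for attr in sorted(SINGLE_VALUED):
        if len(entry.get(attr, [])) > 1:
            findings.append(f"{attr} given {len(entry[attr])} times; schema allows one")
    if "0" in entry.get("shadowMax", []):
        findings.append("shadowMax: 0 sets a zero-day maximum password age")
    return findings
```

Run it over the output of an ldapsearch for ou=People before loading a client profile; user03 comes back clean and test01 gets three findings.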
On Thu, Dec 15, 2011 at 2:21 AM, Buchan Milne bgmilne@staff.telkomsa.net wrote:
On Wednesday, 14 December 2011 20:08:37 NetNinja wrote:
Hello,
I have two different user accounts and one works, the other not so
much. The account user03 works on both Solaris 10 and RHEL clients.
While test01 can do everything but login to the Solaris 10 client, I
can use this account to login to the RHEL client though. Can someone
look at my accounts below and tell me why user03 works and test01
doesn't?
# user03, People, test.net
dn: uid=user03,ou=People,dc=test,dc=net
[...]
shadowMax: 99999
# test01, People, test.net
dn: uid:test01,ou=People,dc=test,dc=net
[...]
shadowMin: 0
shadowMax: 99999
It could be your shadowMax: 0
I made a typo there; it should say shadowMin: 0. This could be it; the other account doesn't have this line.
# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= uid=proxyagent,ou=People,dc=test,dc=net
NS_LDAP_BINDPASSWD= password
NS_LDAP_SERVERS= X.X.X.X:389
NS_LDAP_SEARCH_BASEDN= dc=test,dc=net
NS_LDAP_SERVER_PREF= X.X.X.X
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=test,dc=net
NS_LDAP_SERVICE_AUTH_METHOD= pam_ldap:simple
I'm still testing so I ran ldapclient manually. When I feel that I have
the right setting, I will load the profile into LDAP.
You didn't provide your full configuration for your RHEL client, but maybe it doesn't have access to the shadowMax attribute, or isn't using 'ldap' for shadow. Or maybe the presence of two values for shadowMax confuses the Solaris ldapclient.
Regards,
Buchan
Thanks for your help. The RHEL clients work fine for both accounts. Only the Solaris client has issues with the test01 account.
I'm just trying to get the setup right for Solaris. Next step: automount or autofs.
openldap-technical@openldap.org