Hi All,
I have set up an LDAP service on host A and configured the LDAP client on host B. When I try to log in to host B with a user that was already added to the LDAP server, it reports an error even though I enter the right password:
shanzhi.yu@10.10.10.101's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
shanzhi.yu@10.10.10.101's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
shanzhi.yu@10.10.10.101's password:
And I can su to user shanzhi.yu on host B:
[root@ host B ~]# su shanzhi.yu
[shanzhi.yu@ host B root]$ cd
[shanzhi.yu@ host B ~]$
What's the problem? Is there any config I should do? Thanks
On 12/18/16 18:40 +0800, Frank Yu wrote:
I have set up an LDAP service on host A and configured the LDAP client on host B. When I try to log in to host B with a user that was already added to the LDAP server, it reports an error even though I enter the right password:
shanzhi.yu@10.10.10.101's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
shanzhi.yu@10.10.10.101's password:
debug3: send packet: type 50
debug2: we sent a password packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
Permission denied, please try again.
shanzhi.yu@10.10.10.101's password:
And I can su to user shanzhi.yu on host B:
[root@ host B ~]# su shanzhi.yu
[shanzhi.yu@ host B root]$ cd
[shanzhi.yu@ host B ~]$
There are too many missing variables to give you specific advice. General troubleshooting steps would include:
1) Enable server side (ssh) debugging to glean additional insight into the problem.
2) Verify your ssh server config has pam enabled (assuming you're using an ldap based pam module).
3) And if you are depending on pam to perform authentication, verify your pam config with pamtester. Consult your pam ldap module documentation as pam tends to be one of the more complicated parts of this type of setup.
Hi Dan,
Thanks for your info. Now I have an OpenLDAP server set up on host dc001, and I have installed nss-pam-ldapd-0.8.13-8.el7.x86_64 on client dc005.
I configured system-auth/nsswitch.conf/nslcd.conf on dc005 as below:
*# cat /etc/pam.d/system-auth*
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_ldap.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so sha512 nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
*nsswitch.conf was configured as below:*
# egrep -v ^# /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss
netgroup: files sss
publickey: nisplus
automount:  files sss
aliases:    files nisplus
*nslcd.conf was configured as below:*
# egrep -v ^# /etc/nslcd.conf
uri ldap://10.9.1.61:389
base dc=hosso,dc=cc
uid nslcd
gid ldap
ssl no
tls_cacertdir /etc/openldap/cacerts
And I have a user on the LDAP server as below:
dn: cn=luo.lu,ou=regular,dc=hosso,dc=cc
cn: luo.lu
displayname: luo.lu
employeenumber: 10138
employeetype: regular
gidnumber: 501
givenname: luo
homedirectory: /home/luo.lu
loginshell: /bin/bash
mail: luo.lu@hosso.cc
objectclass: inetOrgPerson
objectclass: posixAccount
sn: lu
uid: luo.lu
uidnumber: 10138
userpassword: test
When I try to log in to dc005 as user luo.lu from local, I get the log below from /var/log/slapd/slapd.log on dc001:
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH attr=uid uidNumber
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH attr=memberUid cn gidNumber member
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
When I ssh to dc005 as root and then su to luo.lu (yes, that works), I get the log below:
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH attr=uid uidNumber
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH attr=memberUid cn gidNumber member
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SEARCH RESULT tag=101 err=0 nentries=0 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10138))"
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uidNumber) not indexed
Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:13 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=
Can you help take a look? Great thanks. It has confused me for a long time.
2016-12-20 1:01 GMT+08:00 Dan White dwhite@cafedemocracy.org:
There are too many missing variables to give you specific advice. General troubleshooting steps would include:
- Enable server side (ssh) debugging to glean additional insight into the problem.
- Verify your ssh server config has pam enabled (assuming you're using an ldap based pam module).
- And if you are depending on pam to perform authentication, verify your pam config with pamtester. Consult your pam ldap module documentation as pam tends to be one of the more complicated parts of this type of setup.
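As an added example (my code, not from the thread or from nss-pam-ldapd), a small Python parser for the two log shapes Frank posted. It walks slapd.log for one uid and reports whether the directory only saw NSS lookups (the SRCH ops nslcd issues when resolving the account) or also a BIND carrying that user's password, and it pulls op/acct/res out of an audit USER_AUTH record. The slapd sample is constructed; its BIND/RESULT pair does not appear in the excerpt above and is added to show what a password check looks like, since the excerpt contains none.

```python
import re

# Constructed sample, not a verbatim copy of the thread: the first four lines
# mirror the SRCH / SEARCH RESULT shape of the slapd.log excerpt (NSS lookups
# issued by nslcd); the BIND / RESULT pair is added to show what a password
# check by pam_ldap looks like when the directory rejects it (err=49).
SAMPLE_SLAPD_LOG = """\
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:05 dc001 slapd[17164]: conn=1007 op=0 BIND dn="cn=luo.lu,ou=regular,dc=hosso,dc=cc" method=128
Dec 22 15:26:05 dc001 slapd[17164]: conn=1007 op=0 RESULT tag=97 err=49 text=
"""

# The USER_AUTH record Frank quotes from audit.log, as posted in the thread.
SAMPLE_AUDIT_LINE = (
    "type=USER_AUTH msg=audit(1482399412.928:11840): pid=23099 uid=0 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 "
    "msg='op=pubkey acct=\"luo.lu\" exe=\"/usr/sbin/sshd\" hostname=? "
    "addr=10.31.0.113 terminal=ssh res=failed'"
)

OP_RE = re.compile(r"conn=(?P<conn>\d+) op=(?P<op>\d+) (?P<rest>.*)$")
SRCH_RE = re.compile(r'^SRCH base=.*filter="(?P<filter>[^"]*)"')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)" method=(?P<method>\d+)')
RESULT_RE = re.compile(r"^(?:SEARCH )?RESULT tag=(?P<tag>\d+) err=(?P<err>\d+)")
AUDIT_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# LDAP result codes (RFC 4511) worth naming in a login-failure investigation.
LDAP_ERR = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def summarize_user_ops(log_text, uid):
    """Count the directory operations that concern `uid`.

    Returns {"searches": n, "binds": [(dn, err), ...]}: `searches` are SRCH
    ops whose filter selects uid=<uid>; `binds` are BIND ops for a DN whose
    RDN value is this user, paired with the err code of their bindResponse
    (tag 97), which is the line that says whether the password was accepted.
    """
    pending = {}          # (conn, op) -> bind DN, until its RESULT arrives
    searches, binds = 0, []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue      # e.g. the "bdb_equality_candidates ... not indexed" notices
        key, rest = (m.group("conn"), m.group("op")), m.group("rest")
        if (s := SRCH_RE.match(rest)) and f"(uid={uid})" in s.group("filter"):
            searches += 1
        elif (b := BIND_RE.match(rest)) and f"={uid}," in b.group("dn"):
            pending[key] = b.group("dn")
        elif (r := RESULT_RE.match(rest)) and r.group("tag") == "97" and key in pending:
            binds.append((pending.pop(key), int(r.group("err"))))
    return {"searches": searches, "binds": binds}


def diagnose(summary):
    """Answer the question the slapd.log excerpt raises: did a password check
    reach the directory at all, and if so, what did the directory say?"""
    if not summary["binds"]:
        return ("searches only, no BIND for this user: NSS resolves the account "
                "(which is all a su from root needs) but no password was ever "
                "checked against LDAP, so look at the PAM auth stack and sshd "
                "before looking at slapd")
    dn, err = summary["binds"][-1]
    verdict = LDAP_ERR.get(err, f"err={err}")
    if err == 0:
        return f"BIND as {dn} succeeded: the directory accepted the password"
    return f"BIND as {dn} failed ({verdict}): the directory saw the password and rejected it"


def parse_audit_user_auth(line):
    """Pull op/acct/res out of an audit USER_AUTH record; None for other types."""
    if not line.startswith("type=USER_AUTH"):
        return None
    inner = line[line.index("msg='") + 5:line.rindex("'")]
    fields = {k: v.strip('"') for k, v in AUDIT_FIELD_RE.findall(inner)}
    return {key: fields.get(key) for key in ("op", "acct", "res")}


if __name__ == "__main__":
    summary = summarize_user_ops(SAMPLE_SLAPD_LOG, "luo.lu")
    print(summary)
    print(diagnose(summary))
    print(parse_audit_user_auth(SAMPLE_AUDIT_LINE))
```

Run against a real slapd.log, a result of searches with an empty bind list for the user means the failure happened on the client before any LDAP credential check, which is where Dan's pamtester and sshd-logging suggestions apply.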
I can see this log in audit.log when I try to log in:
type=CRYPTO_KEY_USER msg=audit(1482399412.824:11835): pid=23100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=61:0c:5a:cd:1e:e1:56:a0:b7:b4:5d:65:42:79:45:97 direction=? spid=23100 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1482399412.825:11836): pid=23100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=80:86:05:ef:8e:78:53:61:f0:4a:f0:f4:7a:0c:c5:1c direction=? spid=23100 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1482399412.825:11837): pid=23100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=29:c8:51:46:13:ea:ab:6b:1a:c1:95:07:60:73:a2:6a direction=? spid=23100 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1482399412.833:11838): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=23100 suid=74 rport=50693 laddr=10.10.10.35 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1482399412.833:11839): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client cipher=chacha20-poly1305@openssh.com ksize=512 mac= pfs=curve25519-sha256@libssh.org spid=23100 suid=74 rport=50693 laddr=10.10.10.35 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=USER_AUTH msg=audit(1482399412.928:11840): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="luo.lu" exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=ssh res=failed'
2016-12-22 15:46 GMT+08:00 Frank Yu flyxiaoyu@gmail.com:
-- Regards Frank Yu
On 12/22/16 17:39 +0800, Frank Yu wrote:
I can see this log in audit.log when I try to log in:
type=USER_AUTH msg=audit(1482399412.928:11840): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="luo.lu" exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=ssh res=failed'
I presume you are using SELinux? If so, I can't offer much help here other than to suggest disabling it in a lab environment to see if that's what's tripping you up.
Can you get better logging from sshd?
openldap-technical@openldap.org