Hey all,
I'm trying to get to the bottom of a slight mystery we're having. We have a
situation where some accounts stored in LDAP (using OpenLDAP) can log into
some hosts but not others using their LDAP account information.
To demonstrate, I take one of the users who is trying to log in and verify that
he does not have a local account on the target computer:
[root@monitor:~] #grep spencer /etc/passwd
[root@monitor:~] #
[root@monitor:~] #id spencer
id: spencer: No such user
But when I attempt to log into the host using his password (this is a test
account and I know the password), I get permission denied:
[me@home:~/creds] #ssh spencer@monitor.jokefire.com
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied, please try again.
spencer@monitor.jokefire.com's password:
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).
And in the 'secure' log file on the host I'm trying to log into I see the
following:
Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from xx.xx.xx.xx
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:11 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:11 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:13 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:14 monitor sshd[23496]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:15 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:15 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:17 monitor sshd[23137]: Failed password for invalid user spencer from xx.xx.xx.xx port 59017 ssh2
Mar 9 10:43:17 monitor sshd[23138]: Connection closed by xx.xx.xx.xx
Mar 9 10:43:17 monitor sshd[23137]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=ool-182e9727.dyn.optonline.net
Mar 9 10:43:20 monitor sshd[23717]: Connection closed by xx.xx.xx.xx
Yet if I try logging in with another test account on the same host that denied
'spencer' I am able to. The other account I'm testing with is called 'leo':
[walkiriasoares@wal-mac:~/creds] #ssh leo@monitor.jokefire.com
leo@monitor.jokefire.com's password:
Last login: Sun Mar 9 10:32:52 2014 from ool-xxxx.dyn.optonline.net
[leo@monitor ~]$
And I am able to verify that 'leo' does not have a local account:
[root@monitor:~] #grep leo /etc/passwd
[root@monitor:~] #
However I can get a unix id on this account:
[root@monitor:~] #id leo
uid=10005(leo) gid=5000(admins) groups=5000(admins)
And getent also shows that he has an account:
[root@monitor:~] #getent passwd | grep leo
leo:*:10005:5000:Leo Demo :/home/leo:/bin/bash
However, if I shift gears and try to log into the LDAP server itself (using the
same passwords), I can with both accounts.
[me@home:~] #ssh -qt spencer@ldap01.example.com
spencer@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
[me@home~] #ssh -qt leo@ldap01.example.com
leo@ldap01.example.com's password:
Welcome to Ubuntu 12.04.3 LTS (GNU/Linux 3.2.0-54-virtual x86_64)
Again I can verify that neither account is local to the LDAP server:
[root@ldap01:~] #egrep "(spencer|leo)" /etc/passwd
[root@ldap01:~] #
Here's what my nsswitch looks like on the monitoring host (where spencer can't
log in but leo can):
[root@monitor:~] #grep -v "#" /etc/nsswitch.conf
passwd: files sss
shadow: files sss
group: files sss
hosts: files dns
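The log excerpt above carries the real diagnostic signal: "Invalid user", "user unknown" and pam_succeed_if's "error retrieving information about user" all mean sshd's getpwnam() for the login name failed on that host, so the password was never actually checked, which is the same thing `id spencer` is reporting. The script below is an added example (not from the original post or from OpenSSH/SSSD) that triages sshd 'secure' log lines into "host cannot resolve this account through NSS" versus "account resolved but the credential was rejected". The sample lines are constructed from the post's excerpt; the client address, PIDs and the `leo` failure/success lines are placeholders I made up.

```python
"""Triage sshd 'secure' log lines: separate NSS lookup failures from rejected
credentials. Added example; not code from the original post."""
import pwd
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the post's log excerpt. The client address,
# PIDs and the two 'leo' lines are placeholders; the message formats are the
# ones OpenSSH, pam_unix and pam_succeed_if emit.
SAMPLE_LOG = """\
Mar 9 10:43:02 monitor sshd[23137]: Invalid user spencer from 192.0.2.10
Mar 9 10:43:02 monitor sshd[23138]: input_userauth_request: invalid user spencer
Mar 9 10:43:06 monitor sshd[23137]: pam_unix(sshd:auth): check pass; user unknown
Mar 9 10:43:06 monitor sshd[23137]: pam_succeed_if(sshd:auth): error retrieving information about user spencer
Mar 9 10:43:08 monitor sshd[23137]: Failed password for invalid user spencer from 192.0.2.10 port 59017 ssh2
Mar 9 10:44:01 monitor sshd[23500]: Failed password for leo from 192.0.2.10 port 59020 ssh2
Mar 9 10:44:05 monitor sshd[23500]: Accepted password for leo from 192.0.2.10 port 59020 ssh2
Mar 9 10:44:09 monitor sshd[23501]: Connection closed by 192.0.2.10
"""

# Messages sshd/PAM emit when getpwnam() for the login name fails on the host:
# the account never reached password verification.
LOOKUP_FAILURE = [
    re.compile(r"Invalid user (\S+) from"),
    re.compile(r"input_userauth_request: invalid user (\S+)"),
    re.compile(r"pam_succeed_if\(sshd:auth\): error retrieving information about user (\S+)"),
    re.compile(r"Failed password for invalid user (\S+) from"),
]
USER_UNKNOWN = re.compile(r"pam_unix\(sshd:auth\): check pass; user unknown")
# A resolvable account whose credential (or PAM policy) was rejected.
BAD_PASSWORD = re.compile(r"Failed password for (?!invalid user)(\S+) from")
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from")


def classify_sshd_line(line):
    """Return (category, user); user is None when the line names no account."""
    for pat in LOOKUP_FAILURE:
        m = pat.search(line)
        if m:
            return ("lookup_failure", m.group(1))
    if USER_UNKNOWN.search(line):
        return ("lookup_failure", None)
    m = BAD_PASSWORD.search(line)
    if m:
        return ("bad_password", m.group(1))
    m = ACCEPTED.search(line)
    if m:
        return ("accepted", m.group(1))
    return ("other", None)


def summarize(lines):
    """Per-user Counter of categories; anonymous 'user unknown' lines are keyed None."""
    per_user = defaultdict(Counter)
    for line in lines:
        category, user = classify_sshd_line(line)
        if category != "other":
            per_user[user][category] += 1
    return per_user


def diagnose(user, per_user):
    """Turn one account's counters into the next thing the admin should check."""
    c = per_user.get(user, Counter())
    if c["accepted"]:
        return ("ok", f"{user}: logins succeed on this host")
    if c["lookup_failure"] and not c["bad_password"]:
        return ("nss", f"{user}: host cannot resolve the account (id/getent fail); "
                       "check nsswitch.conf and the sssd/LDAP client, not the password")
    if c["bad_password"]:
        return ("auth", f"{user}: account resolves; credential or PAM access policy rejected")
    return ("unknown", f"{user}: no sshd evidence in this log window")


def nss_resolves(user):
    """The same check `id user` performs on the host: does NSS return a passwd entry?"""
    try:
        pwd.getpwnam(user)
        return True
    except KeyError:
        return False


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for name in ("spencer", "leo"):
        print(diagnose(name, summary)[1])
```

Run against the real file with `summarize(open("/var/log/secure").read().splitlines())`; an account that only ever produces `lookup_failure` lines on one host while `id` resolves it on another points at that host's NSS/SSSD configuration (or the filtering the SSSD domain applies) rather than at the directory password.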