Re: LDAP User can't login can su to with root account

[Dan White <dwhite@cafedemocracy.org>]

On 12/18/16 18:40 +0800, Frank Yu wrote:
> I have setup a LDAP service on host A, and configure ldap client on host B.
> when I tried to login host B with user which already added in LDAP server,
> it report error even through I enter right passwd
>
> shanzhi.yu@10.10.10.101's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> shanzhi.yu@10.10.10.101's password:
> debug3: send packet: type 50
> debug2: we sent a password packet, wait for reply
> debug3: receive packet: type 51
> debug1: Authentications that can continue:
> publickey,gssapi-keyex,gssapi-with-mic,password
> Permission denied, please try again.
> shanzhi.yu@10.10.10.101's password:"
>
> and, I can su to user shanzhi.yu on host B
>
> [root@
> ​host B
> ~]# su shanzhi.yu
> [shanzhi.yu@
> ​host B
> root]$ cd
> [shanzhi.yu@
> ​host B
> ~]$

There are too many missing variables to give you specific advice. General
trouble shooting steps would include:

1) Enable server side (ssh) debugging to glean additional insight into the
problem.

2) Verify your ssh server config has pam enabled (assuming you're using an
ldap based pam module).

3) And if you are depending on pam to perform authentication, verify your
pam config with pamtester. Consult your pam ldap module documentation as
pam tends to be one of the more complicated parts of this type of setup.