HT204088 Hi Pam,

I have purchased a TV episode which would not download. I also cannot delete it; it seems to have frozen. The same has happened when trying to download a movie. Now the comment comes up "not enough storage space to continue download". This has rendered my device useless at the moment in terms of downloads. Please, any advice, in simple non-tech language would be greatly appreciated.
Margaret

Look at your purchase history to see what was purchased.
Change your password, in case it has been hacked.

Similar Messages

  • Unable to authenticate ssh via krb5 / PAM

    Anyone able to help with a PAM / krb5 issue? I've got it to the point where it will generate a ticket with kinit and my principal and password (shown with klist). When I try to ssh to my test box, though, ssh authentication fails. Looking through the logs (with debugging on), it looks like it's getting past the password check and then failing on something else? In other words, everything from the PAM-KRB5 module is indicating a success in the logs (PAM-KRB5 (auth): end: Success), but immediately after that, I get the following coming from sshd: Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied. Is it authenticating against more than one stack maybe?
    Relevant stack lines from pam.conf (as far as I know) are:
    sshd-kbdint auth required pam_unix_cred.so.1 debug
    sshd-kbdint auth binding pam_krb5.so.1 debug
    sshd-kbdint auth required pam_unix_auth.so.1 debug
    Note* I've tried using both binding and sufficient for pam_krb5.so.1, keytab check is turned off via krb5.conf (verify_ap_req_nofail = false). I've been digging through man pages, manuals, mailing list archives and whatnot for a day or two, I figure there's just something simple that I'm missing.
    Test host box is Solaris 10 update 3
    Test client box is Solaris 10 update 3
    kinit <principal> on the host prompts me for my password and when I enter it, it generates a ticket successfully (verified with klist)
    client-machine$ ssh <kerberosprincipal>@<host>
    returns the prompt:
    Enter Kerberos password for <principal>
    The original Kerberos configuration on my test host was done with a sys-unconfig and then plugging in the appropriate Kerberos info when prompted. I edited the krb5.conf as mentioned earlier to disable the keytab file requirement.
    Any and all advice on what to check on this would be appreciated. In the meantime, I'm going to go back to the Sys Admin Docs Security Services guide and read the PAM section cover to cover again in case I missed something.
    Thanks!
    Below is my full pam.conf and a cut and paste of a full log transaction from the time an ssh request goes in until the login fails.
    ____begin /etc/pam.conf______
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1
    login auth required pam_dhkeys.so.1
    login auth required pam_unix_cred.so.1
    login auth required pam_unix_auth.so.1
    login auth required pam_dial_auth.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    ##### - NOTE- This is the section I added
    # Kerberized ssh service
    sshd-kbdint auth required pam_unix_cred.so.1 debug
    sshd-kbdint auth binding pam_krb5.so.1 debug
    sshd-kbdint auth required pam_unix_auth.so.1 debug
    ##### - NOTE - End of the section I added.
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_dhkeys.so.1
    other auth required pam_unix_cred.so.1
    other auth required pam_unix_auth.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth required pam_passwd_auth.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1
    other account required pam_unix_account.so.1
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    # Support for Kerberos V5 authentication and example configurations can
    # be found in the pam_krb5(5) man page under the "EXAMPLES" section.
    ______end pam.conf__________
    The ssh debug log entries for the entire transaction look like this:
    * Sanitized - test host replaced with my.test.host, username replaced with the word principal, ssh client ip replaced with clientip
    ----- Begin ssh log-----
    Feb 22 21:22:46 my.test.host sshd[398]: [ID 800047 auth.debug] debug1: Forked child 1127.
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.info] Connection from clientip port 46175
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.info] Connection from clientip port 46175
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Client protocol version 2.0; client software version Sun_SSH_1.1
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: no match: Sun_SSH_1.1
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Enabling compatibility mode for protocol 2.0
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Local version string SSH-2.0-Sun_SSH_1.1
    Feb 22 21:22:46 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: list_hostkey_types: ssh-rsa,ssh-dss
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Failed to acquire GSS-API credentials for any mechanisms (No credentials were supplied, or the credentials were unavailable or inaccessible
    Feb 22 21:22:47 my.test.host Unknown code 0
    Feb 22 21:22:47 my.test.host )
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEXINIT received
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: kex: client->server aes128-ctr hmac-md5 none
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: kex: server->client aes128-ctr hmac-md5 none
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, ctos: i-default
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Peer sent proposed langtags, stoc: i-default
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: We proposed langtags, ctos: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: We proposed langtags, stoc: ar-EG,ar-SA,bg-BG,ca-ES,cs-CZ,da-DK,de,de-AT,de-CH,de-DE,de-LU,el-CY,el-GR,en-AU,en-CA,en-GB,en-IE,en-MT,en-NZ,en-US,es,es-AR,es-BO,es-CL,es-CO,es-CR,es-EC,es-ES,es-GT,es-MX,es-NI,es-PA,es-PE,es-PY,es-SV,es-UY,es-VE,et-EE,fi-FI,fr,fr-BE,fr-CA,fr-CH,fr-FR,fr-LU,he-IL,hi-IN,hr-HR,hu-HU,is-IS,it,it-IT,ja-JP,ko,ko-KR,lt-LT,lv-LV,mk-MK,mt-MT,nb-NO,nl-BE,nl-NL,nn-NO,pl,pl-PL,pt-BR,pt-PT,ro-RO,ru,ru-RU,sh-BA,sk-SK,sl-SI,sq-AL,sr-CS,sv,sv-SE,th-TH,tr-TR,zh,zh-CN,zh-HK
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Negotiated main locale: C
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: Negotiated messages locale: C
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: dh_gen_key: priv key bits set: 131/256
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: bits set: 1617/3191
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: bits set: 1617/3191
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: newkeys: mode 1
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS sent
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: expecting SSH2_MSG_NEWKEYS
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: newkeys: mode 0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: SSH2_MSG_NEWKEYS received
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: KEX done
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method none
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 0 initial attempt 0 failures 0 initial failures 0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.info] Failed none for principal from clientip port 46175 ssh2
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.info] Failed none for principal from clientip port 46175 ssh2
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method keyboard-interactive
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 1 initial attempt 0 failures 1 initial failures 0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='principal'
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
    Feb 22 21:22:47 my.test.host sshd[1127]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
    Feb 22 21:22:58 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: got 1 responses
    Feb 22 21:22:58 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: PAM conv function returns PAM_SUCCESS
    Feb 22 21:22:58 my.test.host sshd[1127]: [ID 179272 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: krb5_get_init_creds_password returns: SUCCESS
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 833335 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth returning 0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 914654 auth.debug] PAM-KRB5 (auth): pam_sm_auth finalize ccname env, result =0, env ='KRB5CCNAME=FILE:/tmp/krb5cc_100', age = 0, status = 0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 525286 auth.debug] PAM-KRB5 (auth): end: Success
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[7] while authorizing: Permission denied
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.info] Failed keyboard-interactive for principal from clientip port 46175 ssh2
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: userauth-request for user principal service ssh-connection method keyboard-interactive
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: attempt 2 initial attempt 1 failures 2 initial failures 1
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 800047 auth.debug] debug1: keyboard-interactive devs
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 490997 auth.debug] PAM-KRB5 (auth): krb5_cleanup auth_status = 0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 655841 auth.debug] PAM-KRB5 (auth): pam_sm_authenticate flags=0
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 549540 auth.debug] PAM-KRB5 (auth): attempt_krb5_auth: start: user='principal'
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 704353 auth.debug] PAM-KRB5 (auth): Forwardable tickets requested
    Feb 22 21:22:59 my.test.host sshd[1127]: [ID 912857 auth.debug] PAM-KRB5 (auth): Renewable tickets requested
    ------ end ssh log -------

    Downgrade openssh to 5.5p1.
    There is another post and a bug report about it.

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I try to then change the password with the `passwd` command it does not use the password policy on the directory server but the default defined in /etc/default/passwd
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the "pam_authtok_check: minimum length from /etc/default/passwd: 8" log line. It is clearly not using the policy from the directory server but checking locally. So I can log in OK using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...
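
An added example, not part of either thread above and not code from any poster: it resolves which pam.conf lines a service actually runs for each module type, using the rule stated in the files' own comments that `other` applies when a service is not explicitly mentioned. The embedded excerpts are copied from the two posted pam.conf files; the function names are hypothetical, and reading "while authorizing" as the account stack is an assumption.

```python
"""Resolve the effective pam.conf stack for a service and module type."""
from collections import namedtuple

Entry = namedtuple("Entry", "service mtype control module options")
MODULE_TYPES = ("auth", "account", "session", "password")

# Excerpt copied from the pam.conf in the krb5/ssh thread.
KRB5_THREAD_CONF = """\
# Kerberized ssh service
sshd-kbdint auth required pam_unix_cred.so.1 debug
sshd-kbdint auth binding pam_krb5.so.1 debug
sshd-kbdint auth required pam_unix_auth.so.1 debug
other auth requisite pam_authtok_get.so.1
other auth required pam_unix_auth.so.1
other account requisite pam_roles.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
"""

# Excerpt copied from the pam.conf in the LDAP password-length thread.
LDAP_THREAD_CONF = """\
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
"""


def parse_pam_conf(text):
    """Return the entries of a pam.conf-style file in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in MODULE_TYPES:
            raise ValueError("malformed pam.conf line: %r" % raw)
        entries.append(Entry(fields[0], fields[1], fields[2],
                             fields[3], tuple(fields[4:])))
    return entries


def effective_stack(entries, service, mtype):
    """Return (source_service, entries) used for this service and type.

    A service with no lines of its own for a module type falls back to
    the 'other' service for that type only.
    """
    own = [e for e in entries if e.service == service and e.mtype == mtype]
    if own:
        return service, own
    fallback = [e for e in entries
                if e.service == "other" and e.mtype == mtype]
    return "other", fallback


def module_names(stack):
    """pam_krb5.so.1 -> pam_krb5, preserving stack order."""
    return [e.module.split(".so")[0] for e in stack]


def runs_before(stack, first, second):
    """True when both modules are in the stack and 'first' is listed earlier."""
    names = module_names(stack)
    return (first in names and second in names
            and names.index(first) < names.index(second))


if __name__ == "__main__":
    for title, conf, service in (
        ("krb5/ssh thread", KRB5_THREAD_CONF, "sshd-kbdint"),
        ("LDAP passwd thread", LDAP_THREAD_CONF, "passwd"),
    ):
        entries = parse_pam_conf(conf)
        print(title)
        for mtype in MODULE_TYPES:
            source, stack = effective_stack(entries, service, mtype)
            print("  %-8s from %-11s %s"
                  % (mtype, source, ", ".join(module_names(stack)) or "-"))
```

For `sshd-kbdint` only the auth type is defined, so the account type comes from `other` and contains no `pam_krb5`; for `passwd`, the password type comes from `other`, where `pam_authtok_check` is listed ahead of `pam_authtok_store ... server_policy`.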

  • How to retrieve ip address of the server running PAM inside its module?

    Hello all,
    I've configured Solaris 8 with a deal of ip aliases on the network interface.
    Also I've a handwritten PAM module to auth users. It has some specific functionality which I need.
    For the moment, this module needs to be updated. This update requires knowledge of the IP address the user is connecting to.
    Is it possible to determine, inside the PAM module, the IP address (alias IP) of the machine the user is connecting to?
    Thank you for your answers.
    Mikhail.

    > Can i access the ip address of the DB server through SQL or PL/SQL code?
    No. It is the wrong place to look.
    Reason: a server can, and often has, multiple IP addresses.
    So when you run SQL or PL/SQL code (or a Java stored proc), that will likely report the 1st IP address of the server - and you could have connected via another IP address of that server.
    The actual socket call to get the hostname returns an array of IP addresses. So which one is the correct one? How do you know whether or not your client session connected to the 1st IP in this array?
    The correct place to look is at the socket handle for that Oracle session on the client. And determine to what IP address that socket is connected to.
    This is not that easy - I do not think that the OCI exposes the socket handle it creates. But you can use kernel calls to get a list of established TCP sessions and to what IP address they're connected to. The netstat command on Windows and Unix/Linux is an example of how this can be done.

  • Kde and Pam related problems[solved]

    And here they are, from /var/log/errors:
    Jun 28 14:47:58 DreaM kdm: :0[2780]: PAM unable to dlopen(/lib/security/pam_console.so)
    Jun 28 14:47:58 DreaM kdm: :0[2780]: PAM [dlerror: /lib/security/pam_console.so: cannot open shared object file: No such file or directory]
    Jun 28 14:47:58 DreaM kdm: :0[2780]: PAM adding faulty module: /lib/security/pam_console.so
    Jun 28 14:47:58 DreaM kde-np(pam_unix)[2780]: unrecognized option [service=system-auth]
    Jun 28 14:47:58 DreaM kde-np(pam_unix)[2780]: unrecognized option [service=system-auth]
    Any way to disable Pam in Kde?

    Thanks a ton for this tip. Finally my logs will not be polluted with junk. I agree with you that the troublesome entries should be commented by default. Just like this:
    #%PAM-1.0
    auth required pam_nologin.so
    auth required pam_permit.so
    account required pam_unix.so #service=system-auth
    password required pam_unix.so #service=system-auth
    session required pam_unix.so #service=system-auth
    session optional pam_console.so
    session required pam_limits.so
    EDIT: 

  • How to use custom PAM module to unlock screen ?

    Hi,
    I actually use a custom PAM module to authenticate my users. This is working like a charm with sudo.
    I wanted to add it to the login screen, the one that everyone uses. I added my config in /etc/pam.d/authorization and everything is working. When I get a box prompting for a password, the plugin is activated. As expected.
    But my problem is that the plugin is not activated when my Mac gets the unlock screen after being on sleep. You know, the one where your screenpaper is shown and your image. How to do so?
    Many thanks.
    Regards,
    Andy Pilate

    Here is how I did it in my app:
    <jbo:ApplicationModule id="am" configname="TestAMLocal" releasemode="Stateful" />
    <jbo:DataSource id="ds" appid="am" viewobject="TestView" rangesize="3"/>
    <%
    TestAM am2 = (TestAM) TestAM.useApplicationModule();
    am2.TestClient();
    %>
    Hope this helps.

  • Broken functionality after update (gnome, pam, glib2, systemd, etc.)

    I upgraded my system yesterday after going for a month or two without updates and a ton of authentication-related stuff broke. Here are some of the issues/symptoms I'm currently experiencing:
    Seeing this message in journalctl:
    May 22 13:13:50 deepspace1 slim[203]: pam_loginuid(slim:session): set_loginuid failed
    Pulseaudio is not started when logged into GNOME; aplay does not list any cards when invoked by my user:
    [mcmlxxxvi@deepspace1 ~]$ aplay -l
    aplay: device_list:268: no soundcards found...
    [mcmlxxxvi@deepspace1 ~]$ sudo aplay -l
    **** List of PLAYBACK Hardware Devices ****
    card 0: NVidia [HDA NVidia], device 0: ALC662 rev1 Analog [ALC662 rev1 Analog]
    Subdevices: 1/1
    Subdevice #0: subdevice #0
    When I start pulseaudio manually, it only lists the dummy output.
    USB sticks no longer auto-mount
    I had been using GNOME 3 on forced fallback and logging in through SLiM.
    I tried to upgrade libreoffice, which made me upgrade glib2 (to 2.36.2-1), which caused some other problems (pnglib, etc.) so eventually I upgraded everything (including kernel, systemd, pam (to 1.1.6-3) and gnome (to 3.8)) without rebooting. A couple of hours later I was suddenly thrown out of my session and saw something about some journaling/logging utility being passed too large a block (cannot find it in the logs at the moment) on the console. I rebooted and after logging in, gnome-session-failed (the "Oh no" screen) was started. GNOME started successfully when I logged in as root.
    Googling around, some threads on here and based on the PAM message above, I tried to downgrade glib2 (to 2.36.1-3, 2.34.3-1, 2.34.2-2 and 2.32.4-1), to upgrade pam (to 1.1.6-4, which had appeared in the meantime) and then downgrade it (back to 1.1.6-3 and then to 1.1.6-1).
    glib2 downgrade led to nowhere (later versions led to gnome-session-failed, while with earlier ones GNOME would not start at all). Downgrading pam led me to a situation where I received a "Login incorrect" after entering the username (both console & SLiM) which I had to fix through init=/bin/bash.
    Following the advice here I cleared the hidden GNOME files and was finally able to log in (default mode, not fallback). Enabling fallback via gsettings (gsettings set org.gnome.desktop.session session-name gnome) brought back gnome-session-failed.
    So I'm led to believe that I originally had 2 problems: fallback mode, which I read had been disabled, and the authentication problem. I'm currently struggling with the latter and would like help on how to approach the situation.
    I'm not sure which logs would be needed for troubleshooting, and I'm still quite clumsy with journalctl, but will provide any logs requested.

    You should *never* do partial upgrades. There is a reason why everywhere you see people saying that "partial upgrades are not supported".
    I am not sure how you can be "clumsy with journalctl". As far as its most basic functionality, it is pretty darn straightforward. Though that is assuming you are willing to do a quick read of the man page... or even the output of "--help".

  • Solaris 10 onboard Apache 1.3.x authenticating against PAM?

    Hi fellow admins,
    can anyone give me some hints on how to get the Apache 1.3 delivered with Solaris 10 to authenticate against the local unix files (passwd + shadow, via PAM?)
    I've grabbed mod_auth_pam, managed to compile it with some modifications to apxs and the Makefile, and Apache loads the module just fine,
    but no matter how I set up my pam.conf, I always end up with "No account present for user" in my Apache log.
    From googling for this string, I see that other people usually get a user name after "user ", which I don't - suggesting that Apache/mod_auth_pam doesn't pass the user name on to PAM?
    On a side note.. I'm considering moving on to Apache 2.2.x soon anyways - is PAM authentication any easier with that version, or will I face the same problems?
    My main reason for switching from htpasswd to PAM is the automatic account locking after X failed logins - can I get to this goal on a different route without PAM?

    Compiling Apache 1.3 with gcc on linux or unix? If you are using unix, I would be compiling with cc and not gcc. You have gcc set to compile using regular expressions and I believe that has to be specified during SunOS install as posix compliant.

  • Server 280R is showing the error  can't open PAM library

    Hello Guys,
    Please help me to overcome this error. The server is showing the error "can't open the PAM library contact system administrator". I heard that I have to install one package to fix this problem; that package is SUNnspr. But I am not getting this package anywhere from the Sun site, so kindly can anybody help me with what to do now? Shall I install the OS again, or is there any other process? And the server is also not booting.
    It's very urgent

    Try searching for SUNWnspr in your Solaris CDs / DVD. It's there. Once you find it, use pkgadd to install the package and if you have access to sunsolve, apply the latest nspr patch (I think this patch is available for SunOS 5.8 in patch 119209-11, for SunOS 5.9 in patch 119211-11, for SunOS 5.10 in patch 119213-11, for SunOS 5.9_x86 in patch 119212-11, for SunOS 5.10_x86 in patch 119214-11).

  • [closed] PAM won't authenticate with mysql (make_scrambled_password)

    Hi all,
    I have spent some time searching for this and it seems I'm the only one having problem with PAM not authenticating through mysql so I thought I will post my problem here and if I find solution I will post here as well for others to follow.
    In short - I'm running postfix with saslauthd and dovecot. Both are authenticating through pam employing mysql as credentials source.
    Everything was working fine until today's update - I can't connect to the mail server any more and here is what I see in the logs:
    PAM unable to dlopen(/usr/lib/security/pam_mysql.so): /usr/lib/security/pam_mysql.so: undefined symbol: make_scrambled_password
    PAM adding faulty module: /usr/lib/security/pam_mysql.so
    DEBUG: auth_pam: pam_authenticate failed: Module is unknown
    do_auth : auth failure: [user=xxxx] [service=smtp] [realm=xxxx] [mech=pam] [reason=PAM auth error]
    So I may be wrong but to my understanding pam_mysql.so is using deprecated make_scrambled_password that is not supported by mysql any more.
    I don't know what the solution would be and will appreciate it if anybody can advise.
    Many thanks in advance,
    Greg
    Last edited by Gregosky (2014-03-01 22:41:53)

    Thanks, I have seen them but I thought this should be patched at source so no other Arch user would come across it.
    I'm wondering why am I seeing this error now, after such a long time of using my postfix setup.. This must have been caused by latest update I ran yesterday as I have not modified any configuration.
    I still did not find solution to this.
    I submitted  bug report on project page, hopefully some hints will arrive from there.
    Now also submitted on Arch bug tracker.
    Support for pam_mysql dropped. I will move to another backend. Case closed however there is no solution for pam_mysql.
    Last edited by Gregosky (2014-03-01 22:40:54)

  • Solaris 10 with PAM, OpenSSH and OpenLDAP

    Hi all,
    Due to the mix of Linux and Solaris machines, we decided to do OpenLDAP and OpenSSH on the Solaris machines as well. All works fine on the Linux machines, but we cannot get PAM authentication to work on the Solaris machines. I have a user in the ldap database, esawyja; when the user su esawyja, it works, but the user cannot ssh into the server.
    test5:/ $ su esawyja
    test5:/ $ whoami
    esawyja
    test5:/ $ exit
    exit
    test5:/ $ whoami
    root
    test5:/ $
    test5:/ $ ssh -v [email protected]
    OpenSSH_5.8p1, OpenSSL 1.0.0a 1 Jun 2010
    debug1: Reading configuration data /usr/local/etc/ssh_config
    debug1: Connecting to 10.1.1.5 [10.1.1.5] port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /.ssh/id_rsa type -1
    debug1: identity file /.ssh/id_rsa-cert type -1
    debug1: identity file /.ssh/id_dsa type -1
    debug1: identity file /.ssh/id_dsa-cert type -1
    debug1: identity file /.ssh/id_ecdsa type -1
    debug1: identity file /.ssh/id_ecdsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8
    debug1: match: OpenSSH_5.8 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.8
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: sending SSH2_MSG_KEX_ECDH_INIT
    debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
    debug1: Server host key: RSA 1b:42:5b:37:e4:86:99:e1:af:81:bc:64:c8:68:a6:98
    debug1: Host '10.1.1.5' is known and matches the RSA host key.
    debug1: Found key in /.ssh/known_hosts:3
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    debug1: Next authentication method: publickey
    debug1: Trying private key: /.ssh/id_rsa
    debug1: Trying private key: /.ssh/id_dsa
    debug1: Trying private key: /.ssh/id_ecdsa
    debug1: Next authentication method: keyboard-interactive
    Password:
    debug1: Authentications that can continue: publickey,password,keyboard-interactive
    Password:
    from the debug parameter on the pam_ldap.so.1 in /etc/pam.conf, see below, I get the error pam_ldap: no legal authentication method configured
    from /etc/pam.conf
    sshd auth requisite pam_authtok_get.so.1
    sshd auth required pam_dhkeys.so.1
    sshd auth required pam_unix_cred.so.1
    sshd auth binding pam_unix_auth.so.1 server_policy
    sshd auth required pam_ldap.so.1 debug
    Feb 17 14:48:19 test5.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 816976 auth.debug] tid= 1: Connection added [0]
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 467101 auth.debug] tid= 1: connectionID=1024
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 805042 auth.debug] tid= 1: shared=1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 982078 auth.debug] tid= 1: usedBit=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 727660 auth.debug] tid= 1: threadID=1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 939703 auth.debug] tid= 1: AuthType=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 142272 auth.debug] tid= 1: TlsType=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 537450 auth.debug] tid= 1: SaslMech=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
    Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd root), flags = 1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 816976 auth.debug] tid= 1: Connection added [0]
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 467101 auth.debug] tid= 1: connectionID=1024
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 805042 auth.debug] tid= 1: shared=1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 982078 auth.debug] tid= 1: usedBit=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 727660 auth.debug] tid= 1: threadID=1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 939703 auth.debug] tid= 1: AuthType=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 142272 auth.debug] tid= 1: TlsType=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 537450 auth.debug] tid= 1: SaslMech=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
    Feb 17 14:48:39 test5.company.com sshd[11349]: [ID 800047 auth.info] Failed password for root from 10.1.1.215 port 51941 ssh2
    Feb 17 14:48:42 test5.company.com sshd[11349]: [ID 800047 auth.info] Accepted password for root from 10.1.1.215 port 51941 ssh2
    Feb 17 14:54:59 test5.company.com su: [ID 366847 auth.info] 'su esawyja' succeeded for root on /dev/pts/10
    Feb 17 14:55:32 test5.company.com sshd[8939]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 453631 auth.debug] tid= 1: Adding connection (serverAddr=127.0.0.1)
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 776464 auth.debug] tid= 1: Initialized sessionPool
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 816976 auth.debug] tid= 1: Connection added [0]
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 467101 auth.debug] tid= 1: connectionID=1024
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 805042 auth.debug] tid= 1: shared=1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 982078 auth.debug] tid= 1: usedBit=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 727660 auth.debug] tid= 1: threadID=1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 577507 auth.debug] tid= 1: serverAddr=127.0.0.1
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 939703 auth.debug] tid= 1: AuthType=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 142272 auth.debug] tid= 1: TlsType=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 537450 auth.debug] tid= 1: SaslMech=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 625532 auth.debug] tid= 1: SaslOpt=0
    Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
    Feb 17 14:55:36 test5.company.com sshd[11600]: [ID 800047 auth.error] error: PAM: Authentication failed for esawyja from 10.1.1.5
    Feb 17 14:55:58 test5.company.com sshd[9612]: [ID 800047 auth.info] Received disconnect from 10.1.1.118: 11: disconnected by user
    In the slapd logfile I get this
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access granted by read(=rscxd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 384072 local4.debug] => access_allowed: read access granted by read(=rscxd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 923158 local4.debug] => access_allowed: read access to "uid=esawyja,ou=People,dc=company,dc=com" "userPassword" requested
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [1]
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 184944 local4.debug] => dn: [2] cn=subschema
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 134411 local4.debug] => acl_get: [3] attr userPassword
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 105589 local4.debug] => slap_access_allowed: result not in cache (userPassword)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 971074 local4.debug] => acl_mask: access to entry "uid=esawyja,ou=People,dc=company,dc=com", attr "userPassword" requested
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 488679 local4.debug] => acl_mask: to value by "", (=0)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: self
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 704950 local4.debug] <= check a_dn_pat: *
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 279303 local4.debug] <= acl_mask: [2] applying auth(=xd) (stop)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 804284 local4.debug] <= acl_mask: [2] mask: auth(=xd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 737876 local4.debug] => slap_access_allowed: read access denied by auth(=xd)
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 127828 local4.debug] => access_allowed: no more rules
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 572208 local4.debug] send_search_entry: conn 437 access to attribute userPassword, value #0 not allowed
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 823432 local4.debug] AND
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 679408 local4.debug] begin get_filter_list
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 694368 local4.debug] EQUALITY
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 274773 local4.debug] end get_filter 0
    Feb 17 14:59:11 test5.company.com slapd[8208]: [ID 119476 local4.debug] begin get_filter
    The user looks like this in the ldap database
    test5:/var/log $ ldaplist -l passwd esawyja
    dn: uid=esawyja,ou=People,dc=company,dc=com
    objectClass: account
    objectClass: posixAccount
    objectClass: top
    objectClass: shadowAccount
    cn: xxxxxxxxxxxxxxxxxxxxx
    uid: esawyja
    loginShell: /usr/bin/bash
    uidNumber: 1001
    gidNumber: 500
    homeDirectory: /home/admin/esawyja
    shadowLastChange: 12193
    shadowMin: 0
    shadowMax: 99999
    shadowWarning: 7
    shadowInactive: 1
    shadowExpire: 12999
    gecos: Wynand
    test5:/var/log $
    PLEASE I need help, been at this for the last week and I'm out of ideas
    Thanks

    I am not using OpenLDAP as a backend myself, I am using Sun/Oracle directory server. Initially this was version 5, and I have since upgraded to a mix of DS 6 and DS 7.
    With Sun DS, you run the idsconfig command (/usr/lib/ldap/idsconfig) which helps configure the server with things like a client profile and appropriate access permissions (e.g. compare password). It will also help configure a proxy account. Sun LDAP clients should NOT need a proxy account. Linux clients would need the proxy account.
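The log excerpt in the question above can be reduced mechanically. The following is an added example, not part of the original thread: it parses Solaris syslog lines in the layout quoted in the post and attaches each PAM module `auth.error` to the sshd login result that follows for the same user, including the case where the result is logged under a different sshd PID. The function names, the 5-second correlation window and the placeholder year are assumptions made for the example.

```python
import re
from collections import Counter, namedtuple
from datetime import datetime, timedelta

# Sample input: lines abridged from the log excerpt quoted in the post.
SAMPLE = """\
Feb 17 14:48:19 test5.company.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Feb 17 14:48:23 test5.company.com sshd[11347]: [ID 800047 auth.info] Failed password for esawyja from 10.1.1.215 port 51939 ssh2
Feb 17 14:48:42 test5.company.com sshd[11349]: [ID 800047 auth.info] Accepted password for root from 10.1.1.215 port 51941 ssh2
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd esawyja), flags = 1
Feb 17 14:55:36 test5.company.com sshd[11602]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
Feb 17 14:55:36 test5.company.com sshd[11600]: [ID 800047 auth.error] error: PAM: Authentication failed for esawyja from 10.1.1.5
"""

# Solaris syslog layout: "Mon DD HH:MM:SS host prog[pid]: [ID n facility.level] message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:"
    r"\s\[ID\s(?P<msgid>\d+)\s(?P<fac>\w+)\.(?P<lvl>\w+)\]\s(?P<msg>.*)$"
)
# Debug line a PAM module writes on entry; it names the user for this PID.
PAM_ENTER = re.compile(r"pam_sm_authenticate\((?P<svc>\S+) (?P<user>[^)]+)\)")
# Error line written by a PAM module itself, e.g. "pam_ldap: <reason>".
MODULE_ERR = re.compile(r"^(?P<module>pam_\w+): (?P<reason>.+)$")
# Final verdict lines written by sshd.
OUTCOME = re.compile(
    r"(?P<result>Failed password|Accepted password|PAM: Authentication failed)"
    r" for (?:invalid user |illegal user )?(?P<user>\S+) from (?P<src>\S+)"
)

Attempt = namedtuple("Attempt", "time pid user source result cause")


def correlate(text, window=timedelta(seconds=5)):
    """Return one Attempt per sshd verdict, with the PAM module error that explains it."""
    user_by_pid = {}   # pid -> user named in the last pam_sm_authenticate line
    last_error = {}    # user -> (timestamp, "module: reason")
    attempts = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["prog"] != "sshd":
            continue
        # syslog omits the year; 2000 is a placeholder (assumption) used only for deltas
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        msg = m["msg"]
        enter = PAM_ENTER.search(msg)
        if enter:
            user_by_pid[m["pid"]] = enter["user"]
            continue
        err = MODULE_ERR.match(msg)
        if err and m["lvl"] == "error":
            user = user_by_pid.get(m["pid"])
            if user:
                last_error[user] = (ts, f"{err['module']}: {err['reason']}")
            continue
        out = OUTCOME.search(msg)
        if not out:
            continue
        cause = None
        if not out["result"].startswith("Accepted"):
            # Match on user, not PID: with privilege separation the verdict can be
            # logged by a different sshd process than the one that ran the module.
            hit = last_error.get(out["user"])
            if hit and timedelta(0) <= ts - hit[0] <= window:
                cause = hit[1]
                del last_error[out["user"]]  # one module error explains one verdict
        attempts.append(Attempt(m["ts"], m["pid"], out["user"], out["src"],
                                out["result"], cause))
    return attempts


def failure_causes(attempts):
    """Count failed attempts by explaining cause."""
    return Counter(a.cause or "no module error logged"
                   for a in attempts if not a.result.startswith("Accepted"))


if __name__ == "__main__":
    for a in correlate(SAMPLE):
        print(a.time, a.user, a.source, a.result, "<-", a.cause)
    print(dict(failure_causes(correlate(SAMPLE))))
```

A failure with no module error attached, like the first one in the sample, was rejected before the debug-enabled module logged anything, so it needs a separate look.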

  • OpenSSH 4.4p1 packages with PAM support for Solaris 9, 10

    As mentioned in a previous post* , I've compiled OpenSSH packages with PAM support for Solaris 9 and 10. They've since been updated to version 4.4p1, and are compiled against a static zlib (1.2.3) and OpenSSL (0.9.8c). You can find them here:
    http://firewallworks.com/downloads/unsupported/Solaris-sparc/
    Regards,
    Greg
    * http://forum.sun.com/jive/thread.jspa?threadID=103378&tstart=105

    Yes, zlib 1.2.3 is a requirement. In fact, zlib mentions a 2005 vulnerability fix but I found no matching patch in sunsolve. See
    http://www.kb.cert.org/vuls/id/JGEI-6E7RC3
    I have been wondering whether to replace the official zlib. Linking statically is probably a better idea. Thanks

  • Disable PAM

    Hi All,
    I need to disable PAM in Solaris,
    In Solaris 9 I set parameter "PAMAuthenticationVIAKBD=NO"
    in /etc/ssh/sshd_conf file
    I could not find this file in Solaris 8, pls suggest how to disable PAM in Solaris 8
    Thanks & Regds,
    Gattu

    Hi mAbrante,
    Thanks for your info and help
    I could find sshd_config file in solaris 8
    In Solaris 9 when I disabled PAM by setting "PAMAuthenticationViaKBDInt no" I found that "PasswordAuthentication yes" is not commented
    But in Solaris 8 "PasswordAuthentication yes" is commented
    Do I need to uncomment the above when I disable PAM?
    Thanks again

  • Authentification ldap,pam.d on solaris 11

    Hi,
    I tested ldap authentication on Solaris 11 and I didn't succeed in ssh connection.
    I succeed in viewing ldap users (getent passwd) and i modified /etc/pam.d/login other and passwd
    with "auth required pam_ldap

    Hi,
    Try to change the following two files: /etc/pam.d/login and /etc/pam.d/other
    Change the line that states:
    auth required pam_unix_auth.so.1
    to
    auth binding pam_unix_auth.so.1 server_policy
    auth required pam_ldap.so.1
    Did you also check the attribute mapping for the LDAP client?
    svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
    svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
    what does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
    While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber which I manually set to the last part of the objectSID property to keep it unique within the domain.
    Kind regards,
    Lambert

  • Kerberos PAM Help!

    Hi All-
    I'm hoping some of you Sun Kerberos gurus can tell me if my problem can be resolved... Basically I have my test Solaris 10 system set up to authenticate, via PAM, in 3 ways.
    First it checks if you have a local account and then lets you in if so.
    Second it checks to see if you have a Kerberos account and if so authenticates you using Kerberos (getting a ticket) and uses LDAP account information.
    Third, if you have no Kerberos account, it checks your LDAP password and if correct lets you in using your LDAP account info.
    Basically I can get things working but the Kerberos PAM module is VERY chatty! If I log in with my LDAP password, pam_krb5 always tells me "Kerberos authentication failed" during dtlogin or ssh login, and then lets me in. But it's very annoying, and will confuse my users.
    Example: (logging in using LDAP password):
    % ssh weiler@testhost
    weiler@testhost's password:
    Kerberos authentication failed
    Last login: Fri Jun 30 08:33:26 2006 from banshee.cse.ucs
    You have mail.
    testhost:/home/weiler%
    And if I use my Kerberos password it gives me no errors and logs me in. With dtlogin, a pop-up window actually pops up saying the same thing, "Kerberos Authentication Failed" and you have to click the "OK" button and then it logs you in.
    I guess my question is: Is there any way to tell Kerberos to be quiet? I don't care if Kerberos authentication fails when people are logging in using LDAP credentials, I just don't want it to keep telling me it failed every time. The "nowarn" flag used with pam_krb5.so.1 in pam.conf doesn't seem to help....
    Here's my /etc/pam.conf if it will help:
    login auth requisite pam_authtok_get.so.1
    login auth required pam_unix_cred.so.1
    login auth sufficient pam_unix_auth.so.1
    login auth sufficient pam_krb5.so.1
    login auth sufficient pam_ldap.so.1
    dtsession auth sufficient pam_unix_auth.so.1
    dtsession auth sufficient pam_krb5.so.1
    dtsession auth sufficient pam_ldap.so.1
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth required pam_unix_cred.so.1
    rlogin auth required pam_unix_auth.so.1
    # Kerberized rlogin service
    krlogin auth required pam_unix_cred.so.1
    krlogin auth binding pam_krb5.so.1
    krlogin auth required pam_unix_auth.so.1
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_cred.so.1
    # Kerberized rsh service
    krsh auth required pam_unix_cred.so.1
    krsh auth binding pam_krb5.so.1
    krsh auth required pam_unix_auth.so.1
    # Kerberized telnet service
    ktelnet auth required pam_unix_cred.so.1
    ktelnet auth binding pam_krb5.so.1
    ktelnet auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_unix_cred.so.1
    ppp auth required pam_unix_auth.so.1
    ppp auth required pam_dial_auth.so.1
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authentication
    other auth requisite pam_authtok_get.so.1
    other auth required pam_unix_cred.so.1
    other auth sufficient pam_unix_auth.so.1
    other auth sufficient pam_krb5.so.1 nowarn
    other auth sufficient pam_ldap.so.1
    # passwd command (explicit because of a different authentication module)
    passwd auth sufficient pam_passwd_auth.so.1
    passwd auth sufficient pam_ldap.so.1
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    passwd account sufficient pam_unix_account.so.1
    passwd account sufficient pam_ldap.so.1
    other account sufficient pam_unix_account.so.1
    other account sufficient pam_ldap.so.1
    other account sufficient pam_krb5.so.1 nowarn
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session sufficient pam_unix_session.so.1
    other session sufficient pam_ldap.so.1
    other session sufficient pam_krb5.so.1 nowarn
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password requisite pam_authtok_get.so.1
    other password requisite pam_authtok_check.so.1
    other password required pam_authtok_store.so.1
    Thanks a million in advance for any insight!
    ciao, erich

    It turns out that in Solaris 8, the Kerberos installed does not support TCP. By default Kerberos tickets are issued by the KDC via UDP until the packet size reaches a maximum. Once the max is exceeded, the KDC switches to TCP.
    Since Solaris 8 Kerberos doesn't support TCP, you get an error executing kinit:
    kinit: KRB5 error code 52 while getting initial credentials
    So to mitigate, I'm looking at incorporating a version of Kerberos that does support switching to TCP (v1.4.1 or greater I believe).
