Sudo + pam + ldap
Hello All
We are in the process of migrating to LDAP.
Right now I have a DSEE 6.1 using sasl/digest-md5 as the authentication mechanism.
Sudo 1.6.8p12 is installed and was working until I moved all the local users to DS.
When I try to sudo, it asks me for a password three times and then drops out, stating that the password is invalid.
But, at the same time, I'm able to authenticate using ssh.
Any ideas?
This is still an issue.
Using the same pam.conf from Solaris 8 and 9 on a Solaris 10 system does not result in the same behaviour.
I can log in to the system, but when using sudo I get the following message:
$ sudo su -
Password:
su: unable to set credentials
My /etc/pam.conf looks like:
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass debug
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth binding pam_unix_auth.so.1 server_policy
dtlogin auth required pam_ldap.so.1 use_first_pass debug
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1 use_first_pass debug
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 use_first_pass debug
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth binding pam_unix_auth.so.1 server_policy
dtsession auth required pam_ldap.so.1 debug
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
passwd auth binding pam_passwd_auth.so.1 debug server_policy
passwd auth required pam_ldap.so.1 try_first_pass debug
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account binding pam_unix_account.so.1 server_policy
loign account required pam_ldap.so.1 debug
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account binding pam_unix_account.so.1 server_policy
dtlogin account required pam_ldap.so.1 debug
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1 server_policy
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
ppp session required pam_unix_session.so.1
other session required pam_unix_session.so.1
other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password sufficient pam_authtok_store.so.1 server_policy debug
other password required pam_ldap.so.1 debug
Any ideas?
Similar Messages
Sudo with LDAP NetGroups Solaris 10
Hi All,
Can someone describe to me the steps to configure sudoers to work with LDAP NetGroups on Solaris 10?
I am using "sudo 1.7.2p6" right now.
I am able to authenticate using the Netgroups, but not able to use sudo.
Thanks,
DD
I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against a DS5.2 server.
I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
Can you provide the following details?
1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
4) Content of /var/ldap/ldap_client_file.
5) Content of /etc/ldap.conf, you should have this file.
6) Sample ldif showing some sudoRole entries in LDAP
7) Can you perform these commands?
ldaplist -l sudoers
ldaplist -l sudoers root
ldaplist -l sudoers some_sudoRole
8) Content of /etc/pam.conf
9) Any other relevant details, like err in /var/adm/messages.
Gary
[SOLVED] sudo doesnt work
Hi guys,
I'm having the strangest issues since my last installation of archlinux. First I could not log in to any tty (after entering the username, nothing happened). I could solve that by installing the util-linux package. Now I cannot use sudo.
The user is in the group wheel (which is uncommented in sudoers). I have changed nothing in the sudoers file, here's the content:
## sudoers file.
## This file MUST be edited with the 'visudo' command as root.
## Failure to use 'visudo' may result in syntax or file permission errors
## that prevent sudo from running.
## See the sudoers man page for the details on how to write a sudoers file.
## Host alias specification
## Groups of machines. These may include host names (optionally with wildcards),
## IP addresses, network numbers or netgroups.
# Host_Alias WEBSERVERS = www1, www2, www3
## User alias specification
## Groups of users. These may consist of user names, uids, Unix groups,
## or netgroups.
# User_Alias ADMINS = millert, dowdy, mikef
## Cmnd alias specification
## Groups of commands. Often used to group related commands together.
# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
# /usr/bin/pkill, /usr/bin/top
## Defaults specification
## You may wish to keep some of the following environment variables
## when running commands via sudo.
## Locale settings
# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
## Run X applications through sudo; HOME is used to find the
## .Xauthority file. Note that other programs use HOME to find
## configuration files and this may lead to privilege escalation!
# Defaults env_keep += "HOME"
## X11 resource path settings
# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
## Desktop path settings
# Defaults env_keep += "QTDIR KDEDIR"
## Allow sudo-run commands to inherit the callers' ConsoleKit session
# Defaults env_keep += "XDG_SESSION_COOKIE"
## Uncomment to enable special input methods. Care should be taken as
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
## Uncomment to enable logging of a command's output, except for
## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!/sbin/reboot !log_output
## Runas alias specification
## User privilege specification
root ALL=(ALL) ALL
## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL) NOPASSWD: ALL
## Uncomment to allow members of group sudo to execute any command
# %sudo ALL=(ALL) ALL
## Uncomment to allow any user to run sudo if they know the password
## of the user they are running the command as (root by default).
# Defaults targetpw # Ask for the password of the target user
# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
## Read drop-in files from /etc/sudoers.d
## (the '#' here does not indicate a comment)
#includedir /etc/sudoers.d
In the auth.log there are following lines which seem to be important:
Jul 12 13:46:18 localhost sudo: PAM _pam_init_handlers: no default config /etc/pam.d/other
Jul 12 13:46:21 localhost sudo: PAM no modules loaded for `sudo' service
Jul 12 13:46:22 localhost sudo: pam_unix(sudo:auth): conversation failed
Jul 12 13:46:22 localhost sudo: pam_unix(sudo:auth): auth could not identify password for [archUser]
Jul 12 13:46:22 localhost sudo: archUser: 1 incorrect password attempt ; TTY=pts/2 ; PWD=/home/archUser; USER=root ; COMMAND=/usr/bin/pacman -Syyuu
So I looked up the content of /etc/pam.d/sudo:
root@arch /etc/pam.d # cat sudo
#%PAM-1.0
auth required pam_unix.so
auth required pam_nologin.so
The files pam_unix.so and pam_nologin.so are both saved in /usr/lib/security.
I noticed that if I enter the password wrong, I need to wait one or two seconds before I can try it again (this behaviour seems to be normal). But when I enter the password correctly, there is no waiting time and I can enter the password again.
I have no idea what to do and hope that anyone can help me to use sudo again.
4 years ago, after installing archlinux the first time, I had not a single error. Everything worked just fine but now I get two errors at once after the installation!
--blackdeagle
Last edited by blackdeagle (2012-07-12 14:05:53)
blackdeagle wrote:
65kid wrote:
blackdeagle wrote:
Please stay away from my thread! I don't need people like you telling me to search the forums and which parameters I can use and which not!
seriously? it is stated in multiple news, the wiki and in about every third forum thread that you shouldn't use force unless you know exactly what you are doing or you are explicitly told to use it. I don't blame you that you didn't notice this, a lot of people don't (unfortunately). But when people correct you and want to help you are like "whatever, I do what I want! go away!" ???
And what do you think the search function is for?
Please stay away from Arch... geez...
Come on, do you seriously think you are the only one using the search function? Show me some threads with the solution for my issue!
https://bbs.archlinux.org/viewtopic.php?id=143335
https://bbs.archlinux.org/viewtopic.php?id=144079
https://bbs.archlinux.org/viewtopic.php?id=143487
https://bbs.archlinux.org/viewtopic.php?id=142729
https://bbs.archlinux.org/viewtopic.php?id=142720
https://bbs.archlinux.org/viewtopic.php?id=142941
https://bbs.archlinux.org/viewtopic.php?id=144599
Able to su from root to ldap accounts but account passwords come back as incorrect otherwise?
Hi,
I've installed DSEE 11.1.1.7.2 and I set up a few test ldap clients: Solaris 10, Solaris 11, and Oracle Linux. From root on any of these boxes I can su to the ldap accounts, but if I try to ssh or su - from one test account to another I get an incorrect password.
I also have a test Sun 7.0 Directory Server running and using the same Solaris 10 client I can do a ldapinit to it and authenticate fine with the test accounts. I'm using the same scripts to create accounts and passwords on both versions. I looked through the default password policies between the two and don't see any differences and I'm not getting anything showing up in the logs. Has anyone seen this type of issue before?
Thanks
Hello,
This post http://serverfault.com/questions/576265/solaris-pam-ldap-authentication-using-sshd-kbdint-and-failing might be useful.
-Sylvain
UNIX pam authentication doesn't work anymore for SGD 4.20-984
In SGD 4.20 the UNIX/PAM/LDAP authentication doesn't work anymore.
After login into tarantella "Invalid Credentials" appears.
SGD is configured to authenticate UNIX users. In UNIX - PAM/LDAP is working properly:
"getent passwd" shows all LDAP users and login with LDAP-Accounts via ssh is possible as well.
Does somebody know what is wrong?
Hi
thanks for the quick answer.
Here the output of "tarantella config list |grep login":
login-ad-base-domain: ""
login-ad-default-domain: ""
login-ad: 0
login-anon: 0
login-ens: 1
login-ldap-url: ldap://ts2ldasv001
login-ldap: 0
login-mapped: 0
login-nt-domain: ""
login-nt: 0
login-securid: 0
login-theme: sco/tta/standard
login-thirdparty-superusers: sgd_trusted_user
login-thirdparty: 0
login-unix-group: 0
login-unix-user: 1
login-web-ens: 0
login-web-ldap-ens: 0
login-web-ldap-profile: 0
login-web-profile: 0
login-web-tokenvalidity: 180
login-web-user: ttaserv
server-login: enabled
We activated just UNIX users authentication.
I also tried pwconv without success...
Fingerprint sudo and su authentication on Thinkpad E430
I have followed the tutorial on the Arch Wiki (https://wiki.archlinux.org/index.php/Fingerprint-gui) to enable fingerprint authentication using the fingerprint-gui, changing the files /etc/pam.d/sudo and /etc/pam.d/su as described.
su is working fine with fingerprint, however when I try to use sudo, first it prompts for a password, like this:
"Password:"
Then if you type anything, it asks for the real password:
"[sudo] password for eric:"
I can't understand why su works fine and sudo does not. My files look like this:
/etc/pam.d/su
#%PAM-1.0
auth sufficient pam_rootok.so
auth sufficient pam_fingerprint-gui.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
/etc/pam.d/sudo
#%PAM-1.0
auth sufficient pam_fingerprint-gui.so
auth required pam_unix.so
auth required pam_nologin.so
Any idea of what could be going on?
I am not sure about how it acts with the new versions of sudo. But I wrote that page. The information I pulled from is here:
http://www.n-view.net/Appliance/fingerp … anual.html
I did get it working on my machine, but I noticed that when I would use sudo, it would ask me for a password while simultaneously asking for a swipe. If I chose to use my keyboard, it would kill the fingerprint dialog box and then ask for my sudo password again. Is this what you are saying that it is doing?
I didn't find a workaround for that because, honestly, I found the fingerprint reader really annoying to use. I guess just having to take my hands off the keyboard to do that just seemed to me like a hassle. I think one spot where it would be pretty good though is for your login manager. Unfortunately, I don't use one of those either....
I think the reason why I put the work into figuring out how to get it to work is because I wanted to see if I could get all the stuff working on my machine. I guess you have probably found my E430 page as well, and I did indeed finally get everything working.
BTW, what kind of wifi card did your machine come with? Does it use the rtl8192ce module? If so, good luck! (I can help you with that if you need)
Error Message in log when creating DBReporting
Hi Folks,
After executing the script (runtetl.bat) to complete the P6 Reporting Database, the following message appears in the log (something seems to be wrong in the project):
<04.29.2011 11:53:56> transform [INFO] (Progress) - Processed 20.0% of WBS objects
<04.29.2011 11:54:02> transform [WARN] (Message) - Spread loading thread 2: There was a problem processing a record for the ACTIVITYSPREAD table : NumberFormatException -- For input string: "00 AM"
Object Identifier: ACTIVITYSPREAD Project CXRS Draft (Glenn Counsell) (EU55 - CXRS GC)
Primary Key(s): 19797
<04.29.2011 11:54:02> transform [ERROR] (Message) - Spread loading thread 2: ERROR FOR ACTIVITYSPREAD
java.lang.NumberFormatException: For input string: "00 AM"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
at java.lang.Integer.parseInt(Integer.java:458)
at java.lang.Integer.parseInt(Integer.java:499)
Similar message appears after referring to calendar
<04.29.2011 11:56:24> transform [INFO] (Progress) - Processed 100.0% of PROJECTRESOURCE objects
<04.29.2011 11:56:44> transform [WARN] (Message) - There was a problem processing a record for the CALENDAR table : DAODataAccessFailure -- NumberFormatException -- For input string: "00 AM"
Object Identifier: CALENDAR Standard
Primary Key(s): 8473
<04.29.2011 11:56:44> transform [INFO] (Message) - ERROR FOR CALENDAR
com.primavera.er.stage.dao.BaseDAO$DAODataAccessFailure: NumberFormatException -- For input string: "00 AM"
at com.primavera.er.stage.dao.CalendarDAO.retrieveBusinessObject(Unknown Source)
at com.primavera.er.stage.dao.CalendarDAO.a(Unknown Source)
at com.primavera.er.stage.dao.CalendarDAO.updateVirtualFieldsForFullLoad(Unknown Source)
at com.primavera.er.stage.dao.BaseGlobalContextDAO.updateVirtualFields(Unknown Source)
at com.primavera.er.stage.dao.BaseAPIDAO.updateVirtualFields(Unknown Source)
at com.primavera.er.stage.client.ETLProcess$FullApiETLProcessor.a(Unknown Source)
at com.primavera.er.stage.client.ETLProcess$ETLLoadProcessor$1.run(Unknown Source)
Original Exception:
java.lang.NumberFormatException: For input string: "00 AM"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
at java.lang.Integer.parseInt(Integer.java:458)
at java.lang.Integer.parseInt(Integer.java:499)
at com.primavera.infr.calendar.CalendarUtil.a(CalendarUt
and another one referring a wbs
<04.29.2011 13:39:01> transform [WARN] (Message) - There was a problem processing a record for the ACTIVITY table : DAODataAccessFailure -- NumberFormatException -- For input string: "00 AM"
Object Identifier: ACTIVITY > FDR CXRS port plug components complete in wbs F in project with id 19797
Primary Key(s): 411986
<04.29.2011 13:39:01> transform [INFO] (Message) - ERROR FOR ACTIVITY
com.primavera.er.stage.dao.BaseDAO$DAODataAccessFailure: NumberFormatException -- For input string: "00 AM"
at com.primavera.er.stage.dao.ActivityDAO.retrieveBusinessObject(Unknown Source)
at com.primavera.er.stage.dao.ActivityDAO.retrieveBusinessObject(Unknown Source)
at com.primavera.er.stage.dao.BaseProjectContextDAO.doUpdateVirtualFieldsPerProjectsInErrorRecoveryMode(Unknown Source)
at com.primavera.er.stage.dao.BaseProjectContextDAO.updateVirtualFieldsPerProject(Unknown Source)
at com.primavera.er.stage.dao.BaseProjectContextDAO.updateVirtualFields(Unknown Source)
at com.primavera.er.stage.dao.BaseAPIDAO.updateVirtualFields(Unknown Source)
at com.primavera.er.stage.client.ETLProcess$FullApiETLProcessor.a(Unknown Source)
at com.primavera.er.stage.client.ETLProcess$ETLLoadProcessor$1.run(Unknown Source)
Original Exception:
java.lang.NumberFormatException: For input string: "00 AM"
at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
at java.lang.Integer.parseInt(Integer.java:458)
at java.lang.Integer.parseInt(Integer.java:499)
at com.primavera.infr.calendar.CalendarUtil.a(CalendarUtil.java:1686)
at com.primavera.infr.calendar.CalendarUtil.parseCalendarData(CalendarUtil.java:1605)
at com.primavera.bo.rules.calc.BOCalendarCE.a(BOCalendarCE.java:164)
at com.primavera.bo.rules.calc.BOCalendarCE.calc_DailyWorkTime(BOCalendarCE.java:58)
Fortunately these errors do not interrupt the ETL processes, but do you have any idea how to fix them?
Hi
Is the Server Standalone? If so run this command
sudo changeip - 10.31.3.135 10.31.3.135 KNWS3135 KNWS3135.ad.ewsad.net
enter the password when prompted and restart the server.
If the Server is an Open Directory Master issue this command:
sudo changeip /LDAP/127.0.0.1 10.31.3.135 10.31.3.135 KNWS3135 KNWS3135.ad.ewsad.net
enter the password when prompted and restart the server.
Before you do this can I ask if the DNS Service is being provided by an Active Directory Domain Controller? In other words a Windows Server. If it is and the Windows System Admin has created a DNS entry for your server then make sure there is a Reverse Pointer entry for your server. Make sure the Windows System Admin uses the KNWS3135.ad.esad.net as the FQDN (fully qualified domain name). Enter the AD Server’s IP address as the Primary IP Address in the DNS Server Field on your server and then issue this command:
host KNWS3135.ad.ewsad.net
You should see something like this:
KNWS3135.ad.ewsad.net has address 10.31.3.135
follow this with:
host 10.31.3.135
You should see something like this:
135.3.31.10.in-addr.arpa domain name pointer KNWS3135.ad.ewsad.net.
If you are seeing this after you have made sure the Windows System Admin has created the relevant PTR entry for your server then issue the changeip command again:
sudo changeip -checkhostname
This time it should report 'the names match there is nothing to change'
Hope this helps, Tony
Sol9 X86 copy mini root / nothing happens
Hi there,
I installed Sol9 X86 on a Dual-Xeon. Solaris 8 worked fine. This is what happened:
Copying mini-root to local disk.# \
First I "hear" that something is being copied to disk, but then the slash rotates and nothing more happens.
Any idea or experience?
Heiko
Hi J.,
You are right. I would say ... this is really buggy. Sure, with Disk 2 I can install the system. But now it doesn't boot anymore. Now /etc/bootrc can't be found. First I thought there was something wrong with the devices. But the devices seem to be ok. I can install Solaris 8 without any problems, even from the installation disk.
I paid 20$ for the download. I can't accept that I can't change the OS to a new release. I don't need functionality like browsing web, or some unnecessary playground. I need a system that I can install without compiling a kernel. I don't want to think about hardware problems. I also plan to buy the workgroup licenses.
Maybe you will ask why I use X86? I have 6 powerful Xeon systems. I want to use the new pam-ldap modules.
I wonder whether it is my job to check the startinstall and dependent scripts, or what is going wrong inside the installation.
So, what should I do? In one week I have to present the new company infrastructure. Should I kick Solaris?
I am really disappointed and angry (not to you, but on the product).
Do you have an idea?
I will post this also in a single thread.
Thanks for your help.
Heiko
Parallelize user creation/update
I'm managing an IDM installation where I have a resource group of about 30 servers (and counting), and whenever I need to create a new user on all of these or simply update a user, it takes forever to finish. It seems that IDM doesn't take advantage of an obvious chance to parallelize this task and instead sequentially logs on to server 1, makes the update, then logs in to server 2, makes the update, and so on...
With our 30 servers, an update (or simply a status check on where a user has accounts) sometimes takes over 2 minutes. Many of the updates are run using shell-script adapters, as there are no native adapters for these OSs (Linux and FreeBSD), and these shell adapters seem to run slower than standard Java adapters.
Is there something that can be done to make IDM work in parallel and not serially? (IDM 7)
Hej Thomas,
there are three things that come to my mind reading your question:
1) In waveset.properties there is a setting provisioner.maxThreads; increasing this might increase the parallel handling of accounts for you. I say might because I assume that quite a few settings in waveset.properties don't do anything at all and remain there for legacy reasons.
2) If you are dealing with an environment where people tend to have dozens or hundreds of accounts of a similar type (a project about Unix admins or programmers), the right answer might be to point out things like PAM LDAP.
3) If the IDM solution has to fetch 100 accounts from 100 servers deployed from Azerbaijan to Zimbabwe, this cannot be done online within a reasonable time. You need to think about a way of automating this with scripts deployed on the servers.
Regards,
Patrick
Solaris 10 + pam + DSEE6.1 + su/sudo
Hello All
We are deploying a new LDAP infrastructure and I have been struggling with Sun JES DSEE6.1/6.0 for the last months. After a long battle, I have Solaris 8 and 9 boxes authenticating against an LDAP server. Solaris 10 is partially working with LDAP but I have a very strange behavior.
The same pam.conf is in use in all three servers but Solaris 10 is presenting the following problem:
[SunOS 5.10/bash] p661210@wgls01:/export/home/p661210
$ sudo su -
Password:
su: unable to set credentials
[SunOS 5.10/bash] p661210@wgls01:/export/home/p661210
$ su -
Password:
su: Sorry
[SunOS 5.10/bash] p661210@wgls01:/export/home/p661210
$ su -
Password:
su: Sorry
The same pam.conf (below) is in use for all servers and only Solaris 10 has problems:
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass debug
dtlogin auth requisite pam_authtok_get.so.1
dtlogin auth required pam_dhkeys.so.1
dtlogin auth binding pam_unix_auth.so.1 server_policy
dtlogin auth required pam_ldap.so.1 use_first_pass debug
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth binding pam_unix_auth.so.1 server_policy
rsh auth required pam_ldap.so.1 use_first_pass debug
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_dial_auth.so.1
ppp auth required pam_ldap.so.1 use_first_pass debug
dtsession auth requisite pam_authtok_get.so.1
dtsession auth required pam_dhkeys.so.1
dtsession auth binding pam_unix_auth.so.1 server_policy
dtsession auth required pam_ldap.so.1 debug
other auth requisite pam_authtok_get.so.1 debug
other auth sufficient pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
passwd auth binding pam_passwd_auth.so.1 debug server_policy
passwd auth required pam_ldap.so.1 try_first_pass debug
login account requisite pam_roles.so.1
login account required pam_projects.so.1
login account binding pam_unix_account.so.1 server_policy
loign account required pam_ldap.so.1 debug
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
dtlogin account requisite pam_roles.so.1
dtlogin account required pam_projects.so.1
dtlogin account binding pam_unix_account.so.1 server_policy
dtlogin account required pam_ldap.so.1 debug
ppp account requisite pam_roles.so.1
ppp account required pam_projects.so.1
ppp account required pam_unix_account.so.1 server_policy
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1 debug
ppp session required pam_unix_session.so.1
other session required pam_unix_session.so.1
other session required pam_mkhomedir.so.1 skel=/etc/skel umask=0022
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password sufficient pam_authtok_store.so.1 server_policy debug
other password required pam_ldap.so.1 debug
Any ideas?
Problem fixed.
Solaris 10 requires a different pam.conf. Every entry of the form
login auth binding pam_unix_auth.so.1 server_policy
must be replaced by
login auth binding pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy
PS: The "login" needs to be replaced by the correct service name.
Andreas
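A small lint for the one-file Solaris pam.conf format, written as an added example for this thread (it is not code from the poster or from Sun). It parses the service / module-type / control-flag / module / options columns, reports auth stacks that use pam_unix_auth.so.1 without a preceding pam_unix_cred.so.1 (the Solaris 10 fix described above), flags service names that look like a letter-order typo of another service (the posted file has a "loign" account line), and emits a corrected file; SAMPLE_CONF is constructed from the lines posted above.

```python
"""Lint a Solaris pam.conf against the Solaris 10 pam_unix_cred requirement."""
from collections import defaultdict
from typing import List, NamedTuple, Tuple

# Constructed excerpt of the poster's Solaris 8/9-style pam.conf. The "other"
# stack is already in the Solaris 10 form so the two cases can be compared.
SAMPLE_CONF = """\
# constructed sample, not a complete pam.conf
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
login account binding pam_unix_account.so.1 server_policy
loign account required pam_ldap.so.1 debug
other auth requisite pam_authtok_get.so.1 debug
other auth binding pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
"""

UNIX_AUTH = "pam_unix_auth.so.1"
UNIX_CRED = "pam_unix_cred.so.1"


class PamLine(NamedTuple):
    service: str
    module_type: str   # auth | account | session | password
    control: str       # requisite | required | binding | sufficient | optional
    module: str
    options: Tuple[str, ...]


def parse_pam_conf(text: str) -> List[PamLine]:
    """Parse pam.conf, dropping comments and blank lines; four columns are mandatory."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, module_type, control, module = fields[:4]
        entries.append(PamLine(service, module_type, control, module, tuple(fields[4:])))
    return entries


def check_unix_cred(entries: List[PamLine]) -> List[str]:
    """Every auth stack that calls pam_unix_auth must call pam_unix_cred before it."""
    stacks = defaultdict(list)
    for e in entries:
        if e.module_type == "auth":
            stacks[e.service].append(e.module)
    problems = []
    for service, modules in stacks.items():
        if UNIX_AUTH not in modules:
            continue
        if UNIX_CRED not in modules:
            problems.append(f"{service}: auth stack uses {UNIX_AUTH} without {UNIX_CRED}")
        elif modules.index(UNIX_CRED) > modules.index(UNIX_AUTH):
            problems.append(f"{service}: {UNIX_CRED} must come before {UNIX_AUTH}")
    return problems


def check_service_typos(entries: List[PamLine]) -> List[str]:
    """Flag pairs of service names that are anagrams of each other (e.g. login/loign)."""
    names = sorted({e.service for e in entries})
    problems = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if len(a) == len(b) and sorted(a) == sorted(b):
                problems.append(
                    f"service names '{a}' and '{b}' differ only in letter order; "
                    "one is probably a typo")
    return problems


def fix_unix_cred(text: str) -> str:
    """Insert the pam_unix_cred line the thread describes before each bare pam_unix_auth."""
    have_cred = {e.service for e in parse_pam_conf(text)
                 if e.module_type == "auth" and e.module == UNIX_CRED}
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 4 and fields[1] == "auth" and fields[3] == UNIX_AUTH
                and fields[0] not in have_cred):
            # Control flag "binding" mirrors the fix posted in the thread.
            out.append(f"{fields[0]} auth binding {UNIX_CRED}")
            have_cred.add(fields[0])
        out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_CONF)
    for problem in check_unix_cred(entries) + check_service_typos(entries):
        print("WARN", problem)
    print(fix_unix_cred(SAMPLE_CONF))
```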
Pam.conf does not use ldap for password length check when changing passwd
I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
I have dsee 6.0 installed on a solaris 10 server (client).
I have a solaris 9 server (server) set up to use ldap authentication.
bash-2.05# cat /var/ldap/ldap_client_file
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= X, Y
NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
NS_LDAP_BIND_TIME= 10
bash-2.05# cat /var/ldap/ldap_client_cred
# Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
bash-2.05# cat /etc/nsswitch.conf
# /etc/nsswitch.ldap:
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files dns
ipnodes: files
# Uncomment the following line and comment out the above to resolve
# both IPv4 and IPv6 addresses from the ipnodes databases. Note that
# IPv4 addresses are searched in all of the ipnodes databases before
# searching the hosts databases. Before turning this option on, consult
# the Network Administration Guide for more details on using IPv6.
#ipnodes: ldap [NOTFOUND=return] files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: ldap
automount: files ldap
aliases: files ldap
# for efficient getservbyname() avoid ldap
services: files ldap
sendmailvars: files
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap
bash-2.05# cat /etc/pam.conf
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# PAM configuration
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
# Authentication management
# login service (explicit because of pam_dial_auth)
login auth requisite pam_authtok_get.so.1 debug
login auth required pam_dhkeys.so.1 debug
login auth required pam_dial_auth.so.1 debug
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
# rlogin service (explicit because of pam_rhost_auth)
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_auth.so.1
# PPP service (explicit because of pam_dial_auth)
ppp auth requisite pam_authtok_get.so.1
ppp auth required pam_dhkeys.so.1
ppp auth required pam_dial_auth.so.1
ppp auth binding pam_unix_auth.so.1 server_policy
ppp auth required pam_ldap.so.1 use_first_pass
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
other auth requisite pam_authtok_get.so.1 debug
other auth required pam_dhkeys.so.1 debug
other auth binding pam_unix_auth.so.1 server_policy debug
other auth required pam_ldap.so.1 use_first_pass debug
# passwd command (explicit because of a different authentication module)
passwd auth binding pam_passwd_auth.so.1 server_policy debug
passwd auth required pam_ldap.so.1 use_first_pass debug
# cron service (explicit because of non-usage of pam_roles.so.1)
cron account required pam_projects.so.1
cron account required pam_unix_account.so.1
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
other account requisite pam_roles.so.1 debug
other account required pam_projects.so.1 debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
other session required pam_unix_session.so.1
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
other password required pam_dhkeys.so.1 debug
other password requisite pam_authtok_get.so.1 debug
other password requisite pam_authtok_check.so.1 debug
other password required pam_authtok_store.so.1 server_policy debug
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#rlogin auth optional pam_krb5.so.1 try_first_pass
#login auth optional pam_krb5.so.1 try_first_pass
#other auth optional pam_krb5.so.1 try_first_pass
#cron account optional pam_krb5.so.1
#other account optional pam_krb5.so.1
#other session optional pam_krb5.so.1
#other password optional pam_krb5.so.1 try_first_pass
I can ssh into the client with user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
If I then try to change the password with the `passwd` command, it does not use the password policy on the directory server but the default defined in /etc/default/passwd.
bash-2.05$ passwd
passwd: Changing password for VV
Enter existing login password:
New Password:
passwd: Password too short - must be at least 8 characters.
Please try again
May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
I am using the default policy on the directory server which states a minimum password length of 6 characters.
server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
pwd-accept-hashed-pwd-enabled : N/A
pwd-check-enabled : off
pwd-compat-mode : DS6-mode
pwd-expire-no-warning-enabled : on
pwd-expire-warning-delay : 1d
pwd-failure-count-interval : 10m
pwd-grace-login-limit : disabled
pwd-keep-last-auth-time-enabled : off
pwd-lockout-duration : disabled
pwd-lockout-enabled : off
pwd-lockout-repl-priority-enabled : on
pwd-max-age : disabled
pwd-max-failure-count : 3
pwd-max-history-count : disabled
pwd-min-age : disabled
pwd-min-length : 6
pwd-mod-gen-length : 6
pwd-must-change-enabled : off
pwd-root-dn-bypass-enabled : off
pwd-safe-modify-enabled : off
pwd-storage-scheme : CRYPT
pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
pwd-strong-check-enabled : off
pwd-strong-check-require-charset : lower
pwd-strong-check-require-charset : upper
pwd-strong-check-require-charset : digit
pwd-strong-check-require-charset : special
pwd-supported-storage-scheme : CRYPT
pwd-supported-storage-scheme : SHA
pwd-supported-storage-scheme : SSHA
pwd-supported-storage-scheme : NS-MTA-MD5
pwd-supported-storage-scheme : CLEAR
pwd-user-change-enabled : off
Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the line `pam_authtok_check: minimum length from /etc/default/passwd: 8`. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 with password compatibility in ds6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for Solaris 9?
Edited by: ericduggan on Sep 8, 2008 5:30 AM
you can try passwd -r ldap for changing the ldap passwds...
-
Authentication ldap, pam.d on Solaris 11
Hi,
I tested ldap authentication on Solaris 11 and I didn't succeed in ssh connection.
I succeed in viewing ldap users (getent passwd) and I modified /etc/pam.d/login other and passwd
with "auth required pam_ldap
Hi,
Try to change the following two files: /etc/pam.d/login and /etc/pam.d/other
Change the line that states:
auth required pam_unix_auth.so.1
to
auth binding pam_unix_auth.so.1 server_policy
auth required pam_ldap.so.1
Did you also check the attribute mapping for the LDAP client?
svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
what does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber which I manually set to the last part of the objectSID property to keep it unique within the domain.
Kind regards,
Lambert
-
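A small linter for the two stack problems quoted in this thread: the `illegal option no_pass` that the earlier /var/adm/messages excerpt logs for the pam_ldap account line, and the `auth required pam_unix_auth.so.1` line that Lambert's reply changes to `binding ... server_policy` followed by pam_ldap. This is an added example, not the posters' or Oracle's code; the two sample stacks are constructed from the configurations in the thread, and the use_first_pass check is an extra rule based on pam_ldap's documented option.

```python
# Constructed samples (not the thread's own files): a pam.conf excerpt with the
# service column, and a Solaris 11 /etc/pam.d/login excerpt without it.
PAM_CONF = """\
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
other account binding pam_unix_account.so.1 server_policy debug
other account required pam_ldap.so.1 no_pass debug
"""
PAM_D_LOGIN = """\
auth requisite pam_authtok_get.so.1
auth required pam_unix_auth.so.1
auth required pam_ldap.so.1
"""

def parse_stack(text, service=None):
    """Return (service, type, control, module, options) tuples; pass `service` for a pam.d file."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()      # drop comments and blank lines
        svc = service
        if service is None and fields:              # pam.conf: service name is the first field
            svc, fields = fields[0], fields[1:]
        if len(fields) >= 3:
            entries.append((svc, fields[0], fields[1], fields[2], fields[3:]))
    return entries

def lint(entries):
    """Return a list of findings for the stack mistakes discussed in the thread."""
    findings, stacks = [], {}
    for e in entries:                               # group lines by (service, management type)
        stacks.setdefault((e[0], e[1]), []).append(e)
    for (svc, typ), stack in stacks.items():
        mods = [e[3] for e in stack]
        for i, (_, _, ctrl, mod, opts) in enumerate(stack):
            if (typ == "auth" and mod == "pam_unix_auth.so.1" and "pam_ldap.so.1" in mods[i + 1:]
                    and (ctrl != "binding" or "server_policy" not in opts)):
                findings.append(f"{svc} auth: pam_unix_auth.so.1 needs 'binding ... server_policy' "
                                "so LDAP-only users fall through to pam_ldap")
            if (typ == "auth" and mod == "pam_ldap.so.1" and "pam_unix_auth.so.1" in mods[:i]
                    and not {"use_first_pass", "try_first_pass"} & set(opts)):
                findings.append(f"{svc} auth: pam_ldap.so.1 lacks use_first_pass, so it prompts again")
            if typ == "account" and mod == "pam_ldap.so.1" and "no_pass" in opts:
                findings.append(f"{svc} account: pam_ldap.so.1 rejects no_pass "
                                "(syslog shows 'illegal option no_pass')")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_stack(PAM_CONF)) + lint(parse_stack(PAM_D_LOGIN, "login")):
        print(finding)
```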
Hi
I'm trying to get ssh working with ldap clients on Solaris 10. I have managed to configure the client so I can query the DS using ldaplist -l passwd and group, but now I'm scratching my head a little with the ssh/pam.conf side of things.
The goal is to have *NP in the password field for all users and use ssh-agents for authentication. User account info and RBAC data is held in ldap. SSH-ing into a host configured as an ldap client gets me this far, from the sshd output on the host I'm connecting to:
Found matching DSA key: 21:98:d1:9d:dd:d4:72:9d:c2:a5:20:40:16:27:4c:a9
debug1: restore_uid: 0/0
debug1: ssh_dss_verify: signature correct
debug2: Starting PAM service sshd-pubkey for method publickey
debug3: Trying to reverse map address 10.3.52.128.
debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
Failed publickey for asilc from 10.3.52.128 port 1966 ssh2
debug1: userauth-request for user asilc service ssh-connection method keyboard-interactive
debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs
Failed keyboard-interactive for user from 10.3.52.128 port 2109 ssh2
Received disconnect from 10.3.52.128: 14: No supported authentication methods available
Then I'm kicked out as there's nothing left to do. It looks as if the key is accepted, but I think something in my PAM stack then kicks me out.
The debug for PAM gives me:
Jun 8 11:11:21 donatello sshd[5653]: [ID 206471 auth.debug] PAM[5653]: pam_acct_mgmt(80cbfa0, 0): error No account present for user
Jun 8 11:11:21 donatello sshd[5653]: [ID 737214 auth.debug] PAM[5653]: pam_set_item(80cbfa0:authtok)
Jun 8 11:11:26 donatello sshd[5653]: [ID 737214 auth.debug] PAM[5653]: pam_set_item(80cbfa0:conv)
Jun 8 11:11:26 donatello sshd[5653]: [ID 159459 auth.debug] PAM[5653]: pam_end(80cbfa0): status = No account present for user
the ssh lines in my pam.conf:
sshd account binding pam_ldap.so.1 debug
sshd password sufficient pam_ldap.so.1 debug
Lines in sshd_config:
PasswordAuthentication no
PermitEmptyPasswords no
PAMAuthenticationViaKBDInt no
Can anyone help point me in the right direction?
Do you see anything in your directory server access log? If not, there's probably something wrong on the sshd host.
Do you have the latest available patches for pam_ldap?
Are you sure of your pam stack configuration (check this: http://download.oracle.com/docs/cd/E18752_01/html/816-4556/schemas-111.html)
-
Using PAM for LDAP authentication
Good Day All,
I want to know how I can use PAM to enable users to authenticate to my Solaris 9 box using an existing LDAP server. I would appreciate it if the explanation is simpler and more detailed, as I am new to this stuff. Also, is there any other means, like an open source solution, so that users can use a centralized authentication server and gain access to a Solaris box without going for the local /etc/passwd and /etc/shadow files?
It depends on what LDAP Server you used.
The steps are more than just the pam_ldap configuration.
You may find the following how-to useful or not at all.
http://web.singnet.com.sg/~garyttt/
HTH
Gary
-
Help with extending schema for redhat ldap sudo integration.
Hi all,
I've done LDAP administration for a few years, but I'm new to Directory Server and I'm a bit stuck. I want to apply a custom schema and allow sudoers on our CentOS (Redhat) Linux servers. They're authenticating correctly, but I can't get sudoers to work. I've followed this documentation to update my schema.
http://kbase.redhat.com/faq/docs/DOC-2057
I'm having issues with the step that creates the SUDOers group as the following.
dn: ou=SUDOers,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: SUDOers
I want to make administration easy via the Workgroup manager so I don't have to manually add users to this group via ldif files. When I create a sudoers group via the workgroup manager, I get this dn
cn=sudoers,cn=groups,dc=spidertracks,dc=local
As you can see, it's a cn, not an ou. Furthermore, how do I get the defaults in the sudoer's group so that redhat recognizes the setup, but users can be assigned via the workgroup manager?
Thanks,
Todd
Anyways, I've created an LDIF for Active Directory with these attributes and object classes.
Don't really know if this is needed inside AD or not.
If anyone wants these LDIFs for some reason, drop me a line. Keep in mind that they are a work in progress, so if you find anything you don't like and would like to change it, please do let me know so I can update my versions as well.
If anyone got any idea regarding the last questions I posted, please do let me know as well.
Rp