Sudo + pam + ldap

Hello All
We are in the process of migrating to LDAP.
Right now I have a DSEE6.1 using sasl/digest-md5 as the authentication mechanism.
Sudo 1.6.8p12 is installed and was working until I moved all the local users to DS.
When I try to sudo, it asks me for a password three times and then drops out stating that the password is invalid.
But, at same time, I'm able to authenticate using ssh.
Any ideas?

This is still an issue.
Using the same pam.conf from Solaris 8 and 9 on a Solaris 10 box does not result in the same behaviour.
I can log into the system, but when using sudo I get the following message:
$ sudo su -
Password:
su: unable to set credentials
My /etc/pam.conf looks like:
login   auth requisite          pam_authtok_get.so.1 debug
login   auth required           pam_dhkeys.so.1 debug
login   auth required           pam_dial_auth.so.1 debug
login   auth binding            pam_unix_auth.so.1 server_policy debug
login   auth required           pam_ldap.so.1 use_first_pass debug
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth binding            pam_unix_auth.so.1 server_policy
rlogin  auth required           pam_ldap.so.1 use_first_pass debug
dtlogin auth requisite          pam_authtok_get.so.1
dtlogin auth required           pam_dhkeys.so.1
dtlogin auth binding            pam_unix_auth.so.1 server_policy
dtlogin auth required           pam_ldap.so.1 use_first_pass debug
rsh     auth sufficient         pam_rhosts_auth.so.1
rsh     auth binding            pam_unix_auth.so.1 server_policy
rsh     auth required           pam_ldap.so.1 use_first_pass debug
ppp     auth requisite          pam_authtok_get.so.1
ppp     auth required           pam_dhkeys.so.1
ppp     auth binding            pam_unix_auth.so.1 server_policy
ppp     auth required           pam_dial_auth.so.1
ppp     auth required           pam_ldap.so.1 use_first_pass debug
dtsession auth requisite       pam_authtok_get.so.1
dtsession auth required        pam_dhkeys.so.1
dtsession auth binding         pam_unix_auth.so.1 server_policy
dtsession auth required        pam_ldap.so.1 debug
other   auth requisite          pam_authtok_get.so.1 debug
other   auth sufficient         pam_dhkeys.so.1 debug
other   auth binding            pam_unix_auth.so.1 server_policy debug
other   auth required           pam_ldap.so.1 use_first_pass debug
passwd  auth binding            pam_passwd_auth.so.1 debug server_policy
passwd  auth required           pam_ldap.so.1 try_first_pass debug
login   account requisite       pam_roles.so.1
login   account required        pam_projects.so.1
login   account binding         pam_unix_account.so.1 server_policy
login   account required        pam_ldap.so.1 debug
cron    account required        pam_projects.so.1
cron    account required        pam_unix_account.so.1
dtlogin account requisite       pam_roles.so.1
dtlogin account required        pam_projects.so.1
dtlogin account binding         pam_unix_account.so.1 server_policy
dtlogin account required        pam_ldap.so.1 debug
ppp     account requisite       pam_roles.so.1
ppp     account required        pam_projects.so.1
ppp     account required        pam_unix_account.so.1 server_policy
other   account requisite       pam_roles.so.1
other   account required        pam_projects.so.1
other   account binding         pam_unix_account.so.1 server_policy
other   account required        pam_ldap.so.1 debug
ppp     session required        pam_unix_session.so.1
other   session required        pam_unix_session.so.1
other   session required        pam_mkhomedir.so.1 skel=/etc/skel umask=0022
other   password required       pam_dhkeys.so.1 debug
other   password requisite      pam_authtok_get.so.1 debug
other   password requisite      pam_authtok_check.so.1 debug
other   password sufficient     pam_authtok_store.so.1 server_policy debug
other   password required       pam_ldap.so.1 debug
Any ideas?
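The "Problem fixed" reply in the duplicate of this thread further down the page reports that Solaris 10 needs pam_unix_cred.so.1 in every auth stack that calls pam_unix_auth.so.1, otherwise su fails with "unable to set credentials". The following checker is an added example, not code from any poster: it parses a pam.conf in the format shown above, flags service names that match no known Solaris service (a misspelled service name silently applies to nothing, so that stack loses its pam_ldap entry) and auth stacks missing pam_unix_cred.so.1, and can insert the missing line. KNOWN_SERVICES is an assumption built from the service names that appear on this page; the sample pam.conf is a constructed excerpt.

```python
"""Lint a Solaris-style /etc/pam.conf for the two defects discussed in this thread.

Added example, not code from any poster. It flags (1) service names that match
no known service, so the entry never applies, and (2) auth stacks that call
pam_unix_auth.so.1 without pam_unix_cred.so.1, which on Solaris 10 yields
"su: unable to set credentials".
"""
from collections import OrderedDict

# Assumption: service names from a stock Solaris pam.conf plus those on this page.
KNOWN_SERVICES = {"login", "rlogin", "dtlogin", "rsh", "ppp", "dtsession",
                  "other", "passwd", "cron", "sshd-kbdint"}

AUTH_MODULE = "pam_unix_auth.so.1"
CRED_MODULE = "pam_unix_cred.so.1"


def parse_pam_conf(text):
    """Yield (lineno, service, type, control, module, options) per entry.

    Comments and blank lines are skipped; an entry with fewer than four
    fields is yielded with service=None so the caller can report it.
    """
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            yield lineno, None, None, None, None, fields
            continue
        yield lineno, fields[0], fields[1], fields[2], fields[3], fields[4:]


def auth_stacks(text):
    """Map each service to the ordered list of modules in its auth stack."""
    stacks = OrderedDict()
    for _, service, mtype, _, module, _ in parse_pam_conf(text):
        if service is not None and mtype == "auth":
            stacks.setdefault(service, []).append(module)
    return stacks


def services_missing_cred(text):
    """Services whose auth stack has pam_unix_auth.so.1 but no pam_unix_cred.so.1."""
    return [svc for svc, mods in auth_stacks(text).items()
            if AUTH_MODULE in mods and CRED_MODULE not in mods]


def lint_pam_conf(text):
    """Return human-readable findings; an empty list means nothing to fix."""
    findings = []
    for lineno, service, _, _, _, fields in parse_pam_conf(text):
        if service is None:
            findings.append(f"line {lineno}: malformed entry {' '.join(fields)!r}")
        elif service not in KNOWN_SERVICES:
            findings.append(f"line {lineno}: unknown service {service!r}; "
                            "this entry never applies (typo?)")
    for svc in services_missing_cred(text):
        findings.append(f"service {svc!r}: auth stack calls {AUTH_MODULE} without "
                        f"{CRED_MODULE} (Solaris 10: 'unable to set credentials')")
    return findings


def add_unix_cred(text, control="required"):
    """Insert a pam_unix_cred.so.1 entry directly before the first
    pam_unix_auth.so.1 entry of every auth stack that lacks it.

    The stock Solaris 10 pam.conf lists pam_unix_cred.so.1 as 'required';
    the reply in this thread used 'binding'. The control flag is a parameter.
    """
    need = set(services_missing_cred(text))
    out = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if (len(fields) >= 4 and fields[1] == "auth"
                and fields[3] == AUTH_MODULE and fields[0] in need):
            out.append(f"{fields[0]:<8}auth {control:<10} {CRED_MODULE}")
            need.discard(fields[0])
        out.append(raw)
    return "\n".join(out) + "\n"


# Constructed excerpt in the style of the pam.conf above, including a
# misspelled service name ("loign") of the kind that is easy to miss.
SAMPLE_PAM_CONF = """\
login   auth requisite          pam_authtok_get.so.1 debug
login   auth required           pam_dhkeys.so.1 debug
login   auth binding            pam_unix_auth.so.1 server_policy debug
login   auth required           pam_ldap.so.1 use_first_pass debug
other   auth requisite          pam_authtok_get.so.1 debug
other   auth binding            pam_unix_auth.so.1 server_policy debug
other   auth required           pam_ldap.so.1 use_first_pass debug
login   account binding         pam_unix_account.so.1 server_policy
loign   account required        pam_ldap.so.1 debug
"""

if __name__ == "__main__":
    for finding in lint_pam_conf(SAMPLE_PAM_CONF):
        print(finding)
    print(add_unix_cred(SAMPLE_PAM_CONF))
```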

Similar Messages

  • Sudo with LDAP NetGroups Solaris 10

    Hi All,
    Can someone describe to me the steps to configure sudoers to work with LDAP NetGroups on Solaris 10?
    I am using "sudo 1.7.2p6" right now.
    I am able to authenticate using the Netgroups, but not able to using sudo.
    Thanks,
    DD

    I have recently tested sudo 1.6.8p8 to be working with flat files /etc/sudoers or LDAP sudo maps, together with netgroup and automount, on a Solaris Native LDAP Client against DS5.2 server.
    I assume you use Solaris8/9 Native LDAP Client, and assume netgroup LDAP maps have been working without sudo.
    I read your other post about sudo and ldap, I think you did not configure and build "sudo" with "--with-pam", right?
    Can you provide the following details?
    1) First 10 lines of "sudo -V", i.e. "sudo -V | head".
    2) How do you configure "sudo" on the LDAP Client? i.e. ./configure options.
    3) Did you use an old gcc version eg: Solaris9 built-in gcc 3.1, to compile sudo?
    4) Content of /var/ldap/ldap_client_file.
    5) Content of /etc/ldap.conf, you should have this file.
    6) Sample ldif showing some sudoRole entries in LDAP
    7) Can you perform these commands?
    ldaplist -l sudoers
    ldaplist -l sudoers root
    ldaplist -l sudoers some_sudoRole
    8) Content of /etc/pam.conf
    9) Any other relevant details, like err in /var/adm/messages.
    Gary

  • [SOLVED] sudo doesnt work

    Hi guys,
    I'm having the strangest issues since my last installation of archlinux. First I could not login into any tty (after entering the username, nothing happened). I could solve that by installing the util-linux package. Now I cannot use sudo.
    The user is in the group wheel (which is uncommented in sudoers). I have changed nothing in the sudoers file, here's the content:
    ## sudoers file.
    ## This file MUST be edited with the 'visudo' command as root.
    ## Failure to use 'visudo' may result in syntax or file permission errors
    ## that prevent sudo from running.
    ## See the sudoers man page for the details on how to write a sudoers file.
    ## Host alias specification
    ## Groups of machines. These may include host names (optionally with wildcards),
    ## IP addresses, network numbers or netgroups.
    # Host_Alias WEBSERVERS = www1, www2, www3
    ## User alias specification
    ## Groups of users. These may consist of user names, uids, Unix groups,
    ## or netgroups.
    # User_Alias ADMINS = millert, dowdy, mikef
    ## Cmnd alias specification
    ## Groups of commands. Often used to group related commands together.
    # Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \
    # /usr/bin/pkill, /usr/bin/top
    ## Defaults specification
    ## You may wish to keep some of the following environment variables
    ## when running commands via sudo.
    ## Locale settings
    # Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
    ## Run X applications through sudo; HOME is used to find the
    ## .Xauthority file. Note that other programs use HOME to find
    ## configuration files and this may lead to privilege escalation!
    # Defaults env_keep += "HOME"
    ## X11 resource path settings
    # Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
    ## Desktop path settings
    # Defaults env_keep += "QTDIR KDEDIR"
    ## Allow sudo-run commands to inherit the callers' ConsoleKit session
    # Defaults env_keep += "XDG_SESSION_COOKIE"
    ## Uncomment to enable special input methods. Care should be taken as
    ## this may allow users to subvert the command being run via sudo.
    # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
    ## Uncomment to enable logging of a command's output, except for
    ## sudoreplay and reboot. Use sudoreplay to play back logged sessions.
    # Defaults log_output
    # Defaults!/usr/bin/sudoreplay !log_output
    # Defaults!/usr/local/bin/sudoreplay !log_output
    # Defaults!/sbin/reboot !log_output
    ## Runas alias specification
    ## User privilege specification
    root ALL=(ALL) ALL
    ## Uncomment to allow members of group wheel to execute any command
    %wheel ALL=(ALL) ALL
    ## Same thing without a password
    # %wheel ALL=(ALL) NOPASSWD: ALL
    ## Uncomment to allow members of group sudo to execute any command
    # %sudo ALL=(ALL) ALL
    ## Uncomment to allow any user to run sudo if they know the password
    ## of the user they are running the command as (root by default).
    # Defaults targetpw # Ask for the password of the target user
    # ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
    ## Read drop-in files from /etc/sudoers.d
    ## (the '#' here does not indicate a comment)
    #includedir /etc/sudoers.d
    In the auth.log there are following lines which seem to be important:
    Jul 12 13:46:18 localhost sudo: PAM _pam_init_handlers: no default config /etc/pam.d/other
    Jul 12 13:46:21 localhost sudo: PAM no modules loaded for `sudo' service
    Jul 12 13:46:22 localhost sudo: pam_unix(sudo:auth): conversation failed
    Jul 12 13:46:22 localhost sudo: pam_unix(sudo:auth): auth could not identify password for [archUser]
    Jul 12 13:46:22 localhost sudo: archUser: 1 incorrect password attempt ; TTY=pts/2 ; PWD=/home/archUser; USER=root ; COMMAND=/usr/bin/pacman -Syyuu
    So I looked up the content of /etc/pam.d/sudo:
    root@arch /etc/pam.d # cat sudo
    #%PAM-1.0
    auth required pam_unix.so
    auth required pam_nologin.so
    The files pam_unix.so and pam_nologin.so are both saved in /usr/lib/security.
    I noticed that if I enter the password wrong, I need to wait one or two seconds before I can try it again (this behaviour seems to be normal). But when I enter the password correct, there is no waiting time and I can enter the pass again.
    I have no idea what to do and hope that anyone can help me to use sudo again.
    4 years ago, after installing archlinux the first time, I had not a single error. Everything worked just fine but now I get two errors at once after the installation!
    --blackdeagle
    Last edited by blackdeagle (2012-07-12 14:05:53)
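    The auth.log excerpt in this post is worth reading as a detection problem: a single "incorrect password attempt" record looks like a failed privilege escalation, but the PAM lines logged just before it show the stack never obtained a password at all. The following classifier is an added example, not code from the thread: it parses sudo's syslog records into fields and labels a failure record as a PAM misconfiguration when a PAM setup error preceded it on the same host, and as a genuine bad password otherwise. The sample lines are the ones from this post plus two constructed lines for a real wrong-password attempt.

```python
"""Classify sudo failure records from auth.log as PAM misconfiguration vs. bad password.

Added example, not from the thread. The log format is the one in the post
above: "Mon DD HH:MM:SS host sudo: <message>".
"""
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo: (?P<msg>.*)$")
# sudo's own failure record: "<user>: N incorrect password attempt(s) ; TTY=... ; ..."
FAIL_RE = re.compile(
    r"^(?P<user>[^:]+): (?P<n>\d+) incorrect password attempts? ; (?P<rest>.*)$")

# PAM messages that mean the stack never got as far as checking a password.
PAM_SETUP_ERRORS = (
    "no default config",
    "no modules loaded",
    "conversation failed",
    "could not identify password",
)


def parse_sudo_line(line):
    """Return a dict of fields for a sudo syslog line, or None if it is not one.

    Failure records additionally get 'invoker', 'attempts', 'tty', 'pwd',
    'runas' and 'command'. Splitting on ';' is fine for these lines; a
    COMMAND whose arguments contain ' ; ' would need a stricter parser.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    f = FAIL_RE.match(rec["msg"])
    if f:
        rec["invoker"] = f.group("user")
        rec["attempts"] = int(f.group("n"))
        for kv in re.split(r"\s*;\s*", f.group("rest")):
            k, _, v = kv.partition("=")
            key = {"user": "runas"}.get(k.lower(), k.lower())
            rec[key] = v
    return rec


def classify(lines):
    """Return (invoker, verdict, runas, command) for every failure record.

    verdict is 'pam-misconfiguration' when a PAM setup error was logged on
    the same host since the last failure record, otherwise 'bad-password'.
    """
    results = []
    pending_pam_error = {}
    for line in lines:
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        if any(err in rec["msg"] for err in PAM_SETUP_ERRORS):
            pending_pam_error[rec["host"]] = True
            continue
        if "invoker" in rec:
            broken = pending_pam_error.pop(rec["host"], False)
            verdict = "pam-misconfiguration" if broken else "bad-password"
            results.append((rec["invoker"], verdict, rec.get("runas"), rec.get("command")))
    return results


# Lines 1-5 are the ones quoted in the post; lines 6-7 are constructed to
# show what a genuine wrong password looks like once PAM is working.
SAMPLE_AUTH_LOG = [
    "Jul 12 13:46:18 localhost sudo: PAM _pam_init_handlers: no default config /etc/pam.d/other",
    "Jul 12 13:46:21 localhost sudo: PAM no modules loaded for `sudo' service",
    "Jul 12 13:46:22 localhost sudo: pam_unix(sudo:auth): conversation failed",
    "Jul 12 13:46:22 localhost sudo: pam_unix(sudo:auth): auth could not identify password for [archUser]",
    "Jul 12 13:46:22 localhost sudo: archUser: 1 incorrect password attempt ; TTY=pts/2 ; PWD=/home/archUser; USER=root ; COMMAND=/usr/bin/pacman -Syyuu",
    "Jul 12 14:10:05 localhost sudo: pam_unix(sudo:auth): authentication failure; logname=archUser uid=1000 euid=0 tty=/dev/pts/2 ruser=archUser rhost=  user=archUser",
    "Jul 12 14:10:05 localhost sudo: archUser: 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/archUser ; USER=root ; COMMAND=/bin/ls",
]

if __name__ == "__main__":
    for row in classify(SAMPLE_AUTH_LOG):
        print(row)
```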

    blackdeagle wrote:
    65kid wrote:
    blackdeagle wrote:Please stay away from my thread! I don't need people like you telling me to search the forums and which parameters I can use and which not!
    seriously? it is stated in multiple news, the wiki and in about every third forum thread that you shouldn't use force unless you know exactly what you are doing or you are explicitly told to use it. I don't blame you that you didn't notice this, a lot of people don't (unfortunately). But when people correct you and want to help you are like "whatever, I do what I want! go away!" ???
    And what do you think the search function is for?
    Please stay away from Arch... geez...
    Come on, do you seriously think you are the only one using the search function? Show me some threads with the solution for my issue!
    https://bbs.archlinux.org/viewtopic.php?id=143335
    https://bbs.archlinux.org/viewtopic.php?id=144079
    https://bbs.archlinux.org/viewtopic.php?id=143487
    https://bbs.archlinux.org/viewtopic.php?id=142729
    https://bbs.archlinux.org/viewtopic.php?id=142720
    https://bbs.archlinux.org/viewtopic.php?id=142941
    https://bbs.archlinux.org/viewtopic.php?id=144599

  • Able to su from root to ldap accounts but account passwords come back as incorrect otherwise?

    Hi,
    I've installed DSEE 11.1.1.7.2 and I set up a few test ldap clients, Solaris 10, Solaris 11, and Oracle Linux. From root on any of these boxes I can su to the ldap accounts, but if I try to ssh or su - from one test account to another I get an incorrect password.
    I also have a test Sun 7.0 Directory Server running and using the same Solaris 10 client I can do a ldapinit to it and authenticate fine with the test accounts. I'm using the same scripts to create accounts and passwords on both versions. I looked through the default password policies between the two and don't see any differences and I'm not getting anything showing up in the logs. Has anyone seen this type of issue before?
    Thanks

    Hello,
    This post http://serverfault.com/questions/576265/solaris-pam-ldap-authentication-using-sshd-kbdint-and-failing might be useful.
    -Sylvain
    Please mark the response as helpful or correct when appropriate to make it easier for others to find it

  • UNIX pam authentication doesn't work anymore for SGD 4.20-984

    In SGD 4.20 the UNIX/PAM/LDAP authentication doesn't work anymore.
    After login into tarantella "Invalid Credentials" appears.
    SGD is configured to authenticate UNIX users. In UNIX - PAM/LDAP is working properly:
    "getent passwd" shows all LDAP users and login with LDAP-Accounts via ssh is possible as well.
    Does somebody know what is wrong?

    Hi
    thanks for the quick answer.
    Here the output of "tarantella config list |grep login":
    login-ad-base-domain: ""
    login-ad-default-domain: ""
    login-ad: 0
    login-anon: 0
    login-ens: 1
    login-ldap-url: ldap://ts2ldasv001
    login-ldap: 0
    login-mapped: 0
    login-nt-domain: ""
    login-nt: 0
    login-securid: 0
    login-theme: sco/tta/standard
    login-thirdparty-superusers: sgd_trusted_user
    login-thirdparty: 0
    login-unix-group: 0
    login-unix-user: 1
    login-web-ens: 0
    login-web-ldap-ens: 0
    login-web-ldap-profile: 0
    login-web-profile: 0
    login-web-tokenvalidity: 180
    login-web-user: ttaserv
    server-login: enabled
    We activated just UNIX user authentication.
    I also tried pwconv without success...

  • Fingerprint sudo and su authentication on Thinkpad E430

    I have followed the tutorial on the Arch Wiki (https://wiki.archlinux.org/index.php/Fingerprint-gui) to enable fingerprint authentication using the fingerprint-gui, changing the files /etc/pam.d/sudo and /etc/pam.d/su as described.
    su is working fine with fingerprint, however when I try to use sudo, first it prompts for a password, like this:
    "Password:"
    Then if you type anything, it asks for the real password:
    "[sudo] password for eric:"
    I can't understand why su works fine and sudo does not. My files look like this:
    /etc/pam.d/su
    #%PAM-1.0
    auth            sufficient      pam_rootok.so
    auth            sufficient      pam_fingerprint-gui.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth           sufficient      pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth           required        pam_wheel.so use_uid
    auth            required        pam_unix.so
    account         required        pam_unix.so
    session         required        pam_unix.so
    /etc/pam.d/sudo
    #%PAM-1.0
    auth            sufficient      pam_fingerprint-gui.so
    auth            required        pam_unix.so
    auth            required        pam_nologin.so
    Any idea of what could be going on?

    I am not sure about how it acts with the new versions of sudo.  But I wrote that page.  The information I pulled from is here:
    http://www.n-view.net/Appliance/fingerp … anual.html
    I did get it working on my machine, but I noticed that when I would use sudo, it would ask me for a password while simultaneously asking for a swipe. If I chose to use my keyboard, it would kill the fingerprint dialog box, and then ask for my sudo password again. Is this what you are saying that it is doing?
    I didn't find a workaround for that because, honestly, I found the fingerprint reader really annoying to use.  I guess just having to take my hands off the keyboard to do that just seemed to me like a hassle.  I think one spot where it would be pretty good though is for your login manager.  Unfortunately, I don't use one of those either....
    I think the reason why I put the work into figuring out how to get it to work is because I wanted to see if I could get all the stuff working on my machine.  I guess you have probably found my E430 page as well, and I did indeed finally get everything working.
    BTW, what kind of wifi card did your machine come with?  Does it use the rtl8192ce module?  If so, good luck!  (I can help you with that if you need)

  • Error Message in log when creating DBReporting

    Hi Folks,
    After executing script (runtetl.bat) to complete P6 Reporting Database next message appears in log (something seems to be wrong in the project)
    <04.29.2011 11:53:56> transform [INFO] (Progress) - Processed     20.0% of WBS objects
    <04.29.2011 11:54:02> transform [WARN] (Message) - Spread loading thread 2: There was a problem processing a record for the ACTIVITYSPREAD table : NumberFormatException -- For input string: "00 AM"
    Object Identifier: ACTIVITYSPREAD Project CXRS Draft (Glenn Counsell) (EU55 - CXRS GC)
    Primary Key(s): 19797
    <04.29.2011 11:54:02> transform [ERROR] (Message) - Spread loading thread 2: ERROR FOR ACTIVITYSPREAD
    java.lang.NumberFormatException: For input string: "00 AM"
         at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
         at java.lang.Integer.parseInt(Integer.java:458)
         at java.lang.Integer.parseInt(Integer.java:499)
    Similar message appears after referring to calendar
    <04.29.2011 11:56:24> transform [INFO] (Progress) - Processed     100.0% of PROJECTRESOURCE objects
    <04.29.2011 11:56:44> transform [WARN] (Message) - There was a problem processing a record for the CALENDAR table : DAODataAccessFailure -- NumberFormatException -- For input string: "00 AM"
    Object Identifier: CALENDAR Standard
    Primary Key(s): 8473
    <04.29.2011 11:56:44> transform [INFO] (Message) - ERROR FOR CALENDAR
    com.primavera.er.stage.dao.BaseDAO$DAODataAccessFailure: NumberFormatException -- For input string: "00 AM"
         at com.primavera.er.stage.dao.CalendarDAO.retrieveBusinessObject(Unknown Source)
         at com.primavera.er.stage.dao.CalendarDAO.a(Unknown Source)
         at com.primavera.er.stage.dao.CalendarDAO.updateVirtualFieldsForFullLoad(Unknown Source)
         at com.primavera.er.stage.dao.BaseGlobalContextDAO.updateVirtualFields(Unknown Source)
         at com.primavera.er.stage.dao.BaseAPIDAO.updateVirtualFields(Unknown Source)
         at com.primavera.er.stage.client.ETLProcess$FullApiETLProcessor.a(Unknown Source)
         at com.primavera.er.stage.client.ETLProcess$ETLLoadProcessor$1.run(Unknown Source)
    Original Exception:
    java.lang.NumberFormatException: For input string: "00 AM"
         at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
         at java.lang.Integer.parseInt(Integer.java:458)
         at java.lang.Integer.parseInt(Integer.java:499)
         at com.primavera.infr.calendar.CalendarUtil.a(CalendarUt
    and another one referring a wbs
    <04.29.2011 13:39:01> transform [WARN] (Message) - There was a problem processing a record for the ACTIVITY table : DAODataAccessFailure -- NumberFormatException -- For input string: "00 AM"
    Object Identifier: ACTIVITY > FDR CXRS port plug components complete in wbs F in project with id 19797
    Primary Key(s): 411986
    <04.29.2011 13:39:01> transform [INFO] (Message) - ERROR FOR ACTIVITY
    com.primavera.er.stage.dao.BaseDAO$DAODataAccessFailure: NumberFormatException -- For input string: "00 AM"
         at com.primavera.er.stage.dao.ActivityDAO.retrieveBusinessObject(Unknown Source)
         at com.primavera.er.stage.dao.ActivityDAO.retrieveBusinessObject(Unknown Source)
         at com.primavera.er.stage.dao.BaseProjectContextDAO.doUpdateVirtualFieldsPerProjectsInErrorRecoveryMode(Unknown Source)
         at com.primavera.er.stage.dao.BaseProjectContextDAO.updateVirtualFieldsPerProject(Unknown Source)
         at com.primavera.er.stage.dao.BaseProjectContextDAO.updateVirtualFields(Unknown Source)
         at com.primavera.er.stage.dao.BaseAPIDAO.updateVirtualFields(Unknown Source)
         at com.primavera.er.stage.client.ETLProcess$FullApiETLProcessor.a(Unknown Source)
         at com.primavera.er.stage.client.ETLProcess$ETLLoadProcessor$1.run(Unknown Source)
    Original Exception:
    java.lang.NumberFormatException: For input string: "00 AM"
         at java.lang.NumberFormatException.forInputString(NumberFormatException.java:48)
         at java.lang.Integer.parseInt(Integer.java:458)
         at java.lang.Integer.parseInt(Integer.java:499)
         at com.primavera.infr.calendar.CalendarUtil.a(CalendarUtil.java:1686)
         at com.primavera.infr.calendar.CalendarUtil.parseCalendarData(CalendarUtil.java:1605)
         at com.primavera.bo.rules.calc.BOCalendarCE.a(BOCalendarCE.java:164)
         at com.primavera.bo.rules.calc.BOCalendarCE.calc_DailyWorkTime(BOCalendarCE.java:58)
    Fortunately these errors do not interrupt the ETL processes, but do you have any idea about how to fix them?

    Hi
    Is the Server Standalone? If so run this command
    sudo changeip - 10.31.3.135 10.31.3.135 KNWS3135 KNWS3135.ad.ewsad.net
    enter the password when prompted and restart the server.
    If the Server is an Open Directory Master issue this command:
    sudo changeip /LDAP/127.0.0.1 10.31.3.135 10.31.3.135 KNWS3135 KNWS3135.ad.ewsad.net
    enter the password when prompted and restart the server.
    Before you do this can I ask if the DNS Service is being provided by an Active Directory Domain Controller? In other words a Windows Server. If it is and the Windows System Admin has created a DNS entry for your server then make sure there is a Reverse Pointer entry for your server. Make sure the Windows System Admin uses the KNWS3135.ad.esad.net as the FQDN (fully qualified domain name). Enter the AD Server’s IP address as the Primary IP Address in the DNS Server Field on your server and then issue this command:
    host KNWS3135.ad.ewsad.net
    You should see something like this:
    KNWS3135.ad.ewsad.net has address 10.31.3.135
    follow this with:
    host 10.31.3.135
    You should see something like this:
    135.3.31.10.in-addr.arpa domain name pointer KNWS3135.ad.ewsad.net.
    If you are seeing this after you have made sure the Windows System Admin has created the relevant PTR entry for your server then issue the changeip command again:
    sudo changeip -checkhostname
    This time it should report 'the names match there is nothing to change'
    Hope this helps, Tony

  • Sol9 X86 copy mini root / nothing happens

    Hi there,
    I am installing Sol9 X86 on a Dual-Xeon. Solaris 8 worked fine. This is what happened:
    Copying mini-root to local disk.# \
    First I "hear" that something is being copied to disk, but then the slash rotates and nothing more happens.
    Any idea or experience?
    Heiko

    Hi J.,
    You are right. I would say ... this is really buggy. Sure, with Disk 2 I can install the system. But now, it doesn't boot anymore. Now the /etc/bootrc won't be found. First I thought there was something wrong with the devices. But the devices seem to be ok. I can install Solaris 8 without any problems even from the installation disk.
    I paid 20$ for the download. I can't accept that I can't change the OS to a new release. I don't need functionality like browsing the web, or some unnecessary playground. I need a system that I can install without compiling a kernel. I don't want to think about hardware problems. I also plan to buy the workgroup licenses.
    Maybe you will ask why I use X86? I have 6 powerful Xeon systems. I want to use the new pam-ldap modules.
    I think about, if it is my job to check the startinstall and dependent scripts or what is going wrong inside the installation.
    So, what should I do? In one week I have to present the new company infrastructure. Should I kick Solaris?
    I am really disappointed and angry (not to you, but on the product).
    Do you have an idea?
    I will post this also in a single thread.
    Thanks for your help.
    Heiko

  • Parallelize user creation/update

    I'm managing an IDM installation where I have a resource group of about 30 servers (and counting), and whenever I need to create a new user on all of these or simply update a user, it takes forever to finish. It seems that IDM doesn't take advantage of an obvious chance of parallelizing this task and instead sequentially logs on to server 1, makes the update, then logs in to server 2, makes the update and so on...
    With our 30 servers an update (or simply a status on where a user has accounts) sometimes takes over 2 minutes. Many of the updates are run using shell script adapters as there are no native adapters for these OS's (linux and freebsd), and these shell adapters seem to run slower than standard java adapters.
    Is there something that can be done to make IDM work in parallel and not serially? (IDM 7)

    Hej Thomas,
    there are three things that come to my mind reading your question:
    1) In the waveset.properties there is a setting provisioner.maxThreads increasing this might increase the parallel handling of accounts for you. I say might because I assume that quite a few settings in the waveset.properties don't do anything at all and remain in there for legacy reasons.
    2) If you are dealing with an environment where people tend to have dozens or hundreds of accounts of a similar type (a project about Unix admins or programmers), the right answer might be to point out things like PAM LDAP.
    3) If the IDM solution has to fetch 100 accounts from 100 servers deployed from azerbaijan to zimbabwe this can not be done online within reasonable time. You need to think about a way of automating this with scripts deployed on the servers.
    Regards,
    Patrick

  • Solaris 10 + pam + DSEE6.1 + su/sudo

    Hello All
    We are deploying a new LDAP infrastructure and I have been struggling with Sun JES DSEE6.1/6.0 for the last months. After a long battle, I have Solaris 8 and 9 boxes authenticating against an LDAP server. Solaris 10 is partially working with LDAP but I have a very strange behavior.
    The same pam.conf is in use in all three servers but Solaris 10 is presenting the following problem:
    [SunOS 5.10/bash] p661210@wgls01:/export/home/p661210
    $ sudo su -
    Password:
    su: unable to set credentials
    [SunOS 5.10/bash] p661210@wgls01:/export/home/p661210
    $ su -
    Password:
    su: Sorry
    [SunOS 5.10/bash] p661210@wgls01:/export/home/p661210
    $ su -
    Password:
    su: Sorry
    The same pam.conf (below) is in use for all servers and only Solaris 10 has problems:
    login   auth requisite          pam_authtok_get.so.1 debug
    login   auth required           pam_dhkeys.so.1 debug
    login   auth required           pam_dial_auth.so.1 debug
    login   auth binding            pam_unix_auth.so.1 server_policy debug
    login   auth required           pam_ldap.so.1 use_first_pass debug
    rlogin  auth sufficient         pam_rhosts_auth.so.1
    rlogin  auth requisite          pam_authtok_get.so.1
    rlogin  auth required           pam_dhkeys.so.1
    rlogin  auth binding            pam_unix_auth.so.1 server_policy
    rlogin  auth required           pam_ldap.so.1 use_first_pass debug
    dtlogin auth requisite          pam_authtok_get.so.1
    dtlogin auth required           pam_dhkeys.so.1
    dtlogin auth binding            pam_unix_auth.so.1 server_policy
    dtlogin auth required           pam_ldap.so.1 use_first_pass debug
    rsh     auth sufficient         pam_rhosts_auth.so.1
    rsh     auth binding            pam_unix_auth.so.1 server_policy
    rsh     auth required           pam_ldap.so.1 use_first_pass debug
    ppp     auth requisite          pam_authtok_get.so.1
    ppp     auth required           pam_dhkeys.so.1
    ppp     auth binding            pam_unix_auth.so.1 server_policy
    ppp     auth required           pam_dial_auth.so.1
    ppp     auth required           pam_ldap.so.1 use_first_pass debug
    dtsession auth requisite       pam_authtok_get.so.1
    dtsession auth required        pam_dhkeys.so.1
    dtsession auth binding         pam_unix_auth.so.1 server_policy
    dtsession auth required        pam_ldap.so.1 debug
    other   auth requisite          pam_authtok_get.so.1 debug
    other   auth sufficient         pam_dhkeys.so.1 debug
    other   auth binding            pam_unix_auth.so.1 server_policy debug
    other   auth required           pam_ldap.so.1 use_first_pass debug
    passwd  auth binding            pam_passwd_auth.so.1 debug server_policy
    passwd  auth required           pam_ldap.so.1 try_first_pass debug
    login   account requisite       pam_roles.so.1
    login   account required        pam_projects.so.1
    login   account binding         pam_unix_account.so.1 server_policy
    login   account required        pam_ldap.so.1 debug
    cron    account required        pam_projects.so.1
    cron    account required        pam_unix_account.so.1
    dtlogin account requisite       pam_roles.so.1
    dtlogin account required        pam_projects.so.1
    dtlogin account binding         pam_unix_account.so.1 server_policy
    dtlogin account required        pam_ldap.so.1 debug
    ppp     account requisite       pam_roles.so.1
    ppp     account required        pam_projects.so.1
    ppp     account required        pam_unix_account.so.1 server_policy
    other   account requisite       pam_roles.so.1
    other   account required        pam_projects.so.1
    other   account binding         pam_unix_account.so.1 server_policy
    other   account required        pam_ldap.so.1 debug
    ppp     session required        pam_unix_session.so.1
    other   session required        pam_unix_session.so.1
    other   session required        pam_mkhomedir.so.1 skel=/etc/skel umask=0022
    other   password required       pam_dhkeys.so.1 debug
    other   password requisite      pam_authtok_get.so.1 debug
    other   password requisite      pam_authtok_check.so.1 debug
    other   password sufficient     pam_authtok_store.so.1 server_policy debug
    other   password required       pam_ldap.so.1 debug
    Any ideas?

    Problem fixed.
    Solaris 10 requires a different pam.conf. Every entry of the form
    login   auth binding            pam_unix_auth.so.1 server_policy
    needs to be replaced by
    login   auth binding            pam_unix_cred.so.1
    login   auth binding            pam_unix_auth.so.1 server_policy
    PS: The "login" needs to be replaced by the correct service name.
    Andreas

  • Pam.conf does not use ldap for password length check when changing passwd

    I have already posted this in the directory server forum but since it is to do with pam not using ldap I thought there might be some pam experts who check this forum.
    I have dsee 6.0 installed on a solaris 10 server (client).
    I have a solaris 9 server (server) set up to use ldap authentication.
    bash-2.05# cat /var/ldap/ldap_client_file
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_FILE_VERSION= 2.0
    NS_LDAP_SERVERS= X, Y
    NS_LDAP_SEARCH_BASEDN= dc=A,dc= B,dc= C
    NS_LDAP_AUTH= tls:simple
    NS_LDAP_SEARCH_REF= FALSE
    NS_LDAP_SEARCH_SCOPE= one
    NS_LDAP_SEARCH_TIME= 30
    NS_LDAP_SERVER_PREF= X.A.B.C, Y.A.B.C
    NS_LDAP_CACHETTL= 43200
    NS_LDAP_PROFILE= tls_profile
    NS_LDAP_CREDENTIAL_LEVEL= proxy
    NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=People,dc=A,dc=B,dc=com?one
    NS_LDAP_SERVICE_SEARCH_DESC= group:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_SERVICE_SEARCH_DESC= shadow:ou=People,dc=A,dc=B,dc=C?one
    NS_LDAP_BIND_TIME= 10
    bash-2.05# cat /var/ldap/ldap_client_cred
    # Do not edit this file manually; your changes will be lost. Please use ldapclient (1M) instead.
    NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=A,dc=B,dc=C
    NS_LDAP_BINDPASSWD= {NS1}6ff7353e346f87a7
    bash-2.05# cat /etc/nsswitch.conf
    # /etc/nsswitch.ldap:
    # An example file that could be copied over to /etc/nsswitch.conf; it
    # uses LDAP in conjunction with files.
    # "hosts:" and "services:" in this file are used only if the
    # /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
    # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
    passwd: files ldap
    group: files ldap
    # consult /etc "files" only if ldap is down.
    hosts: files dns
    ipnodes: files
    # Uncomment the following line and comment out the above to resolve
    # both IPv4 and IPv6 addresses from the ipnodes databases. Note that
    # IPv4 addresses are searched in all of the ipnodes databases before
    # searching the hosts databases. Before turning this option on, consult
    # the Network Administration Guide for more details on using IPv6.
    #ipnodes: ldap [NOTFOUND=return] files
    networks: files
    protocols: files
    rpc: files
    ethers: files
    netmasks: files
    bootparams: files
    publickey: files
    netgroup: ldap
    automount: files ldap
    aliases: files ldap
    # for efficient getservbyname() avoid ldap
    services: files ldap
    sendmailvars: files
    printers: user files ldap
    auth_attr: files ldap
    prof_attr: files ldap
    project: files ldap
    bash-2.05# cat /etc/pam.conf
    #ident "@(#)pam.conf 1.20 02/01/23 SMI"
    # Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
    # Use is subject to license terms.
    # PAM configuration
    # Unless explicitly defined, all services use the modules
    # defined in the "other" section.
    # Modules are defined with relative pathnames, i.e., they are
    # relative to /usr/lib/security/$ISA. Absolute path names, as
    # present in this file in previous releases are still acceptable.
    # Authentication management
    # login service (explicit because of pam_dial_auth)
    login auth requisite pam_authtok_get.so.1 debug
    login auth required pam_dhkeys.so.1 debug
    login auth required pam_dial_auth.so.1 debug
    login auth binding pam_unix_auth.so.1 server_policy debug
    login auth required pam_ldap.so.1 use_first_pass debug
    # rlogin service (explicit because of pam_rhost_auth)
    rlogin auth sufficient pam_rhosts_auth.so.1
    rlogin auth requisite pam_authtok_get.so.1
    rlogin auth required pam_dhkeys.so.1
    rlogin auth binding pam_unix_auth.so.1 server_policy
    rlogin auth required pam_ldap.so.1 use_first_pass
    # rsh service (explicit because of pam_rhost_auth,
    # and pam_unix_auth for meaningful pam_setcred)
    rsh auth sufficient pam_rhosts_auth.so.1
    rsh auth required pam_unix_auth.so.1
    # PPP service (explicit because of pam_dial_auth)
    ppp auth requisite pam_authtok_get.so.1
    ppp auth required pam_dhkeys.so.1
    ppp auth required pam_dial_auth.so.1
    ppp auth binding pam_unix_auth.so.1 server_policy
    ppp auth required pam_ldap.so.1 use_first_pass
    # Default definitions for Authentication management
    # Used when service name is not explicitly mentioned for authenctication
    other auth requisite pam_authtok_get.so.1 debug
    other auth required pam_dhkeys.so.1 debug
    other auth binding pam_unix_auth.so.1 server_policy debug
    other auth required pam_ldap.so.1 use_first_pass debug
    # passwd command (explicit because of a different authentication module)
    passwd auth binding pam_passwd_auth.so.1 server_policy debug
    passwd auth required pam_ldap.so.1 use_first_pass debug
    # cron service (explicit because of non-usage of pam_roles.so.1)
    cron account required pam_projects.so.1
    cron account required pam_unix_account.so.1
    # Default definition for Account management
    # Used when service name is not explicitly mentioned for account management
    other account requisite pam_roles.so.1 debug
    other account required pam_projects.so.1 debug
    other account binding pam_unix_account.so.1 server_policy debug
    other account required pam_ldap.so.1 no_pass debug
    # Default definition for Session management
    # Used when service name is not explicitly mentioned for session management
    other session required pam_unix_session.so.1
    # Default definition for Password management
    # Used when service name is not explicitly mentioned for password management
    other password required pam_dhkeys.so.1 debug
    other password requisite pam_authtok_get.so.1 debug
    other password requisite pam_authtok_check.so.1 debug
    other password required pam_authtok_store.so.1 server_policy debug
    # Support for Kerberos V5 authentication (uncomment to use Kerberos)
    #rlogin auth optional pam_krb5.so.1 try_first_pass
    #login auth optional pam_krb5.so.1 try_first_pass
    #other auth optional pam_krb5.so.1 try_first_pass
    #cron account optional pam_krb5.so.1
    #other account optional pam_krb5.so.1
    #other session optional pam_krb5.so.1
    #other password optional pam_krb5.so.1 try_first_pass
    I can ssh into client with user VV, which does not exist locally but exists in the directory server. This is from /var/adm/messages on the ldap client:
    May 17 15:25:07 client sshd[26956]: [ID 634615 auth.debug] pam_authtok_get:pam_sm_authenticate: flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
    May 17 15:25:11 client sshd[26956]: [ID 285619 auth.debug] ldap pam_sm_authenticate(sshd VV), flags = 0
    May 17 15:25:11 client sshd[26956]: [ID 509786 auth.debug] roles pam_sm_authenticate, service = sshd user = VV ruser = not set rhost = h.A.B.C
    May 17 15:25:11 client sshd[26956]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:25:11 client sshd[26956]: [ID 724664 auth.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:25:11 client sshd[26956]: [ID 100510 auth.debug] ldap pam_sm_acct_mgmt(VV), flags = 0
    May 17 15:25:11 client sshd[26953]: [ID 800047 auth.info] Accepted keyboard-interactive/pam for VV from 10.115.1.251 port 2703 ssh2
    May 17 15:25:11 client sshd[26953]: [ID 914923 auth.debug] pam_dhkeys: no valid mechs found. Trying AUTH_DES.
    May 17 15:25:11 client sshd[26953]: [ID 499478 auth.debug] pam_dhkeys: get_and_set_seckey: could not get secret key for keytype 192-0
    May 17 15:25:11 client sshd[26953]: [ID 507889 auth.debug] pam_dhkeys: mech key totals:
    May 17 15:25:11 client sshd[26953]: [ID 991756 auth.debug] pam_dhkeys: 0 valid mechanism(s)
    May 17 15:25:11 client sshd[26953]: [ID 898160 auth.debug] pam_dhkeys: 0 secret key(s) retrieved
    May 17 15:25:11 client sshd[26953]: [ID 403608 auth.debug] pam_dhkeys: 0 passwd decrypt successes
    May 17 15:25:11 client sshd[26953]: [ID 327308 auth.debug] pam_dhkeys: 0 secret key(s) set
    May 17 15:25:11 client sshd[26958]: [ID 965073 auth.debug] pam_dhkeys: cred reinit/refresh ignored
    If I then try to change the password with the `passwd` command, it does not use the password policy on the directory server but the default defined in /etc/default/passwd.
    bash-2.05$ passwd
    passwd: Changing password for VV
    Enter existing login password:
    New Password:
    passwd: Password too short - must be at least 8 characters.
    Please try again
    May 17 15:26:17 client passwd[27014]: [ID 285619 user.debug] ldap pam_sm_authenticate(passwd VV), flags = 0
    May 17 15:26:17 client passwd[27014]: [ID 509786 user.debug] roles pam_sm_authenticate, service = passwd user = VV ruser = not set rhost = not set
    May 17 15:26:17 client passwd[27014]: [ID 579461 user.debug] pam_unix_account: entering pam_sm_acct_mgmt()
    May 17 15:26:17 client passwd[27014]: [ID 724664 user.debug] pam_ldap pam_sm_acct_mgmt: illegal option no_pass
    May 17 15:26:17 client passwd[27014]: [ID 100510 user.debug] ldap pam_sm_acct_mgmt(VV), flags = 80000000
    May 17 15:26:17 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:17 client passwd[27014]: [ID 988707 user.debug] read_authtok: Copied AUTHTOK to OLDAUTHTOK
    May 17 15:26:20 client passwd[27014]: [ID 558286 user.debug] pam_authtok_check: pam_sm_chauthok called
    May 17 15:26:20 client passwd[27014]: [ID 271931 user.debug] pam_authtok_check: minimum length from /etc/default/passwd: 8
    May 17 15:26:20 client passwd[27014]: [ID 985558 user.debug] pam_dhkeys: entered pam_sm_chauthtok()
    May 17 15:26:20 client passwd[27014]: [ID 417489 user.debug] pam_dhkeys: OLDRPCPASS already set
    I am using the default policy on the directory server which states a minimum password length of 6 characters.
    server:root:LDAP_Master:/var/opt/SUNWdsee/dscc6/dcc/ads/ldif#dsconf get-server-prop -h server -p 389|grep ^pwd-
    pwd-accept-hashed-pwd-enabled : N/A
    pwd-check-enabled : off
    pwd-compat-mode : DS6-mode
    pwd-expire-no-warning-enabled : on
    pwd-expire-warning-delay : 1d
    pwd-failure-count-interval : 10m
    pwd-grace-login-limit : disabled
    pwd-keep-last-auth-time-enabled : off
    pwd-lockout-duration : disabled
    pwd-lockout-enabled : off
    pwd-lockout-repl-priority-enabled : on
    pwd-max-age : disabled
    pwd-max-failure-count : 3
    pwd-max-history-count : disabled
    pwd-min-age : disabled
    pwd-min-length : 6
    pwd-mod-gen-length : 6
    pwd-must-change-enabled : off
    pwd-root-dn-bypass-enabled : off
    pwd-safe-modify-enabled : off
    pwd-storage-scheme : CRYPT
    pwd-strong-check-dictionary-path : /opt/SUNWdsee/ds6/plugins/words-english-big.txt
    pwd-strong-check-enabled : off
    pwd-strong-check-require-charset : lower
    pwd-strong-check-require-charset : upper
    pwd-strong-check-require-charset : digit
    pwd-strong-check-require-charset : special
    pwd-supported-storage-scheme : CRYPT
    pwd-supported-storage-scheme : SHA
    pwd-supported-storage-scheme : SSHA
    pwd-supported-storage-scheme : NS-MTA-MD5
    pwd-supported-storage-scheme : CLEAR
    pwd-user-change-enabled : off
    Whereas /etc/default/passwd on the ldap client says passwords must be 8 characters. This is seen with the "pam_authtok_check: minimum length from /etc/default/passwd: 8" line. It is clearly not using the policy from the directory server but checking locally. So I can login ok using the ldap server for authentication, but when I try to change the password it does not use the policy from the server, which says I only need a minimum length of 6 characters.
    I have read that pam_ldap is only supported for directory server 5.2. Because I am running ds6 and with password compatibility in ds6 mode, maybe this is my problem. Does anyone know of any updated pam_ldap modules for solaris 9?
    Edited by: ericduggan on Sep 8, 2008 5:30 AM

    you can try passwd -r ldap for changing the ldap passwds...

  • Authentication ldap, pam.d on solaris 11

    Hi,
    I tested ldap authentication on Solaris 11 and I didn't succeed in ssh connection.
    I succeed in viewing ldap users (getent passwd) and I modified /etc/pam.d/login, other and passwd
    with "auth required pam_ldap

    Hi,
    Try to change the following two files: /etc/pam.d/login and /etc/pam.d/other
    Change the line that states:
    auth required     pam_unix_auth.so.1
    to
    auth binding      pam_unix_auth.so.1 server_policy
    auth required     pam_ldap.so.1
    Did you also check the attribute mapping for the LDAP client?
    svccfg -s network/ldap/client setprop config/attribute_map= astring: '("shadow:homeDirectory=unixHomeDirectory" "shadow:description=distinguishedName" "shadow:uid=samaccountname" "shadow:gidnumber=primaryGroupID" "shadow:uidnumber=uidNumber" "shadow:gecos=displayName" "passwd:homeDirectory=unixHomeDirectory" "passwd:description=distinguishedName" "passwd:uid=samaccountname" "passwd:gidnumber=primaryGroupID" "passwd:uidnumber=uidNumber" "passwd:gecos=displayName")'
    svccfg -s network/ldap/client setprop config/objectclass_map= astring: '("group:posixGroup=group" "shadow:shadowAccount=person" "shadow:posixAccount=user" "passwd:shadowAccount=person" "passwd:posixAccount=user")'
    what does getent passwd username say? Does it return all the necessary fields (uid, gid etc.)?
    While configuring the LDAP client to point to our Microsoft AD I use the AD property uidNumber which I manually set to the last part of the objectSID property to keep it unique within the domain.
    Kind regards,
    Lambert

  • PAM config for LDAP and ssh

    Hi
    I'm trying to get ssh working with ldap clients on solaris 10. I have managed to configure the client so I can query the DS using ldaplist -l passwd and group, but now I'm scratching my head a little with the ssh/pam.conf side of things.
    The goal is to have *NP in the password field for all users and use ssh-agents for authentication. User account info and rbac data is held in ldap. SSH-ing into a host configured as an ldap client gets me thus far, from the sshd output on the host i'm connecting to:
    Found matching DSA key: 21:98:d1:9d:dd:d4:72:9d:c2:a5:20:40:16:27:4c:a9
    debug1: restore_uid: 0/0
    debug1: ssh_dss_verify: signature correct
    debug2: Starting PAM service sshd-pubkey for method publickey
    debug3: Trying to reverse map address 10.3.52.128.
    debug2: userauth_pubkey: authenticated 0 pkalg ssh-dss
    Failed publickey for asilc from 10.3.52.128 port 1966 ssh2
    debug1: userauth-request for user asilc service ssh-connection method keyboard-interactive
    debug1: attempt 3 initial attempt 0 failures 3 initial failures 0
    debug2: input_userauth_request: try method keyboard-interactive
    debug1: keyboard-interactive devs
    Failed keyboard-interactive for user from 10.3.52.128 port 2109 ssh2
    Received disconnect from 10.3.52.128: 14: No supported authentication methods available
    Then I'm kicked out as there's nothing left to do. It looks as if the key is accepted but I think then something in my pam stack is kicking me out.
    The debug for PAM gives me:
    Jun 8 11:11:21 donatello sshd[5653]: [ID 206471 auth.debug] PAM[5653]: pam_acct_mgmt(80cbfa0, 0): error No account present for user
    Jun 8 11:11:21 donatello sshd[5653]: [ID 737214 auth.debug] PAM[5653]: pam_set_item(80cbfa0:authtok)
    Jun 8 11:11:26 donatello sshd[5653]: [ID 737214 auth.debug] PAM[5653]: pam_set_item(80cbfa0:conv)
    Jun 8 11:11:26 donatello sshd[5653]: [ID 159459 auth.debug] PAM[5653]: pam_end(80cbfa0): status = No account present for user
    the ssh lines in my pam.conf:
    sshd account binding pam_ldap.so.1 debug
    sshd password sufficient pam_ldap.so.1 debug
    Lines in sshd_config:
    PasswordAuthentication no
    PermitEmptyPasswords no
    PAMAuthenticationViaKBDInt no
    Can anyone help point me in the right direction?

    Do you see anything in your directory server access log? If not, there's probably something wrong on the sshd host.
    Do you have the latest available patches for pam_ldap?
    Are you sure of your pam stack configuration? (check this: http://download.oracle.com/docs/cd/E18752_01/html/816-4556/schemas-111.html)

  • Using PAM for LDAP authentication

    Good Day All,
    I want to know how I can use PAM to enable users to authenticate to my Solaris 9 box using an existing LDAP server. I would appreciate it if the explanation is simpler and more detailed, as I am new to this stuff. Also, is there any other means, like an open source solution, so that users can use a centralized authentication server and gain access to a solaris box without going for local /etc/passwd and /etc/shadow files?

    It depends on what LDAP Server you used.
    The steps are more than just the pam_ldap configuration.
    You may find the following how-to useful or not at all.
    http://web.singnet.com.sg/~garyttt/
    HTH
    Gary

  • Help with extending schema for redhat ldap sudo integration.

    Hi all,
    I've done LDAP administration for a few years, but I'm new to Directory server and I'm a bit stuck. I want to apply a custom schema and allow sudoers in our CentOs (Redhat) Linux servers. They're authenticating correctly, but I can't get sudoers to work. I've followed this documentation to update my schema.
    http://kbase.redhat.com/faq/docs/DOC-2057
    I'm having issues with the step that creates the SUDOers group as the following.
    dn: ou=SUDOers,dc=example,dc=com
    objectClass: top
    objectClass: organizationalUnit
    ou: SUDOers
    I want to make administration easy via the Workgroup manager so I don't have to manually add users to this group via ldif files. When I create a sudoers group via the workgroup manager, I get this dn
    cn=sudoers,cn=groups,dc=spidertracks,dc=local
    As you can see, it's a cn, not an ou. Furthermore, how do I get the defaults in the sudoer's group so that redhat recognizes the setup, but users can be assigned via the workgroup manager?
    Thanks,
    Todd

    Anyways, I've created an LDIF for Active Directory with these attributes and object classes.
    Don't really know if this is needed inside AD or not.
    If anyone wants these LDIFs for some reason, drop me a line. Keep in mind that they are a work in progress, so if you find anything you don't like and would like to change it, please do let me know so I can update my versions as well.
    If anyone has any idea regarding the last questions I posted, please do let me know as well.
    Rp
