02-25-2013 02:30 AM
Hello,
We are trying to centralize the OS authentication with LDAP using OID (Oracle Internet Directory).
It works fine with our Linux servers on different flavours, but on HP-UX it's failing.
Below is the snippet from the ssh debug session:
$ ssh -vvv srinivas.kalyan@jnmddb01
.
.
.
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
LDAP Password:
debug3: packet_send2: adding 32 (len 26 padlen 6 extra_pad 64)
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug3: packet_send2: adding 48 (len 10 padlen 6 extra_pad 64)
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug3: ssh_session2_open: channel_new: 0
debug2: channel 0: send open
debug1: Entering interactive session.
debug1: channel 0: free: client-session, nchannels 1
debug3: channel 0: status: The following connections are open:
#0 client-session (t3 r-1 i0/0 o0/0 fd 4/5 cfd -1)
debug3: channel 0: close_fds r 4 w 5 e 6 c -1
Connection to jnmddb01 closed by remote host.
Connection to jnmddb01 closed.
debug1: Transferred: stdin 0, stdout 0, stderr 79 bytes in 0.4 seconds
debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 193.3
debug1: Exit status -1
The user-id is recognised from the LDAP integration commands like beq, pwget:
$ /opt/ldapux/contrib/bin/beq -k n -s pwd -l /usr/lib/hpux32/libnss_ldap.so.1 srinivas.kalyan -H 5
nss_status .............. NSS_SUCCESS
pw_name...........(srinivas.kalyan)
pw_passwd.........(*)
pw_uid............(506)
pw_gid............(501)
pw_age............()
pw_comment........()
pw_gecos..........(srinivas.kalyan)
pw_dir............(/home/srinivas.kalyan)
pw_shell..........(/bin/bash)
pw_audid..........(0)
pw_audflg.........(0)
jnmddb01::root>nsquery passwd srinivas.kalyan
Using "files ldap" for the passwd policy.
Searching /etc/passwd for srinivas.kalyan
srinivas.kalyan was NOTFOUND
Switch configuration: Allows fallback
Searching ldap for srinivas.kalyan
User name: srinivas.kalyan
User Id: 506
Group Id: 501
Gecos: srinivas.kalyan
Home Directory: /home/srinivas.kalyan
Shell: /bin/bash
Switch configuration: Terminates Search
$ pwget -n srinivas.kalyan
srinivas.kalyan:*:506:501:srinivas.kalyan:/home/srinivas.kalyan:/bin/bash
Is there any other configuration required from the PAM?
Any pointers to solve this will be highly appreciated!
02-25-2013 03:04 AM - edited 02-25-2013 03:12 AM
Re: Centralized authentication with LDAP - failing
The SSH client debug output includes:
> debug1: Authentication succeeded (keyboard-interactive).
and:
> debug1: Entering interactive session.
These would suggest that the authentication phase has been successfully completed and a login session is starting, but then something causes the session to immediately end. So the problem might not be authentication, but perhaps something else, like not being able to start the configured shell.
First, check the basics:
- is the home directory /home/srinivas.kalyan accessible?
- the shell is listed as /bin/bash in LDAP. Does /bin/bash exist in this system?
- is /bin/bash working normally? (I think some old versions of bash had a bug that caused sessions to die like this on some versions of HP-UX. Maybe on 11.23 and PA-RISC?)
- does /etc/shells exist, and is /bin/bash listed in it?
(If /etc/shells does not exist, the system uses a hard-coded list of standard shells. See "man getusershell". If you create /etc/shells, you should add the standard shells to it too.)
- do you have a custom shell startup script (~/.profile, ~/.bash_profile or ~/.bashrc) which might end the session automatically if some conditions are true? Does /etc/profile have any customizations?
You should also look at /var/adm/syslog/syslog.log on the server: when login fails, sshd usually logs a sensible error message. For security reasons, this error message is not sent to the client. (No reason to tell a possible intruder exactly why his/her intrusion attempt failed. A legitimate user can contact the server administrator and get the information that way.)
02-27-2013 01:39 AM
Re: Centralized authentication with LDAP - failing
Thanks MK for your response.
The issue seems to be due to the inability of HP-UX to create users with more than 8 characters, as we are trying to map the AD user-id to the unix user.
Maybe we should try enabling the long username option of 11.31?!
Thanks,
Srividhya
- Tags:
- long usernames
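The checklist from MK's reply (home directory, shell binary, /etc/shells, and the getusershell() fallback) and the 8-character username limit that Srividhya's follow-up identified, put together as one diagnostic script that takes the passwd-format line `pwget -n user` prints. This is an added example, not code from the thread or from HP; it assumes only POSIX sh, and the function names `check_username_length`, `check_home_dir`, `check_shell_exec`, `check_shell_listed` and `diagnose_passwd_line` are hypothetical. The 8-character limit is hard-coded from the thread's description; the script does not detect whether long-username support has been enabled on 11.31, it only reports which of the listed conditions would explain a session that closes right after authentication.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread): runs the checks MK listed for a
# "login succeeds, session closes immediately" symptom, plus the 8-character
# username limit from the follow-up post. Assumes POSIX sh only.

# Traditional HP-UX username limit; constant assumed from the thread.
USERNAME_LIMIT=8

# 0 if the username fits the traditional limit, 1 if it is longer.
check_username_length() {
    [ ${#1} -le "$USERNAME_LIMIT" ]
}

# 0 if the home directory exists and can be entered, 1 otherwise.
check_home_dir() {
    [ -d "$1" ] && [ -x "$1" ]
}

# 0 if the login shell exists and is executable, 1 otherwise.
check_shell_exec() {
    [ -x "$1" ]
}

# 0 if the shell is listed in the shells file, 1 if it is not listed,
# 2 if the file is absent (getusershell() then uses its built-in list).
check_shell_listed() {
    shell=$1
    shells_file=${2:-/etc/shells}
    [ -f "$shells_file" ] || return 2
    grep -q -x "$shell" "$shells_file"
}

# Take one passwd-format line (as printed by "pwget -n user"), run every check,
# print one result line per check and return the number of failed checks.
diagnose_passwd_line() {
    line=$1
    shells_file=${2:-/etc/shells}
    name=$(printf '%s\n' "$line" | cut -d: -f1)
    home=$(printf '%s\n' "$line" | cut -d: -f6)
    shell=$(printf '%s\n' "$line" | cut -d: -f7)
    failed=0

    if check_username_length "$name"; then
        echo "OK   username '$name' is within $USERNAME_LIMIT characters"
    else
        echo "FAIL username '$name' is longer than $USERNAME_LIMIT characters (long-username support needed)"
        failed=$((failed + 1))
    fi

    if check_home_dir "$home"; then
        echo "OK   home directory $home is accessible"
    else
        echo "FAIL home directory $home is missing or not enterable"
        failed=$((failed + 1))
    fi

    if check_shell_exec "$shell"; then
        echo "OK   shell $shell exists and is executable"
    else
        echo "FAIL shell $shell does not exist or is not executable"
        failed=$((failed + 1))
    fi

    rc=0
    check_shell_listed "$shell" "$shells_file" || rc=$?
    case $rc in
        0) echo "OK   $shell is listed in $shells_file" ;;
        2) echo "INFO $shells_file does not exist; the built-in list from getusershell() applies" ;;
        *) echo "FAIL $shell is not listed in $shells_file"
           failed=$((failed + 1)) ;;
    esac

    return "$failed"
}

# Stand-alone use on an HP-UX host: sh ldap_login_check.sh <username>
if [ $# -ge 1 ] && command -v pwget >/dev/null 2>&1; then
    diagnose_passwd_line "$(pwget -n "$1")"
    echo "Also check /var/adm/syslog/syslog.log for the sshd message behind the closed session."
fi
```

Run it on the server with the username that fails; each FAIL line corresponds to one item in the checklist above, and a username FAIL on a system without long-username support matches the symptom described in this thread. The shell-startup-script check (~/.profile and /etc/profile customizations) is deliberately left to manual review, since those scripts can only be judged by reading them.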
02-28-2013 01:37 AM