topic Re: LDAP User could not access system in Operating System - Linux

LDAP User could not access system

Gary L — Fri, 26 Oct 2007 09:46:51 GMT

Hi

We have two RedHat ES4U4 server, server2 is LDAP server, server1 use LDAP Brower Edit to access LDAP server and add/remove users.

But, currently, we met a problem: lots of LDAP users could not access server1.

1. I have tried to reset their password from LDAP sever via "lbe" on server1, but it doen't work.

2. I did the below command as root user, but got this error.
# su u367
su: incorrect password
correct users I could did # su comand

How to fix this kind of problem?
Any answers will be very appreciate

Re: LDAP User could not access system

Gary L — Fri, 26 Oct 2007 09:47:58 GMT

Sorry, two RH ES3 update 4 server.

server1 has set use LDAP and LDAP server is server2.

Re: LDAP User could not access system

Ivan Ferreira — Fri, 26 Oct 2007 10:48:39 GMT

what is the output of:

id u367
getent passwd |grep u367

Are these users in the same organizational unit?

Re: LDAP User could not access system

Gary L — Fri, 26 Oct 2007 10:56:45 GMT

Hi Ivan

Thank you very much for your fast reply, below are the output:

#id j367
uid=10367(j367) gid=100(users) groups=100(users)

# getent passwd |grep j367
j367t:x:20011:100::/home/j367t:/bin/ksh
j367:x:10367:100:j367:/home/j367:/bin/ksh

There users are in the same unit.

Re: LDAP User could not access system

Ivan Ferreira — Fri, 26 Oct 2007 11:18:34 GMT

Can you please post what you receive when you do:

su - u367
ssh -l u367 localhost

Right after that:
tail /var/log/secure

Check the output of:

finger u367

Check the permissions of the users's home directory.

I would like to see the following files:

more /etc/pam.d/su
more /etc/pam.d/system-auth

Re: LDAP User could not access system

Gary L — Fri, 26 Oct 2007 12:57:19 GMT

Thanks Ivan

I could not show the output right now, because probably, my boss solved this problem. he just ran command "faillog -p / -r", all failure LDAP user worked.

I have no idea why

Could you please explain this?

Re: LDAP User could not access system

Ivan Ferreira — Fri, 26 Oct 2007 13:00:48 GMT

The "faillog -r" maybe was the solution. This resets the failure count. Probably, the system has configure pam_tally, to deny the login if more than "N" authentication failures was intented. Resetting the login failure count will solve the problem.

You will see pam_tally relates messages to /var/log/messages denying the login.

Re: LDAP User could not access system

Gary L — Fri, 26 Oct 2007 13:04:03 GMT

Thanks Ivan

Have a good weekend.

Re: LDAP User could not access system

skt_skt — Tue, 30 Oct 2007 14:17:51 GMT

yes; failog fixed your problem

Following entry/file limits the account to be locked/disabled after five login failure.

# grep LOGIN_RETRIES /etc/login.defs
LOGIN_RETRIES 5

# pam_tally --user kumarts
User kumarts (19806) has 10

# faillog -r kumarts

# pam_tally --user kumarts
User kumarts (19806) has 0

Once it is reset to zero ; you would be able to login.

Re: LDAP User could not access system

Gary L — Tue, 30 Oct 2007 14:20:51 GMT

Hi Santhosh

Thank you very much for your suggestions

Have a great day

-Gary

Re: LDAP User could not access system

skt_skt — Tue, 30 Oct 2007 14:28:32 GMT

see this too

# grep account /etc/pam.d/system-auth
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset

Re: LDAP User could not access system

Gary L — Tue, 30 Oct 2007 14:28:56 GMT

Normally, when we execute command " failog -m #", How to set the value of max number?

Re: LDAP User could not access system

Gary L — Tue, 30 Oct 2007 14:31:48 GMT

In my /etc/login.defs file, no LOGIN_RETRIES setting. Should I set it, value?

and
no entries of account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset in my system-auth file.

Re: LDAP User could not access system

Ivan Ferreira — Tue, 30 Oct 2007 14:35:11 GMT

>> How to set the value of max number?

As described in the previous post, the system-auth file specifies the maximum.

Re: LDAP User could not access system

Gary L — Tue, 30 Oct 2007 14:40:59 GMT

Your mean, If I wanna do the login failure tally, I should add below entry:
account required pam_tally.so deny=5 no_magic_root
in /etc/pam.d/system-auth. "5" is the max faulure attempt value, right? If the user failure five times, the system will block his account or do nothing? If the account be blocked by over the limitation, as the system admin how to help him? faillog -r?

Re: LDAP User could not access system

Gary L — Tue, 30 Oct 2007 14:42:23 GMT

Hi Santhosh

What't the means of "reset" in the end of the line ...deny=5 no_magic_root reset

thanks guys

Re: LDAP User could not access system

Ivan Ferreira — Tue, 30 Oct 2007 14:53:31 GMT

For full informatio about pam_tally, please see:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html

And yes, the administrator must reset the counter to enable access to the account (the account is not disabled, it cannot login by PAM restrictions, is different from usermod -L).

Re: LDAP User could not access system

Gary L — Tue, 30 Oct 2007 16:20:56 GMT

Thanks a lot Ivan