
password-length on 11.11, using LDAP/KRB > Windows AD

Danny Petterson - DK
Trusted Contributor


Hi Gurus!

I have a great deal of 11.11-boxes running LDAP/KRB to validate users against Windows AD - and it works like a charm.

However, on two servers I have a problem - it won't work, unless I uncomment pammkdir-modules from pam.conf - and then it cuts the username to 8 characters. All the users have passwords like xx.xxx.admin, which then, in the short version, becomes xx.xxx.a - a bit annoying might I add.

I suspect it to be a patch-problem, maybe libpam-cumulative patch, which on the culprit is PHCO_24839 - but I'm not sure. I could install the newest version, but with the dependencies it requires a reboot, which is not easily allowed...so what I really would like to know - IS this the problem? Or is it/could it be something else?

Thanks a lot for your time.

Yours
Danny Petterson
2 REPLIES
Steven E. Protter
Exalted Contributor
Solution

Re: password-length on 11.11, using LDAP/KRB > Windows AD

Shalom,

swlist -l product | grep PH > file1
# on a working system

same command on a problem system.

diff the two files.

You will see if there is a patch issue.

Answer: It could be something else but I think your research work is very good and you have a high probability of succeeding with this patch.

I also have what is a very rare request, which is to see how you did the integration. I had some trouble with the same project and traced it to missing patches on the Windows side.

My contact page on http://www.isnamerica.com or http://www.hpuxconsulting.com can transmit me an email.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Danny Petterson - DK
Trusted Contributor

Re: password-length on 11.11, using LDAP/KRB > Windows AD

Hi again!

Hm - I'm getting a bit further here - it's the PAMmkdir 10.00-1.0 which is killing it - when I enable that module in pam.conf it goes wrong:


Feb 6 10:47:26 gaab01F sshd[13087]: Accepted keyboard-interactive/pam for dpe.it.admin from 10.45.255.79 port 49094 ssh2
Feb 6 10:47:27 gaab01F sshd[13087]: getpwnam is failed
Feb 6 10:47:27 gaab01F sshd[13087]: error: PAM: pam_open_session(): Insufficient credentials
Feb 6 10:47:27 gaab01F sshd[13090]: getpwnam is failed
Feb 6 10:47:27 gaab01F sshd[13090]: SSH: Server;LType: Throughput;Remote: 10.45.255.79-49094;IN: 384;OUT: 256;Duration: 0.1;tPut_in: 4320.0;tPut_out: 2880.0
Feb 6 10:47:27 gaab01F sshd[13087]: fatal: login_init_entry: Cannot find user "dpe.it.admin"

But if I disable pammkdir in pam.conf it actually can log users on from AD, but it does not create the homedir, making "/" the default home for all AD-users....

Any ideas?

Thanks in advance.

Yours
Danny
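
Added example, not part of the thread and not code from any poster: a small sh/awk filter that correlates sshd syslog lines by PID and reports logins where authentication was accepted but the account lookup or PAM session setup then failed, as in the excerpt above. The function names, the "jdoe" line and the 8-character column are assumptions made for illustration; the column only shows what the name would look like if cut to 8 characters, as described in the first post.

```shell
#!/bin/sh
# Constructed sample: the first six lines are the syslog excerpt from the post
# above; the last line (user "jdoe") is made up as a clean login for contrast.
sample_log() {
cat <<'EOF'
Feb 6 10:47:26 gaab01F sshd[13087]: Accepted keyboard-interactive/pam for dpe.it.admin from 10.45.255.79 port 49094 ssh2
Feb 6 10:47:27 gaab01F sshd[13087]: getpwnam is failed
Feb 6 10:47:27 gaab01F sshd[13087]: error: PAM: pam_open_session(): Insufficient credentials
Feb 6 10:47:27 gaab01F sshd[13090]: getpwnam is failed
Feb 6 10:47:27 gaab01F sshd[13090]: SSH: Server;LType: Throughput;Remote: 10.45.255.79-49094;IN: 384;OUT: 256;Duration: 0.1;tPut_in: 4320.0;tPut_out: 2880.0
Feb 6 10:47:27 gaab01F sshd[13087]: fatal: login_init_entry: Cannot find user "dpe.it.admin"
Feb 6 10:52:10 gaab01F sshd[13120]: Accepted keyboard-interactive/pam for jdoe from 10.45.255.80 port 49101 ssh2
EOF
}

# Reads syslog text on stdin. Prints "pid user first8 note" once per sshd
# process that logged a successful authentication and then failed the
# account lookup or PAM session setup.
auth_ok_lookup_failed() {
  awk '
    {
      pid = ""
      for (i = 1; i <= NF; i++)
        if ($i ~ /^sshd\[[0-9]+\]:$/) { pid = $i; gsub(/[^0-9]/, "", pid); break }
      if (pid == "") next                  # not an sshd line
    }
    / Accepted / {
      for (i = 1; i < NF; i++)
        if ($i == "for") { user[pid] = $(i + 1); break }
      reported[pid] = 0                    # PID may be reused by a later login
      next
    }
    /getpwnam is failed|Cannot find user|pam_open_session\(\)/ {
      if ((pid in user) && !reported[pid]) {
        u = user[pid]
        note = (length(u) > 8) ? "exceeds-8-chars" : "within-8-chars"
        printf "%s %s %s %s\n", pid, u, substr(u, 1, 8), note
        reported[pid] = 1
      }
    }
  '
}

sample_log | auth_ok_lookup_failed
```

On a real host the function would be fed the system's syslog file instead of `sample_log`; lines from the privilege-separated child (PID 13090 here) are ignored because no "Accepted" line carries that PID.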