02-10-2012 12:29 PM - edited 02-10-2012 12:54 PM
LDAP user cannot login to one server but can on others.
I have an LDAP user that cannot login to one particular box but can on others. Other LDAP users can login fine.
His password has been reset on LDAP server. I have restarted ssh and ldapclient.
GOLDAPPS11i B.11.11.0912.483 Applications Patches for HP-UX 11i v1, December 2009
J4269AA B.04.17 LDAP-UX Integration
System is setup to use LDAP and trusted local accounts.
/etc/nsswitch.conf is same as other servers.
passwd: files ldap
group: files ldap
hosts: files [NOTFOUND=continue] dns ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=return] files
netgroup: files ldap
automount: files ldap
services: files ldap
/etc/pam.conf is same as other servers except debug statement on one line.
login auth sufficient /usr/lib/security/libpam_ldap.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_ldap.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_ldap.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_ldap.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_ldap.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth sufficient /usr/lib/security/libpam_ldap.1
OTHER auth required /usr/lib/security/libpam_unix.1 try_first_pass
login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_ldap.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_authz.1
su account sufficient /usr/lib/security/libpam_ldap.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_authz.1
dtlogin account sufficient /usr/lib/security/libpam_ldap.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_authz.1
dtaction account sufficient /usr/lib/security/libpam_ldap.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_authz.1
ftp account sufficient /usr/lib/security/libpam_ldap.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_authz.1
OTHER account sufficient /usr/lib/security/libpam_ldap.1
OTHER account required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_ldap.1 debug
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_ldap.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_ldap.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_ldap.1
OTHER session required /usr/lib/security/libpam_unix.1
login password sufficient /usr/lib/security/libpam_ldap.1
login password required /usr/lib/security/libpam_unix.1 try_first_pass
passwd password sufficient /usr/lib/security/libpam_ldap.1
passwd password required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin password sufficient /usr/lib/security/libpam_ldap.1
dtlogin password required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction password sufficient /usr/lib/security/libpam_ldap.1
dtaction password required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER password sufficient /usr/lib/security/libpam_ldap.1
OTHER password required /usr/lib/security/libpam_unix.1 try_first_pass
sshd_config has UsePAM yes
When I switch to user and then try to su - ldapuser I get:
The password is not expired, but the server thinks it is.
#su - ldapuser
$ su - ldapuser
Last successful login for ldapuser: Fri Feb 10 13:26:19 CST6CDT 2012
Last unsuccessful login for ldapuser: Fri Feb 10 13:15:53 CST6CDT 2012
Your password has expired.
In the syslog.log I get for this su - ldapuser session:
su: pam_acct_mgmt: error Permission denied
su: pam_acct_mgmt: error Get new authentication token
su: pam_acct_mgmt returned 7
For remote ssh to this server as ldapuser I get:
sshd: error: PAM: Permission denied for ldapuser from host1
Why does PAM, the ldap daemon or ssh think the password is expired, and how do you reset that account on that one server if it's LDAP-bound and trusted? modprpw -k is for local account resets, is it not?
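Added example (not part of the original post, and not HP-UX's libpam): a small model of how a Solaris/HP-UX-style PAM framework walks a stack of required/sufficient/optional modules, run over the su/login account stack exactly as listed in the pam.conf above. It shows when libpam_unix.1 is consulted at all: a successful `sufficient` libpam_ldap.1 short-circuits the stack, so the local trusted-system password only matters if the LDAP account check did not return success or a `required` module before it failed. The return codes use the numbering of Solaris-derived PAM, which matches the "Permission denied" / "returned 7" pairing in the syslog lines; the scenarios are constructed, and which modules actually returned what on the real box is not known from the post.

```python
"""Model of Solaris/HP-UX-style PAM stack evaluation (control flags
required / sufficient / optional) applied to the 'account' stack from the
post. Illustration only; not HP-UX's own PAM implementation."""

PAM_SUCCESS = 0
PAM_PERM_DENIED = 7          # logged as "Permission denied"
PAM_NEW_AUTHTOK_REQD = 10    # logged as "Get new authentication token"

# The su/login 'account' stack as listed in the pam.conf in the post.
ACCOUNT_STACK = [
    ("required",   "libpam_authz.1"),
    ("sufficient", "libpam_ldap.1"),
    ("required",   "libpam_unix.1"),
]


def run_stack(stack, results):
    """Evaluate a PAM stack.

    `results` maps module name -> the code that module would return.
    Returns (final_code, modules_actually_called). Semantics:
      required   : failure is remembered (first one wins), stack continues
      sufficient : success returns immediately unless a required module
                   already failed; failure is ignored
      optional   : ignored for the final result
    """
    saved_required_error = None
    called = []
    for flag, module in stack:
        rc = results[module]
        called.append(module)
        if flag == "required":
            if rc != PAM_SUCCESS and saved_required_error is None:
                saved_required_error = rc
        elif flag == "sufficient":
            if rc == PAM_SUCCESS and saved_required_error is None:
                return PAM_SUCCESS, called   # later modules are skipped
        elif flag == "optional":
            pass
        else:
            raise ValueError("unknown control flag: %s" % flag)
    if saved_required_error is not None:
        return saved_required_error, called
    return PAM_SUCCESS, called


# Scenario A (constructed): LDAP account check passes, so libpam_unix.1 is
# never called and an expired local /tcb password cannot matter.
def scenario_ldap_ok():
    return run_stack(ACCOUNT_STACK, {
        "libpam_authz.1": PAM_SUCCESS,
        "libpam_ldap.1": PAM_SUCCESS,
        "libpam_unix.1": PAM_PERM_DENIED,
    })


# Scenario B (constructed): LDAP does not return success (here: it wants a
# new password), the 'sufficient' result is ignored, the stack falls through
# to libpam_unix.1, and that required module's failure is what su reports.
def scenario_ldap_not_success():
    return run_stack(ACCOUNT_STACK, {
        "libpam_authz.1": PAM_SUCCESS,
        "libpam_ldap.1": PAM_NEW_AUTHTOK_REQD,
        "libpam_unix.1": PAM_PERM_DENIED,
    })


# Scenario C (constructed): a required module ahead of the 'sufficient' one
# fails; a later sufficient success cannot rescue the stack.
def scenario_authz_denies():
    return run_stack(ACCOUNT_STACK, {
        "libpam_authz.1": PAM_PERM_DENIED,
        "libpam_ldap.1": PAM_SUCCESS,
        "libpam_unix.1": PAM_SUCCESS,
    })


if __name__ == "__main__":
    for name, fn in [("ldap ok", scenario_ldap_ok),
                     ("ldap not success", scenario_ldap_not_success),
                     ("authz denies", scenario_authz_denies)]:
        code, called = fn()
        print("%-17s -> pam_acct_mgmt returned %d, called %s"
              % (name, code, ", ".join(called)))
```

Reading the stack this way narrows the question: for `pam_acct_mgmt` to return 7 with that pam.conf, either libpam_authz.1 denied the user, or libpam_ldap.1 did not return success and libpam_unix.1 then rejected the local account. Which of the two happened on the problem box is exactly what the `debug` option and the getprpw checks below are for.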
02-21-2012 08:55 PM
Re: LDAP user cannot login to one server but can on others.
What does getprpw return for the local account (assuming there's a local unix account, as per your reference to /tcb/files/auth/l/ldapuser)?
/usr/lbin/getprpw -l ldapuser
/usr/lbin/getprdef -m exptm,lftm
Is there a password assigned to the local ux account, and if so, has it expired? Anyhow, I'm betting there is a local ux passwd on the problem box which has expired. If you compare that to the working box, I bet it isn't expired (yet).
Regardless, if you don't want the user to authenticate using a local ux passwd and only ldap then you should have a closer look at your pam.conf to see where in the stack it fails on a 'required' module.
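Added example (not from the thread and not HP-UX code): a script that does the comparison the reply suggests. It takes the `getprpw -l USER` output from the problem box and from a working box, falls back to the `getprdef -m exptm,lftm` system defaults wherever the per-user field is -1 (unset), and reports the age of the local password against the effective expiration time (exptm) and lifetime (lftm). The two getprpw lines and the getprdef line are constructed to match the getprpw(1M)/getprdef(1M) field names; the ctime-style layout of the spwchg timestamp and the treatment of a default of 0/-1 as "no ageing" are assumptions. `NOW` is pinned to the su attempt time in the post so the output is reproducible.

```python
"""Compare trusted-system (/tcb) password-ageing fields from two hosts.
Inputs are pasted getprpw/getprdef output; nothing is run on the host.
Sample output below is constructed, not captured from a real system."""
from datetime import datetime

# Constructed `getprpw -l ldapuser` output, trimmed to the relevant fields.
PROBLEM_BOX = ("uid=2101, bootpw=NO, mintm=-1, exptm=-1, lftm=-1, "
               "spwchg=Mon Oct 10 09:12:40 2011, upwchg=-1, acctexp=-1, "
               "llog=-1, alock=NO")
WORKING_BOX = ("uid=2101, bootpw=NO, mintm=-1, exptm=-1, lftm=-1, "
               "spwchg=Mon Jan 16 08:03:11 2012, upwchg=-1, acctexp=-1, "
               "llog=-1, alock=NO")
# Constructed `getprdef -m exptm,lftm` output: system-wide defaults in days.
DEFAULTS = "exptm=90, lftm=180"

# Time of the failed "su - ldapuser" in the post; pinned for reproducibility.
NOW = datetime(2012, 2, 10, 13, 26, 19)
TIME_FMT = "%a %b %d %H:%M:%S %Y"   # assumed ctime-style spwchg layout


def parse_fields(text):
    """Turn 'k1=v1, k2=v2, ...' into a dict. The ctime timestamp contains
    no comma, so splitting on ', ' is safe for these fields."""
    fields = {}
    for item in text.split(", "):
        key, _, value = item.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def effective_days(user, defaults, field):
    """Per-user value unless it is -1 (unset), then the getprdef default.
    A value <= 0 after defaulting is treated as 'no ageing' (assumption)."""
    value = int(user.get(field, "-1"))
    if value == -1:
        value = int(defaults.get(field, "-1"))
    return None if value <= 0 else value


def password_state(getprpw_out, getprdef_out, now=NOW):
    """Age of the local password and whether it is past exptm / lftm."""
    user = parse_fields(getprpw_out)
    defaults = parse_fields(getprdef_out)
    changed = datetime.strptime(user["spwchg"], TIME_FMT)
    age = (now - changed).days
    exptm = effective_days(user, defaults, "exptm")
    lftm = effective_days(user, defaults, "lftm")
    return {
        "age_days": age,
        "exptm": exptm,
        "lftm": lftm,
        "expired": exptm is not None and age > exptm,  # must change password
        "dead": lftm is not None and age > lftm,       # lifetime exceeded
    }


def compare_hosts(hosts, getprdef_out, now=NOW):
    """hosts: {name: getprpw output}. Returns {name: state}."""
    return {name: password_state(out, getprdef_out, now)
            for name, out in hosts.items()}


if __name__ == "__main__":
    report = compare_hosts({"problem": PROBLEM_BOX, "working": WORKING_BOX},
                           DEFAULTS)
    for host, st in report.items():
        print("%-8s age=%3dd exptm=%s lftm=%s expired=%s dead=%s"
              % (host, st["age_days"], st["exptm"], st["lftm"],
                 st["expired"], st["dead"]))
```

With the constructed data the problem box shows a 123-day-old local password against a 90-day default exptm (expired, still within lftm) while the working box is 25 days old; that is the asymmetry the reply is betting on. If the user is meant to authenticate only against LDAP, the local password state is a symptom, and the fix belongs in the pam.conf account stack rather than in repeatedly resetting the /tcb entry.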