
LDAP user cannot login to one server but can on others.

jerrym
Trusted Contributor

I have an LDAP user that cannot log in to one particular box but can on others. Other LDAP users can log in fine.

His password has been reset on the LDAP server. I have restarted ssh and ldapclient.

HP-UX 11.11

  GOLDAPPS11i                           B.11.11.0912.483 Applications Patches for HP-UX 11i v1, December 2009
  J4269AA                               B.04.17        LDAP-UX Integration

The system is set up to use LDAP and trusted local accounts.

/etc/nsswitch.conf is the same as on the other servers.

passwd:       files ldap
group:        files ldap
hosts:        files [NOTFOUND=continue] dns ldap
networks:     files ldap
protocols:    files ldap
rpc:          files ldap
publickey:    ldap [NOTFOUND=return] files
netgroup:     files ldap
automount:    files ldap
aliases:      files
services:     files ldap

/etc/pam.conf is the same as on the other servers except for a debug statement on one line.

login    auth sufficient        /usr/lib/security/libpam_ldap.1
login    auth required  /usr/lib/security/libpam_unix.1 try_first_pass
su       auth sufficient        /usr/lib/security/libpam_ldap.1
su       auth required  /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin  auth sufficient        /usr/lib/security/libpam_ldap.1
dtlogin  auth required  /usr/lib/security/libpam_unix.1 try_first_pass
dtaction         auth sufficient        /usr/lib/security/libpam_ldap.1
dtaction         auth required  /usr/lib/security/libpam_unix.1 try_first_pass
ftp      auth sufficient        /usr/lib/security/libpam_ldap.1
ftp      auth required  /usr/lib/security/libpam_unix.1 try_first_pass
OTHER    auth sufficient        /usr/lib/security/libpam_ldap.1
OTHER    auth required  /usr/lib/security/libpam_unix.1 try_first_pass
login    account required       /usr/lib/security/libpam_authz.1
login    account sufficient     /usr/lib/security/libpam_ldap.1
login    account required       /usr/lib/security/libpam_unix.1
su       account required       /usr/lib/security/libpam_authz.1
su       account sufficient     /usr/lib/security/libpam_ldap.1
su       account required       /usr/lib/security/libpam_unix.1
dtlogin  account required       /usr/lib/security/libpam_authz.1
dtlogin  account sufficient     /usr/lib/security/libpam_ldap.1
dtlogin  account required       /usr/lib/security/libpam_unix.1
dtaction account required       /usr/lib/security/libpam_authz.1
dtaction         account sufficient     /usr/lib/security/libpam_ldap.1
dtaction         account required       /usr/lib/security/libpam_unix.1
ftp      account required       /usr/lib/security/libpam_authz.1
ftp      account sufficient     /usr/lib/security/libpam_ldap.1
ftp      account required       /usr/lib/security/libpam_unix.1
OTHER    account required       /usr/lib/security/libpam_authz.1
OTHER    account sufficient     /usr/lib/security/libpam_ldap.1
OTHER    account required       /usr/lib/security/libpam_unix.1
login    session required       /usr/lib/security/libpam_ldap.1 debug
login    session required       /usr/lib/security/libpam_unix.1
dtlogin  session required       /usr/lib/security/libpam_ldap.1
dtlogin  session required       /usr/lib/security/libpam_unix.1
dtaction         session required       /usr/lib/security/libpam_ldap.1
dtaction         session required       /usr/lib/security/libpam_unix.1
OTHER    session required       /usr/lib/security/libpam_ldap.1
OTHER    session required       /usr/lib/security/libpam_unix.1
login    password sufficient    /usr/lib/security/libpam_ldap.1
login    password required      /usr/lib/security/libpam_unix.1 try_first_pass
passwd   password sufficient    /usr/lib/security/libpam_ldap.1
passwd   password required      /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin  password sufficient    /usr/lib/security/libpam_ldap.1
dtlogin  password required      /usr/lib/security/libpam_unix.1 try_first_pass
dtaction         password sufficient    /usr/lib/security/libpam_ldap.1
dtaction         password required      /usr/lib/security/libpam_unix.1 try_first_pass
OTHER    password sufficient    /usr/lib/security/libpam_ldap.1
OTHER    password required      /usr/lib/security/libpam_unix.1 try_first_pass

sshd_config has UsePAM yes

When I switch to a user and then try su - ldapuser, I get:

The password is not expired, but the server thinks it is.

#su - ldapuser

$ su - ldapuser
Password:
Last   successful login for ldapuser: Fri Feb 10 13:26:19 CST6CDT 2012
Last unsuccessful login for ldapuser: Fri Feb 10 13:15:53 CST6CDT 2012
Your password has expired.
su: Sorry

In syslog.log I get the following for this su - ldapuser session:

su: pam_acct_mgmt: error Permission denied
su: pam_acct_mgmt: error Get new authentication token

su: pam_acct_mgmt returned 7

For remote ssh to this server as ldapuser I get:

sshd[11226]: error: PAM: Permission denied for ldapuser from host1

/tcb/files/auth/l/ldapuser

ldapuser:u_name=ldapuser:u_id#8036:\
        :u_pwd=*:\
        :u_auditid#100:\
        :u_auditflag#0:\
        :u_suclog#1328901979:u_unsuclog#1328901989:u_numunsuclog#1:u_lock@:\
        :chkent:

Why does PAM, the LDAP daemon or ssh think the password is expired, and how do you reset that account on that one server if it's LDAP bound and trusted? modprpw -k is for resetting local accounts, is it not?
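The two syslog lines ("Permission denied" followed by "Get new authentication token") are what you would expect if the account stack is walked module by module: libpam_ldap is marked sufficient, so when it fails the framework falls through to libpam_unix, which is required and checks the local trusted-mode entry. The following simulator is an added example written for this thread, not code from the original post or from HP; it parses the three su/account lines quoted above and walks them with the classic pam.conf(4) control-flag rules. The per-module verdicts in the scenarios are hypothetical inputs, not something read from the system.

```python
"""Walk a pam.conf stack the way the PAM framework does, to see which module's
verdict decides an account check.  Added example for the thread above; the
control-flag rules (required / requisite / sufficient / optional) follow the
classic Solaris/HP-UX pam.conf(4) semantics."""
from dataclasses import dataclass

PAM_SUCCESS = "PAM_SUCCESS"
PAM_PERM_DENIED = "PAM_PERM_DENIED"            # logged as "Permission denied"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"  # logged as "Get new authentication token"

# Constructed copy of the three "su account" lines from the question's pam.conf.
SU_ACCOUNT_STACK = """\
su       account required       /usr/lib/security/libpam_authz.1
su       account sufficient     /usr/lib/security/libpam_ldap.1
su       account required       /usr/lib/security/libpam_unix.1
"""


@dataclass
class PamEntry:
    service: str
    module_type: str   # auth | account | session | password
    control: str       # required | requisite | sufficient | optional
    module: str        # path of the shared library


def parse_pam_conf(text):
    """Parse pam.conf lines (comments and blank lines skipped) into PamEntry objects."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        entries.append(PamEntry(fields[0], fields[1], fields[2].lower(), fields[3]))
    return entries


def evaluate_stack(entries, service, module_type, module_results):
    """Return (final_result, modules_consulted) for one service/type stack.

    module_results maps a module's basename to the code it would return;
    modules not listed are assumed to return PAM_SUCCESS (hypothetical inputs)."""
    stack = [e for e in entries if e.service == service and e.module_type == module_type]
    first_required_failure = None
    saw_success = False
    last_failure = None
    consulted = []
    for entry in stack:
        name = entry.module.rsplit("/", 1)[-1]
        rc = module_results.get(name, PAM_SUCCESS)
        consulted.append(name)
        ok = rc == PAM_SUCCESS
        if entry.control == "requisite":
            if not ok:
                return rc, consulted            # requisite failure ends the stack at once
            saw_success = True
        elif entry.control == "required":
            if ok:
                saw_success = True
            elif first_required_failure is None:
                first_required_failure = rc     # remembered, but later modules still run
        elif entry.control == "sufficient":
            if ok and first_required_failure is None:
                return PAM_SUCCESS, consulted   # short-circuit: modules below are never consulted
            if ok:
                saw_success = True
            else:
                last_failure = rc               # a failing sufficient module is simply skipped
        elif entry.control == "optional":
            continue
        else:
            raise ValueError(f"unknown control flag {entry.control!r}")
    if first_required_failure is not None:
        return first_required_failure, consulted
    if saw_success:
        return PAM_SUCCESS, consulted
    return last_failure or PAM_PERM_DENIED, consulted


def su_account_outcome(module_results):
    """Evaluate the question's su/account stack under hypothetical module verdicts."""
    return evaluate_stack(parse_pam_conf(SU_ACCOUNT_STACK), "su", "account", module_results)


if __name__ == "__main__":
    scenarios = {
        "LDAP account check succeeds": {},
        "LDAP check fails, local trusted-mode account expired": {
            "libpam_ldap.1": PAM_PERM_DENIED,
            "libpam_unix.1": PAM_NEW_AUTHTOK_REQD,
        },
        "libpam_authz denies, LDAP succeeds": {"libpam_authz.1": PAM_PERM_DENIED},
    }
    for label, results in scenarios.items():
        final, consulted = su_account_outcome(results)
        print(f"{label}: {final}; consulted {' -> '.join(consulted)}")
```

The second scenario is the one to compare against the syslog output: libpam_unix is only ever consulted when the sufficient libpam_ldap line does not succeed, so a "password has expired" verdict from the local trusted-mode entry can surface even though the LDAP password is current. The third scenario shows why a required module placed above a sufficient one cannot be rescued by it.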

1 REPLY
Denver Osborn
Honored Contributor

Re: LDAP user cannot login to one server but can on others.

What does getprpw return for the local account? Assuming there's a local unix account, as per your reference to /tcb/files/auth/l/ldapuser:

/usr/lbin/getprpw -l ldapuser

/usr/lbin/getprdef -m exptm,lftm

Is there a password assigned to the local ux account, and if so, has it expired? Anyhow, I'm betting there is a local ux passwd on the problem box which has expired. If you compare that to the working box, I bet it isn't expired (yet).

Regardless, if you don't want the user to authenticate using a local ux passwd and only LDAP, then you should have a closer look at your pam.conf to see where in the stack it fails on a 'required' module.

good luck

-denver
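The reply points at the local trusted-mode entry as the thing to inspect. On a box where getprpw is not at hand, the record itself can be decoded: the following parser is an added example written for this thread, not HP code and not part of either post. It reads the termcap-like layout of the record quoted in the question (name=string, name#number, a trailing @ for a false flag, a bare name for a true flag, colon-separated, continued with a backslash). The field names are those in the quoted record; the reading of u_pwd=* as "no usable local password hash", and the use of u_succhg and u_exp from prpwd(4) to estimate expiry when present, are assumptions stated in the comments.

```python
"""Decode a /tcb/files/auth record into typed fields so the local trusted-mode
account state can be inspected.  Added example for the thread above, not HP
code; field encoding follows the record quoted in the question."""
from datetime import datetime, timezone

# Constructed copy of the record shown in the question (not read from a live system).
TCB_RECORD = r"""ldapuser:u_name=ldapuser:u_id#8036:\
        :u_pwd=*:\
        :u_auditid#100:\
        :u_auditflag#0:\
        :u_suclog#1328901979:u_unsuclog#1328901989:u_numunsuclog#1:u_lock@:\
        :chkent:
"""


def parse_tcb_record(text):
    """Return (account_name, fields); fields maps capability names to str, int or bool."""
    # Join the backslash-continued lines, then split on ':'.  Empty pieces come
    # from the leading ':' on continued lines and the trailing one; drop them.
    joined = "".join(line.strip().rstrip("\\") for line in text.splitlines())
    pieces = [p for p in joined.split(":") if p]
    if not pieces:
        raise ValueError("empty record")
    name, caps = pieces[0], pieces[1:]
    fields = {}
    for cap in caps:
        if "=" in cap:                      # string capability
            key, value = cap.split("=", 1)
            fields[key] = value
        elif "#" in cap:                    # numeric capability
            key, value = cap.split("#", 1)
            fields[key] = int(value)
        elif cap.endswith("@"):             # boolean flag explicitly off
            fields[cap[:-1]] = False
        else:                               # boolean flag on (chkent marks end of record)
            fields[cap] = True
    return name, fields


def epoch_to_utc(seconds):
    """Format an epoch value as UTC so the output does not depend on the host TZ."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def summarize_local_account(fields):
    """Summarize what the record says about local authentication.

    Assumptions: a u_pwd of '*' (or empty) means there is no usable local hash,
    so libpam_unix cannot authenticate this user with a local password; u_lock
    is the administrative lock flag; u_succhg (last password change, epoch) plus
    u_exp (expiry interval, seconds) give the expiry time when both are present
    (prpwd(4) names, not in the quoted record)."""
    summary = {
        "has_local_password_hash": fields.get("u_pwd", "*") not in ("*", ""),
        "admin_locked": bool(fields.get("u_lock", False)),
        "last_successful_login": epoch_to_utc(fields["u_suclog"]) if "u_suclog" in fields else None,
        "last_unsuccessful_login": epoch_to_utc(fields["u_unsuclog"]) if "u_unsuclog" in fields else None,
        "unsuccessful_login_count": fields.get("u_numunsuclog", 0),
        "password_expires_at": None,
    }
    if "u_succhg" in fields and fields.get("u_exp"):
        summary["password_expires_at"] = epoch_to_utc(fields["u_succhg"] + fields["u_exp"])
    return summary


if __name__ == "__main__":
    account, caps = parse_tcb_record(TCB_RECORD)
    print(f"record for {account}:")
    for key, value in summarize_local_account(caps).items():
        print(f"  {key}: {value}")
```

Comparing the summary from the problem box with the same record on a working box is the check the reply suggests: a differing u_pwd, lock flag, or (where present) change time is the local state that libpam_unix will judge once the LDAP module does not return success.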