02-10-2012 12:29 PM - edited 02-10-2012 12:54 PM
LDAP user cannot login to one server but can on others.
I have an LDAP user that cannot log in to one particular box but can on others. Other LDAP users can log in fine.
His password has been reset on the LDAP server. I have restarted ssh and ldapclient.
HPUX 11.11
GOLDAPPS11i B.11.11.0912.483 Applications Patches for HP-UX 11i v1, December 2009
J4269AA B.04.17 LDAP-UX Integration
The system is set up to use LDAP and trusted local accounts.
/etc/nsswitch.conf is same as other servers.
passwd: files ldap
group: files ldap
hosts: files [NOTFOUND=continue] dns ldap
networks: files ldap
protocols: files ldap
rpc: files ldap
publickey: ldap [NOTFOUND=return] files
netgroup: files ldap
automount: files ldap
aliases: files
services: files ldap
/etc/pam.conf is same as other servers except debug statement on one line.
login auth sufficient /usr/lib/security/libpam_ldap.1
login auth required /usr/lib/security/libpam_unix.1 try_first_pass
su auth sufficient /usr/lib/security/libpam_ldap.1
su auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin auth sufficient /usr/lib/security/libpam_ldap.1
dtlogin auth required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction auth sufficient /usr/lib/security/libpam_ldap.1
dtaction auth required /usr/lib/security/libpam_unix.1 try_first_pass
ftp auth sufficient /usr/lib/security/libpam_ldap.1
ftp auth required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER auth sufficient /usr/lib/security/libpam_ldap.1
OTHER auth required /usr/lib/security/libpam_unix.1 try_first_pass
login account required /usr/lib/security/libpam_authz.1
login account sufficient /usr/lib/security/libpam_ldap.1
login account required /usr/lib/security/libpam_unix.1
su account required /usr/lib/security/libpam_authz.1
su account sufficient /usr/lib/security/libpam_ldap.1
su account required /usr/lib/security/libpam_unix.1
dtlogin account required /usr/lib/security/libpam_authz.1
dtlogin account sufficient /usr/lib/security/libpam_ldap.1
dtlogin account required /usr/lib/security/libpam_unix.1
dtaction account required /usr/lib/security/libpam_authz.1
dtaction account sufficient /usr/lib/security/libpam_ldap.1
dtaction account required /usr/lib/security/libpam_unix.1
ftp account required /usr/lib/security/libpam_authz.1
ftp account sufficient /usr/lib/security/libpam_ldap.1
ftp account required /usr/lib/security/libpam_unix.1
OTHER account required /usr/lib/security/libpam_authz.1
OTHER account sufficient /usr/lib/security/libpam_ldap.1
OTHER account required /usr/lib/security/libpam_unix.1
login session required /usr/lib/security/libpam_ldap.1 debug
login session required /usr/lib/security/libpam_unix.1
dtlogin session required /usr/lib/security/libpam_ldap.1
dtlogin session required /usr/lib/security/libpam_unix.1
dtaction session required /usr/lib/security/libpam_ldap.1
dtaction session required /usr/lib/security/libpam_unix.1
OTHER session required /usr/lib/security/libpam_ldap.1
OTHER session required /usr/lib/security/libpam_unix.1
login password sufficient /usr/lib/security/libpam_ldap.1
login password required /usr/lib/security/libpam_unix.1 try_first_pass
passwd password sufficient /usr/lib/security/libpam_ldap.1
passwd password required /usr/lib/security/libpam_unix.1 try_first_pass
dtlogin password sufficient /usr/lib/security/libpam_ldap.1
dtlogin password required /usr/lib/security/libpam_unix.1 try_first_pass
dtaction password sufficient /usr/lib/security/libpam_ldap.1
dtaction password required /usr/lib/security/libpam_unix.1 try_first_pass
OTHER password sufficient /usr/lib/security/libpam_ldap.1
OTHER password required /usr/lib/security/libpam_unix.1 try_first_pass
sshd_config has UsePAM yes
When I switch to a user and then try su - ldapuser, I get the following. The password is not expired, but the server thinks it is.
#su - ldapuser
$ su - ldapuser
Password:
Last successful login for ldapuser: Fri Feb 10 13:26:19 CST6CDT 2012
Last unsuccessful login for ldapuser: Fri Feb 10 13:15:53 CST6CDT 2012
Your password has expired.
su: Sorry
In the syslog.log I get for this su - ldapuser session:
su: pam_acct_mgmt: error Permission denied
su: pam_acct_mgmt: error Get new authentication token
su: pam_acct_mgmt returned 7
For remote ssh to this server as ldapuser I get:
sshd[11226]: error: PAM: Permission denied for ldapuser from host1
/tcb/files/auth/l/ldapuser
ldapuser:u_name=ldapuser:u_id#8036:\
:u_pwd=*:\
:u_auditid#100:\
:u_auditflag#0:\
:u_suclog#1328901979:u_unsuclog#1328901989:u_numunsuclog#1:u_lock@:\
:chkent:
Why does PAM, the ldap daemon or ssh think the password is expired, and how do you reset that account on that one server if it's LDAP bound and trusted? modprpw -k is for resetting local accounts, is it not?
- Tags:
- LDAP
02-21-2012 08:55 PM
Re: LDAP user cannot login to one server but can on others.
What does getprpw return for the local account? (Assuming there's a local unix account, as per your reference to /tcb/files/auth/l/ldapuser.)
/usr/lbin/getprpw -l ldapuser
/usr/lbin/getprdef -m exptm,lftm
Is there a password assigned to the local ux account, and if so, has it expired? Anyhow, I'm betting there is a local ux passwd on the problem box which has expired. If you compare that to the working box, I bet it isn't expired (yet).
Regardless, if you don't want the user to authenticate using a local ux passwd and only ldap then you should have a closer look at your pam.conf to see where in the stack it fails on a 'required' module.
good luck
-denver
- Tags:
- getprpw
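As an added example (not code from either poster or from HP-UX), the following parses the /tcb/files/auth entry quoted in the question and pulls out the fields the reply says to compare against a working box: whether a local password exists, whether the account is locked, the last success/failure timestamps, and which password-aging fields are absent (so getprdef defaults apply). The field syntax and the meaning of u_succhg, u_exp, u_life and u_lock@ are my reading of the HP-UX trusted-system prpwd format, not something the thread confirms.

```python
from datetime import datetime, timezone

# Constructed sample: the /tcb/files/auth/l/ldapuser entry quoted in the post,
# kept with its backslash-newline continuations as in the file.
TCB_ENTRY = (
    "ldapuser:u_name=ldapuser:u_id#8036:\\\n"
    ":u_pwd=*:\\\n"
    ":u_auditid#100:\\\n"
    ":u_auditflag#0:\\\n"
    ":u_suclog#1328901979:u_unsuclog#1328901989:u_numunsuclog#1:u_lock@:\\\n"
    ":chkent:\n"
)

# Assumed prpwd field syntax: key=string, key#number, key@ = flag off,
# bare key = flag on, 'chkent' terminates the entry.
def parse_tcb_entry(text):
    body = text.replace("\\\n", "")           # join continuation lines
    fields = [f for f in body.strip().split(":") if f]
    user, entry = fields[0], {}
    for f in fields[1:]:
        if f == "chkent":
            break
        if "=" in f:
            k, v = f.split("=", 1); entry[k] = v
        elif "#" in f:
            k, v = f.split("#", 1); entry[k] = int(v)
        elif f.endswith("@"):
            entry[f[:-1]] = False
        else:
            entry[f] = True
    return user, entry

def epoch_to_utc(secs):
    return datetime.fromtimestamp(secs, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

# Assumed aging fields: u_succhg = last password change, u_exp = expiry
# seconds, u_life = lifetime seconds. Absent ones fall back to getprdef.
AGING_FIELDS = ("u_succhg", "u_exp", "u_life", "u_pw_expire_warning")

def triage(text):
    user, e = parse_tcb_entry(text)
    return {
        "user": user,
        "local_password_set": e.get("u_pwd") not in (None, "*"),   # '*' = none
        "locked": bool(e.get("u_lock", False)),
        "last_success": epoch_to_utc(e["u_suclog"]) if "u_suclog" in e else None,
        "last_failure": epoch_to_utc(e["u_unsuclog"]) if "u_unsuclog" in e else None,
        "failed_count": e.get("u_numunsuclog", 0),
        "aging_fields_missing": [k for k in AGING_FIELDS if k not in e],
    }
```

Run triage() on the same path from the working server and diff the two dictionaries; the decoded u_suclog here matches the 13:26:19 CST "last successful login" line in the su output.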