Operating System - HP-UX
1839243 Members
2303 Online
110137 Solutions
New Discussion

Re: Cannot authenticate local user accounts!

 
Tony Walker_2
Frequent Advisor

Cannot authenticate local user accounts!

Hi Guys,

Here's the situation:

I have an 11i machine which is linked into a SunOne directory server(LDAP) solution. This has been and is working fine. However, I added a local account and found that I cannot login using its details. I've confirmed and re-confirmed the password but each time I login- telnet/ftp/ssh/rlogin I type the correct password and it goes straight to prompting me for my LDAP password! I'm using the following for login (which is the same across all machines)

login auth sufficient /usr/lib/security/libpam_ldap.1 debug
login auth required /usr/lib/security/libpam_unix.1 try_first_pass debug

A debug shows the following:

Aug 25 03:32:58 bskyuat1 login: PAM_LDAP Entering pam_sm_authenticate ...
Aug 25 03:32:58 bskyuat1 login: PAM_LDAP pam_sm_authenticate(login, tonyw), flag
s = 0
Aug 25 03:33:01 bskyuat1 login: PAM_LDAP auth-bind failed!
Aug 25 03:33:01 bskyuat1 login: PAM_LDAP pam_sm_authenticate: set bind status (1
3)
Aug 25 03:33:01 bskyuat1 login: PAM_LDAP 2nd auth_bind returns 13
Aug 25 03:33:01 bskyuat1 login: PAM_LDAP pam_sm_authenticate: returning 13
Aug 25 03:33:01 bskyuat1 login: pam_authenticate: error No account present for u
ser
Aug 25 03:33:01 bskyuat1 login: unix pam_sm_authenticate(login tonyw), flags = 0

Aug 25 03:33:03 bskyuat1 login: pam_authenticate error
Aug 25 03:33:04 bskyuat1 login: exiting with return code 0

I can su - tonyw fine and it seems locally aware of the account but why can't I authenticate!? Recently we had to install Jave 1.3 (from hp site) and there were numerous patches to be installed. I'm hoping to back these out soon but I find it hard to believe that they have caused this problem.

Any insights greatly received.

Regards,

Tony
7 REPLIES 7
Steven E. Protter
Exalted Contributor

Re: Cannot authenticate local user accounts!

Sounds to me like your default configuration is saying LDAP first on authentication.

That may have been done when you were integrating your server into LDAP.

There may be an account on the LDAP server with that user name and your system is going there first for authentication.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Gavin Clarke
Trusted Contributor

Re: Cannot authenticate local user accounts!

I take it this is not something that /etc/nsswitch.conf is doing?

I'll admit my LDAP experience is rather thin.
Tony Walker_2
Frequent Advisor

Re: Cannot authenticate local user accounts!

Stephen,

Yes, all machines are set to authenticate LDAP first as we have very few local accounts. I've verified that the account does not exist in LDAP and I've tried various others - all with the same result.

Tony
Tony Walker_2
Frequent Advisor

Re: Cannot authenticate local user accounts!

Gavin,

No, nsswitch.conf is set for files nis for passwd. This can be seen by the fact that I can su - tonyw locally on the machine.

Cheers
Ermin Borovac
Honored Contributor

Re: Cannot authenticate local user accounts!

Does it work when you switch the order as follows?

login auth sufficient /usr/lib/security/libpam_unix.1 debug
login auth required /usr/lib/security/libpam_ldap.1 try_first_pass debug
Tony Walker_2
Frequent Advisor

Re: Cannot authenticate local user accounts!

No, no luck with a change of lines in the pam.conf :(
Tony Walker_2
Frequent Advisor

Re: Cannot authenticate local user accounts!

In fact, bizzarely - there is a local user logged in from yesterday!!?