Operating System - HP-UX

LDAP authentication PAM problems

Ryan Gro
Advisor

Hi,
Thank you for all the very useful information I've already found on this forum. It's helped an awful lot.

I'm trying to set up my HP-UX B.11.23 ia64 server to LDAP authenticate to a Windows 2003 Active Directory server through SSH and I've reached a snag.
I can login an AD user using Telnet, but SSH doesn't work. Here's what the syslog says:
Mar 26 09:12:02 hpindev sshd[3934]: Pam Creds are not available

Mar 26 09:24:18 hpindev sshd[4456]: error: PAM: Permission denied for test04 from xxxxx
Mar 26 09:24:32 hpindev sshd[4456]: error: PAM: Success for test04 from xxxxx
Mar 26 09:24:32 hpindev sshd[4456]: Failed keyboard-interactive/pam for test04 from 10.15.8.42 port 2099 ssh2
Mar 26 09:24:40 hpindev sshd[4456]: error: PAM: Authentication failed for test04 from xxxxx
Mar 26 09:24:40 hpindev sshd[4456]: Failed keyboard-interactive/pam for test04 from 10.15.8.42 port 2099 ssh2
Mar 26 09:24:44 hpindev sshd[4456]: error: PAM: Success for test04 from xxxxx

I have the most recent versions of PAM-Kerberos(V1.24), KRB5-Client(V1.0), LDAP-UX Client.

It's most likely an issue with my pam.conf file, I'm guessing, so I'll post that too.

My pam.conf file:
#
# Authentication management
#
login auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login auth required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
su auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
su auth required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
dtlogin auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin auth required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
dtaction auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtaction auth required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
ftp auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
ftp auth required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
OTHER auth sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
OTHER auth required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass

#
# Account management
#
login account sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login account required /usr/lib/security/$ISA/libpam_unix.so.1
su account sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
su account required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin account sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin account required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction account sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtaction account required /usr/lib/security/$ISA/libpam_unix.so.1
ftp account sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
ftp account required /usr/lib/security/$ISA/libpam_unix.so.1
sshd account required /usr/lib/security/$ISA/libpam_authz.so.1
sshd account sufficient /usr/lib/security/$ISA/libpam_unix.so.1
sshd account required /usr/lib/security/$ISA/libpam_krb5.so.1
OTHER account sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
OTHER account required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Session management
#
login session required /usr/lib/security/$ISA/libpam_krb5.so.1
login session required /usr/lib/security/$ISA/libpam_unix.so.1
dtlogin session required /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin session required /usr/lib/security/$ISA/libpam_unix.so.1
dtaction session required /usr/lib/security/$ISA/libpam_krb5.so.1
dtaction session required /usr/lib/security/$ISA/libpam_unix.so.1
OTHER session required /usr/lib/security/$ISA/libpam_krb5.so.1
OTHER session required /usr/lib/security/$ISA/libpam_unix.so.1
#
# Password management
#
login password sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login password required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
passwd password sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
passwd password required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
dtlogin password sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtlogin password required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
dtaction password sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
dtaction password required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
OTHER password sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
OTHER password required /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass

It's only SSH that doesn't work. Telnet works magnificently. I have "UsePAM yes" in the sshd.conf file as well.
I hope you can help me. If you need more information I can provide it as well.

Thanks in advance.
Ryan Gro
Advisor

Re: LDAP authentication PAM problems

This may be a stupid question, but I found in some HP documentation that a "certificate" needs to be installed on the HP-UX client.
/etc/opt/ldapux/cert8.db it's called.
It gives instructions on how to download it on the hpux client using Netscape or Firefox, but I only have the command line console so I can't use either.
How do I install the certificate on the hp server?
Ryan Gro
Advisor

Re: LDAP authentication PAM problems

Haha, OK, never mind that last post. Boy do I feel dumb. I mixed up SSH and SSL... wow, was that bad. They're not even close to similar. Sorry about that, I don't see a delete-message option.
Ryan Gro
Advisor

Re: LDAP authentication PAM problems

OK, I solved the above problem. I simply hadn't configured the /etc/opt/ldapux/pam_authz.policy file. Works now.

But now I have a different problem. All the ldap works. I can authenticate to Active Directory, everything works.
However, now my passwd tool doesn't work for local users at all. Even root can't change the password of any users.
First of all, it prompts root for the old password of the users (which it's not supposed to do), and no matter what, it says:
"Changing password for myuser"
"Sorry."

/var/adm/syslog/syslog.log says:
Mar 27 14:52:11 hpindev syslog: Client not found in Kerberos database while getting initial ticket

Or:

Mar 27 14:55:04 hpindev syslog: [Authentication failed] old token not obtained

First error is from trying to change the root password and putting the correct password in.
Second error is from putting no password for the "myuser" user who I just made and gave no password.

Thanks in advance for any insight,

Ryan

PS. Sorry for the mixup, I reopened this thread and tried to post this but it opened another new thread for some reason...sorry.
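As an added example (not from the thread or from HP), here is a small checker for an HP-UX style pam.conf that surfaces the two things a reviewer would look at in the file posted above: services that define only some stacks (the missing stack silently falls through to OTHER, which is how sshd's auth was handled), and password stacks where libpam_krb5 is 'sufficient' ahead of libpam_unix, so a local-only account's password change is tried against the KDC first. The sample configuration embedded below is constructed; the module paths follow the ones in the posted file.

```python
"""Lint an HP-UX style pam.conf: 'service type control module [options]' lines."""
from collections import defaultdict

TYPES = ("auth", "account", "session", "password")

# Constructed sample: sshd only has an account stack, and the passwd service
# puts libpam_krb5 (sufficient) ahead of libpam_unix.
SAMPLE_PAM_CONF = """
# Authentication management
login  auth     sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
login  auth     required   /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
sshd   account  required   /usr/lib/security/$ISA/libpam_authz.so.1
sshd   account  sufficient /usr/lib/security/$ISA/libpam_unix.so.1
passwd password sufficient /usr/lib/security/$ISA/libpam_krb5.so.1
passwd password required   /usr/lib/security/$ISA/libpam_unix.so.1 use_first_pass
OTHER  auth     required   /usr/lib/security/$ISA/libpam_unix.so.1
"""


def parse_pam_conf(text):
    """Return {service: {type: [(control, module, options)]}} in file order."""
    stacks = defaultdict(lambda: defaultdict(list))
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4 or fields[1] not in TYPES:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, control, module = fields[:4]
        stacks[service][mtype].append((control, module, fields[4:]))
    return stacks


def find_issues(stacks):
    """Return sorted human-readable findings for every non-OTHER service."""
    findings = []
    for service, by_type in stacks.items():
        if service == "OTHER":
            continue
        for mtype in TYPES:              # a missing stack falls through to OTHER
            if mtype not in by_type:
                findings.append("%s: no %s stack, falls through to OTHER" % (service, mtype))
        krb5_sufficient_seen = False     # heuristic: KDC consulted before local files
        for control, module, _ in by_type.get("password", []):
            if "krb5" in module and control == "sufficient":
                krb5_sufficient_seen = True
            elif "pam_unix" in module and krb5_sufficient_seen:
                findings.append("%s password: libpam_krb5 is sufficient before "
                                "libpam_unix; local-only users hit the KDC first" % service)
    return sorted(findings)
```

Run it against the real file with `find_issues(parse_pam_conf(open("/etc/pam.conf").read()))`; every finding names the service and stack it refers to.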