Gary L
Super Advisor

LDAP User could not access system

Hi

We have two RedHat ES4U4 servers; server2 is the LDAP server, and server1 uses LDAP Browser/Editor to access the LDAP server and add/remove users.

But currently we have run into a problem: many LDAP users cannot access server1.

1. I have tried to reset their passwords on the LDAP server via "lbe" on server1, but it doesn't work.

2. I ran the command below as root, but got this error:
# su u367
su: incorrect password
For working users, I can run the su command.

How do I fix this kind of problem?
Any answers will be much appreciated.

Gary L
Super Advisor

Re: LDAP User could not access system

Sorry, two RH ES3 Update 4 servers.

server1 is set to use LDAP, and the LDAP server is server2.
Ivan Ferreira
Honored Contributor
Solution

Re: LDAP User could not access system

What is the output of:

id u367
getent passwd |grep u367

Are these users in the same organizational unit?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Gary L
Super Advisor

Re: LDAP User could not access system

Hi Ivan

Thank you very much for your fast reply; below is the output:

# id j367
uid=10367(j367) gid=100(users) groups=100(users)

# getent passwd |grep j367
j367t:x:20011:100::/home/j367t:/bin/ksh
j367:x:10367:100:j367:/home/j367:/bin/ksh

These users are in the same unit.


Ivan Ferreira
Honored Contributor

Re: LDAP User could not access system

Can you please post what you receive when you do:

su - u367
ssh -l u367 localhost

Right after that:
tail /var/log/secure


Check the output of:

finger u367

Check the permissions of the user's home directory.

I would like to see the following files:

more /etc/pam.d/su
more /etc/pam.d/system-auth
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Gary L
Super Advisor

Re: LDAP User could not access system

Thanks Ivan

I cannot show the output right now, because my boss has probably solved this problem: he just ran the command "faillog -p / -r", and all of the failing LDAP users worked.

I have no idea why.

Could you please explain this?
Ivan Ferreira
Honored Contributor

Re: LDAP User could not access system

The "faillog -r" may have been the solution. This resets the failure count. Probably the system has pam_tally configured to deny the login if more than "N" authentication failures were attempted. Resetting the login failure count will solve the problem.

You will see pam_tally-related messages in /var/log/messages denying the login.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Gary L
Super Advisor

Re: LDAP User could not access system

Thanks Ivan

Have a good weekend.
skt_skt
Honored Contributor

Re: LDAP User could not access system

Yes; faillog fixed your problem.


The following entry/file limits the account: it is locked/disabled after five login failures.

# grep LOGIN_RETRIES /etc/login.defs
LOGIN_RETRIES 5

# pam_tally --user kumarts
User kumarts (19806) has 10

# faillog -r kumarts

# pam_tally --user kumarts
User kumarts (19806) has 0

Once it is reset to zero, you will be able to log in.
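The two replies above (Ivan's explanation of pam_tally lockouts and Santhosh's pam_tally/faillog session) describe a counter-based lockout and a manual reset. The script below is an added example, not code from the thread or from the pam_tally/faillog projects: it parses the `pam_tally --user` output format and the `LOGIN_RETRIES` line in the shapes quoted in the thread, flags every account whose counter has reached the threshold, and emits the per-user `faillog -r` commands for an operator to review rather than running them. All sample input is constructed. Two assumptions are labelled in the code: the threshold is taken from `LOGIN_RETRIES` as the post reads it, whereas on a real system the `deny=N` argument given to pam_tally in the PAM configuration is what actually enforces the lockout, so pass that value instead where it differs; and a count equal to the threshold is treated as "denied" (the `>=` comparison), which is a choice made here, not something the thread states.

```python
"""Added example: parse pam_tally counters, flag accounts that have hit the
lockout threshold, and build the `faillog -r` reset list from the thread.
All sample data below is constructed, not taken from a real system."""
import re
from typing import Dict, List, Optional

# Shape of `pam_tally --user NAME` as quoted in the thread:
#   User kumarts (19806) has 10
TALLY_RE = re.compile(
    r"^User\s+(?P<user>\S+)\s+\((?P<uid>\d+)\)\s+has\s+(?P<count>\d+)\s*$"
)

# Shape of the login.defs setting quoted in the thread:
#   LOGIN_RETRIES 5
RETRIES_RE = re.compile(r"^\s*LOGIN_RETRIES\s+(\d+)\b")


def parse_tally_line(line: str) -> Optional[Dict[str, object]]:
    """Return {'user', 'uid', 'count'} for one pam_tally line, or None if it does not match."""
    m = TALLY_RE.match(line.strip())
    if not m:
        return None
    return {"user": m.group("user"), "uid": int(m.group("uid")), "count": int(m.group("count"))}


def parse_login_retries(login_defs: str, default: int = 5) -> int:
    """Pick LOGIN_RETRIES out of login.defs text, skipping comment lines.

    Assumption: the thread treats this value as the lockout threshold; on a real
    host pam_tally's own deny=N option in the PAM config is authoritative, so the
    caller should supply that number if it differs."""
    for line in login_defs.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = RETRIES_RE.match(line)
        if m:
            return int(m.group(1))
    return default


def locked_users(tally_output: List[str], threshold: int) -> List[Dict[str, object]]:
    """Entries whose failure count has reached the threshold, highest count first.

    Assumption: count >= threshold is treated as 'denied'; adjust the comparison
    if the module in use only denies once the counter exceeds the threshold."""
    locked = []
    for line in tally_output:
        entry = parse_tally_line(line)
        if entry is None:
            continue  # blank lines and any other output shape are ignored, not guessed at
        if entry["count"] >= threshold:
            locked.append(entry)
    return sorted(locked, key=lambda e: e["count"], reverse=True)


def reset_commands(locked: List[Dict[str, object]]) -> List[str]:
    """The per-user reset used in the thread, returned as strings for review, not executed."""
    return [f"faillog -r {e['user']}" for e in locked]


# --- constructed sample input -------------------------------------------------
SAMPLE_LOGIN_DEFS = """\
# LOGIN_RETRIES 3   <- commented out, must be ignored
LOGIN_RETRIES 5
"""

SAMPLE_TALLY_OUTPUT = [
    "User kumarts (19806) has 10",
    "User j367 (10367) has 7",
    "User u367 (10368) has 5",
    "User alice (10400) has 2",
    "User bob (10401) has 0",
    "",
    "pam_tally: no such user: ghost",  # constructed example of an unexpected line
]

if __name__ == "__main__":
    threshold = parse_login_retries(SAMPLE_LOGIN_DEFS)
    locked = locked_users(SAMPLE_TALLY_OUTPUT, threshold)
    for e in locked:
        print(f"{e['user']} (uid {e['uid']}): {e['count']} failures, threshold {threshold}")
    print("\n".join(reset_commands(locked)))
```

On a real host you would feed `locked_users` the collected output of `pam_tally --user NAME` for each LDAP account, check the `/var/log/messages` denials Ivan mentions before resetting anything, and only then run the generated `faillog -r` lines; a burst of accounts all reaching the threshold at once is itself worth investigating rather than just clearing.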


Gary L
Super Advisor

Re: LDAP User could not access system

Hi Santhosh

Thank you very much for your suggestions

Have a great day

-Gary