HPE Community
Operating System - Linux
1827876 Members
1613 Online
109969 Solutions
New Discussion

LDAP User could not access system

 
SOLVED
Go to solution
Gary L
Super Advisor

‎10-26-2007 02:46 AM

‎10-26-2007 02:46 AM

LDAP User could not access system

Hi

We have two RedHat ES4U4 server, server2 is LDAP server, server1 use LDAP Brower Edit to access LDAP server and add/remove users.

But, currently, we met a problem: lots of LDAP users could not access server1.

1. I have tried to reset their password from LDAP sever via "lbe" on server1, but it doen't work.

2. I did the below command as root user, but got this error.
# su u367
su: incorrect password
correct users I could did # su comand

How to fix this kind of problem?
Any answers will be very appreciate

0 Kudos
Reply
17 REPLIES 17
Gary L
Super Advisor

‎10-26-2007 02:47 AM

‎10-26-2007 02:47 AM

Re: LDAP User could not access system

Sorry, two RH ES3 update 4 server.

server1 has set use LDAP and LDAP server is server2.
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎10-26-2007 03:48 AM

‎10-26-2007 03:48 AM

Solution

Re: LDAP User could not access system

what is the output of:

id u367
getent passwd |grep u367

Are these users in the same organizational unit?
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Gary L
Super Advisor

‎10-26-2007 03:56 AM

‎10-26-2007 03:56 AM

Re: LDAP User could not access system

Hi Ivan

Thank you very much for your fast reply, below are the output:

#id j367
uid=10367(j367) gid=100(users) groups=100(users)

# getent passwd |grep j367
j367t:x:20011:100::/home/j367t:/bin/ksh
j367:x:10367:100:j367:/home/j367:/bin/ksh

There users are in the same unit.


0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎10-26-2007 04:18 AM

‎10-26-2007 04:18 AM

Re: LDAP User could not access system

Can you please post what you receive when you do:

su - u367
ssh -l u367 localhost

Right after that:
tail /var/log/secure


Check the output of:

finger u367

Check the permissions of the users's home directory.

I would like to see the following files:

more /etc/pam.d/su
more /etc/pam.d/system-auth
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Gary L
Super Advisor

‎10-26-2007 05:57 AM

‎10-26-2007 05:57 AM

Re: LDAP User could not access system

Thanks Ivan

I could not show the output right now, because probably, my boss solved this problem. he just ran command "faillog -p / -r", all failure LDAP user worked.

I have no idea why

Could you please explain this?
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎10-26-2007 06:00 AM

‎10-26-2007 06:00 AM

Re: LDAP User could not access system

The "faillog -r" maybe was the solution. This resets the failure count. Probably, the system has configure pam_tally, to deny the login if more than "N" authentication failures was intented. Resetting the login failure count will solve the problem.

You will see pam_tally relates messages to /var/log/messages denying the login.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Gary L
Super Advisor

‎10-26-2007 06:04 AM

‎10-26-2007 06:04 AM

Re: LDAP User could not access system

Thanks Ivan

Have a good weekend.
0 Kudos
Reply
skt_skt
Honored Contributor

‎10-30-2007 07:17 AM

‎10-30-2007 07:17 AM

Re: LDAP User could not access system

yes; failog fixed your problem


Following entry/file limits the account to be locked/disabled after five login failure.

# grep LOGIN_RETRIES /etc/login.defs
LOGIN_RETRIES 5

# pam_tally --user kumarts
User kumarts (19806) has 10

# faillog -r kumarts

# pam_tally --user kumarts
User kumarts (19806) has 0

Once it is reset to zero ; you would be able to login.


Reply
Gary L
Super Advisor

‎10-30-2007 07:20 AM

‎10-30-2007 07:20 AM

Re: LDAP User could not access system

Hi Santhosh

Thank you very much for your suggestions

Have a great day

-Gary
0 Kudos
Reply
skt_skt
Honored Contributor

‎10-30-2007 07:28 AM

‎10-30-2007 07:28 AM

Re: LDAP User could not access system


see this too

# grep account /etc/pam.d/system-auth
account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset
Reply
Gary L
Super Advisor

‎10-30-2007 07:28 AM

‎10-30-2007 07:28 AM

Re: LDAP User could not access system

Normally, when we execute command " failog -m #", How to set the value of max number?
0 Kudos
Reply
Gary L
Super Advisor

‎10-30-2007 07:31 AM

‎10-30-2007 07:31 AM

Re: LDAP User could not access system

In my /etc/login.defs file, no LOGIN_RETRIES setting. Should I set it, value?

and
no entries of account required /lib/security/$ISA/pam_unix.so
account required /lib/security/$ISA/pam_tally.so deny=5 no_magic_root reset in my system-auth file.
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎10-30-2007 07:35 AM

‎10-30-2007 07:35 AM

Re: LDAP User could not access system

>> How to set the value of max number?

As described in the previous post, the system-auth file specifies the maximum.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Gary L
Super Advisor

‎10-30-2007 07:40 AM

‎10-30-2007 07:40 AM

Re: LDAP User could not access system

Your mean, If I wanna do the login failure tally, I should add below entry:
account required pam_tally.so deny=5 no_magic_root
in /etc/pam.d/system-auth. "5" is the max faulure attempt value, right? If the user failure five times, the system will block his account or do nothing? If the account be blocked by over the limitation, as the system admin how to help him? faillog -r?
0 Kudos
Reply
Gary L
Super Advisor

‎10-30-2007 07:42 AM

‎10-30-2007 07:42 AM

Re: LDAP User could not access system

Hi Santhosh

What't the means of "reset" in the end of the line ...deny=5 no_magic_root reset

thanks guys
0 Kudos
Reply
Ivan Ferreira
Honored Contributor

‎10-30-2007 07:53 AM

‎10-30-2007 07:53 AM

Re: LDAP User could not access system

For full informatio about pam_tally, please see:

http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/sag-pam_tally.html

And yes, the administrator must reset the counter to enable access to the account (the account is not disabled, it cannot login by PAM restrictions, is different from usermod -L).
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Reply
Gary L
Super Advisor

‎10-30-2007 09:20 AM

‎10-30-2007 09:20 AM

Re: LDAP User could not access system

Thanks a lot Ivan
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.