Hi everyone,
I have several redhat 4 and 5 machines authenticating successfully against our ldap servers. I used authconfig to configure the clients and everything works great, ssh, vsftp, etc. However, for some reason, I always see a log entry similar to the following in /var/log/secure, even though the login works;

Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195 user=user1

Here is the contents of /etc/nsswitch.conf
cat /etc/nsswitch.conf | grep -v \#

passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap
netgroup: files ldap
publickey: nisplus
automount: files ldap
aliases: files nisplus

Any ideas? Thanks for your help.
Aaron
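The pam_unix(sshd:auth) line quoted above looks identical whether it came from an LDAP-only account that pam_ldap then accepted or from a genuinely wrong password, so anything that counts failures in /var/log/secure (a lockout script, a dashboard) needs to tell the two apart. The script below is an added example, not code from the thread: it parses that line format plus sshd's "Accepted ... for USER from RHOST" line and labels a pam_unix failure as an LDAP fall-through when the same user from the same rhost is accepted within a few seconds. All sample lines except the first (copied from the post) are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/secure. The first line is the one from the
# original post; the rest are made up in the standard sshd/pam_unix format to
# show both the benign pattern (pam_unix fails for an LDAP-only user, pam_ldap
# then succeeds, and sshd logs the accept) and a genuine failed login that is
# never followed by an accept.
SAMPLE_LOG = """\
Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195 user=user1
Apr 10 08:34:28 server1 sshd[30937]: Accepted password for user1 from 137.21.80.195 port 51234 ssh2
Apr 10 08:35:02 server1 sshd[30951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=user1
Apr 10 08:35:05 server1 sshd[30951]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.0.0.9 user=user1
Apr 10 08:35:09 server1 sshd[30951]: Failed password for user1 from 10.0.0.9 port 40022 ssh2
"""

TS = r"(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d)"
FAIL_RE = re.compile(TS + r" \S+ sshd\[\d+\]: pam_unix\(sshd:auth\): authentication failure;"
                     r".* rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
ACCEPT_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<rhost>\S+) port \d+")


def _parse_ts(text):
    # syslog timestamps carry no year; strptime defaults to 1900, which is
    # fine for ordering events within one file
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_events(log_text):
    """Return [(kind, timestamp, user, rhost)] for every pam_unix failure and sshd accept."""
    events = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        kind = "fail"
        if m is None:
            m = ACCEPT_RE.match(line)
            kind = "accept"
        if m is not None:
            events.append((kind, _parse_ts(m["ts"]), m["user"], m["rhost"]))
    return events


def classify_failures(log_text, window_seconds=5):
    """Label each pam_unix failure 'ldap-fallthrough' when the same user from the
    same rhost is accepted within window_seconds, otherwise 'real-failure'."""
    events = parse_events(log_text)
    accepts = [e for e in events if e[0] == "accept"]
    window = timedelta(seconds=window_seconds)
    verdicts = []
    for kind, ts, user, rhost in events:
        if kind != "fail":
            continue
        followed = any(a[2] == user and a[3] == rhost and ts <= a[1] <= ts + window
                       for a in accepts)
        verdicts.append({"time": ts.strftime("%b %d %H:%M:%S"), "user": user, "rhost": rhost,
                         "verdict": "ldap-fallthrough" if followed else "real-failure"})
    return verdicts


def summarize(log_text):
    """Count verdicts so a monitoring job can alert on real failures only."""
    counts = {"ldap-fallthrough": 0, "real-failure": 0}
    for v in classify_failures(log_text):
        counts[v["verdict"]] += 1
    return counts


if __name__ == "__main__":
    for v in classify_failures(SAMPLE_LOG):
        print("%(time)s %(user)s@%(rhost)s: %(verdict)s" % v)
    print(summarize(SAMPLE_LOG))
```

The heuristic is deliberately conservative: a wrong-then-right password pair inside the window is also labelled a fall-through, so keep the window short, and if you need certainty check whether the user has an entry in /etc/passwd or /etc/shadow at all, since pam_unix can only succeed for those.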
Stephen John Smoogen
2008-Apr-10 17:21 UTC
Re: [Fedora-directory-users] warnings in /var/log/secure
On Thu, Apr 10, 2008 at 6:40 AM, Aaron Bliss <abliss@brockport.edu> wrote:
> Hi everyone,
> I have several redhat 4 and 5 machines authenticating successfully against
> our ldap servers. I used authconfig to configure the clients and everything
> works great, ssh, vsftp, etc. However, for some reason, I always see a log
> entry similar to the following in /var/log/secure, even though the login
> works;
> Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication
> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195
> user=user1
>
> Here is the contents of /etc/nsswitch.conf
> cat /etc/nsswitch.conf | grep -v \#
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
> hosts: files dns
> bootparams: nisplus [NOTFOUND=return] files
> ethers: files
> netmasks: files
> networks: files
> protocols: files ldap
> rpc: files
> services: files ldap
> netgroup: files ldap
> publickey: nisplus
> automount: files ldap
> aliases: files nisplus
>

I think we will need the contents of /etc/pam.d/system-auth for anyone to help .

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
Aaron Bliss
2008-Apr-10 18:34 UTC
Re: [Fedora-directory-users] warnings in /var/log/secure
Thanks for getting back to me. Here is /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     required      pam_mkhomedir.so skel=/etc/skel/ umask=0077
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so

Stephen John Smoogen wrote:
> On Thu, Apr 10, 2008 at 6:40 AM, Aaron Bliss <abliss@brockport.edu> wrote:
>> Hi everyone,
>> I have several redhat 4 and 5 machines authenticating successfully against
>> our ldap servers. I used authconfig to configure the clients and everything
>> works great, ssh, vsftp, etc. However, for some reason, I always see a log
>> entry similar to the following in /var/log/secure, even though the login
>> works;
>> Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication
>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195
>> user=user1
>> Here is the contents of /etc/nsswitch.conf
>> cat /etc/nsswitch.conf | grep -v \#
>> passwd: files ldap
>> shadow: files ldap
>> group: files ldap
>> hosts: files dns
>> bootparams: nisplus [NOTFOUND=return] files
>> ethers: files
>> netmasks: files
>> networks: files
>> protocols: files ldap
>> rpc: files
>> services: files ldap
>> netgroup: files ldap
>> publickey: nisplus
>> automount: files ldap
>> aliases: files nisplus
>
> I think we will need the contents of /etc/pam.d/system-auth for anyone to help .

--
Aaron Bliss
Systems Administrator
SUNY Brockport
(585) 395-2417
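The auth stack above is what produces the log line in the original question: pam_unix is listed first as `sufficient`, so it is always asked to check the password, and for an account that exists only in LDAP its own check fails (that failure is what pam_unix writes to /var/log/secure); `sufficient` turns that failure into "ignore", pam_ldap then succeeds and the login completes. The following model is an added example, not code from the thread or from the Linux-PAM project. It parses the auth section exactly as posted, applies the documented expansion of `required`/`requisite`/`sufficient`/`optional` into `[result=action]` tables, and replays three scenarios; the per-module return codes in `SCENARIOS` are assumptions chosen to illustrate each case, not observed values.

```python
"""Replay Linux-PAM's auth-stack dispatch over the posted system-auth."""

# The auth section exactly as posted in /etc/pam.d/system-auth above.
SYSTEM_AUTH = """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 100 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so
"""

# Linux-PAM's documented expansion of the four keyword controls into
# [result=action] tables.
CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}

# Assumed module return codes per scenario (inputs to the model, not observed
# values). Modules not listed are assumed to return "success"; an LDAP-only
# account is unknown to pam_unix, so it fails there and is checked by pam_ldap.
SCENARIOS = {
    "ldap user, right password": {"pam_unix.so": "auth_err", "pam_ldap.so": "success",
                                  "pam_deny.so": "auth_err"},
    "ldap user, wrong password": {"pam_unix.so": "auth_err", "pam_ldap.so": "auth_err",
                                  "pam_deny.so": "auth_err"},
    "local user, right password": {"pam_unix.so": "success", "pam_deny.so": "auth_err"},
}


def parse_stack(text, stack_type):
    """Return [(control, module, args)] for one stack type ('auth', 'account', ...)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 3 or parts[0] != stack_type:
            continue
        if parts[1].startswith("["):
            # a bracketed control can contain spaces: take everything up to ']'
            rest = " ".join(parts[1:])
            close = rest.index("]")
            control, tail = rest[1:close], rest[close + 1:].split()
        else:
            control, tail = parts[1], parts[2:]
        entries.append((control, tail[0], tail[1:]))
    return entries


def control_table(control):
    """Expand a keyword or '[result=action ...]' control into a dict."""
    if control in CONTROLS:
        return CONTROLS[control]
    return dict(kv.split("=", 1) for kv in control.split())


def run_stack(entries, outcomes):
    """Walk the stack with the given per-module return codes.

    Returns (final status, [(module, return code)] for every module that was
    actually called). Mirrors Linux-PAM's dispatch: 'ok' records a positive
    result, 'done' additionally stops if nothing failed earlier, 'bad' records
    a failure but keeps going, 'die' stops at once, 'ignore' has no effect and
    a number skips that many following modules.
    """
    impression, status, skip, trace = "undef", None, 0, []
    for control, module, _args in entries:
        if skip:
            skip -= 1
            continue
        ret = outcomes.get(module, "success")
        trace.append((module, ret))
        table = control_table(control)
        action = table.get(ret, table.get("default", "bad"))
        if action in ("ok", "done") or action.isdigit():
            if impression == "undef" or (impression == "positive" and status == "success"):
                impression, status = "positive", ret
            if action == "done" and impression == "positive":
                break
            if action.isdigit():
                skip = int(action)
        elif action in ("bad", "die"):
            if impression != "negative":
                impression, status = "negative", ret
            if action == "die":
                break
        elif action == "reset":
            impression, status = "undef", None
    return ("perm_denied" if impression == "undef" else status), trace


def simulate(scenario):
    """Final status plus the list of modules that were called, in order."""
    status, trace = run_stack(parse_stack(SYSTEM_AUTH, "auth"), SCENARIOS[scenario])
    return status, [module for module, _ in trace]


if __name__ == "__main__":
    for name in SCENARIOS:
        status, called = simulate(name)
        print("%-27s -> %-11s via %s" % (name, status, " -> ".join(called)))
```

The trace for the first scenario lists pam_unix.so before pam_ldap.so even though the result is success, which is the sequence behind the "authentication failure ... user=user1" entry followed by a working login; the local-user scenario stops at pam_unix.so, so pam_ldap is never contacted for local accounts.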
Stephen John Smoogen
2008-Apr-10 22:49 UTC
Re: [Fedora-directory-users] warnings in /var/log/secure
On Thu, Apr 10, 2008 at 12:34 PM, Aaron Bliss <abliss@brockport.edu> wrote:
>
> Thanks for getting back to me. Here is /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth sufficient pam_unix.so nullok try_first_pass

Ok I see that we have hand changed the above line to:

auth        sufficient    pam_unix.so likeauth nullok nodelay

..... same lines deleted.

> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

Don't have the above line

Our basic ldap.conf is the following.. I changed the o= and ou

egrep -v '^$|^[[:space:]]*$|^\#' /etc/ldap.conf
base o=ZiaUniversity,c=US
uri ldaps://ldap.ziauniversity.edu/
binddn uid=l33tdude,ou=GodsPeeps,o=ZiaUniversity,c=US
bindpw XXXXXXXXXXXX
timelimit 120
bind_timelimit 10
bind_policy soft
idle_timelimit 3600
nss_base_netgroup ou=Dudes,o=University of New Mexico,c=US?one
pam_password md5
nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon
ssl on
tls_cacertdir /etc/openldap/cacerts

If you have a 'host ldap.uni.edu' it may try to do a non SSL connection first and fail and then a SSL one.

>
> Stephen John Smoogen wrote:
>> On Thu, Apr 10, 2008 at 6:40 AM, Aaron Bliss <abliss@brockport.edu> wrote:
>>> Hi everyone,
>>> I have several redhat 4 and 5 machines authenticating successfully against
>>> our ldap servers. I used authconfig to configure the clients and everything
>>> works great, ssh, vsftp, etc. However, for some reason, I always see a log
>>> entry similar to the following in /var/log/secure, even though the login
>>> works;
>>> Apr 10 08:34:27 server1 sshd[30937]: pam_unix(sshd:auth): authentication
>>> failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=137.21.80.195
>>> user=user1
>>>
>>> Here is the contents of /etc/nsswitch.conf
>>> cat /etc/nsswitch.conf | grep -v \#
>>>
>>> passwd: files ldap
>>> shadow: files ldap
>>> group: files ldap
>>> hosts: files dns
>>> bootparams: nisplus [NOTFOUND=return] files
>>> ethers: files
>>> netmasks: files
>>> networks: files
>>> protocols: files ldap
>>> rpc: files
>>> services: files ldap
>>> netgroup: files ldap
>>> publickey: nisplus
>>> automount: files ldap
>>> aliases: files nisplus
>>
>> I think we will need the contents of /etc/pam.d/system-auth for anyone to
>> help .
>
> --
> Aaron Bliss
> Systems Administrator
> SUNY Brockport
> (585) 395-2417
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a naughty world. = Shakespeare. "The Merchant of Venice"
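A small lint for the ldap.conf directives Stephen quotes, added here as an example; it is not code from the thread or from nss_ldap/pam_ldap. It checks the three things a reviewer would look at in that file: the `host`-versus-`uri` point he raises (a `host` line alongside an `ldaps://` uri can produce an unencrypted first attempt that fails before the SSL one), whether the transport is encrypted and has a CA directory or file to validate the server against, and where the bind password lives (nss_ldap reads ldap.conf from every process that resolves a user, so the file is world-readable; `rootbinddn` with `/etc/ldap.secret` exists so the privileged password can stay root-only). The sample configuration is constructed from his posted values and placeholders, with a `host` line added on purpose to trigger that warning.

```python
# Constructed sample modelled on the ldap.conf posted above (o=/ou= values are
# the poster's placeholders); the "host" line is added deliberately to show
# the non-SSL-fallback warning.
SAMPLE_LDAP_CONF = """\
base o=ZiaUniversity,c=US
host ldap.uni.edu
uri ldaps://ldap.ziauniversity.edu/
binddn uid=l33tdude,ou=GodsPeeps,o=ZiaUniversity,c=US
bindpw XXXXXXXXXXXX
bind_policy soft
pam_password md5
ssl on
tls_cacertdir /etc/openldap/cacerts
"""


def parse_ldap_conf(text):
    """Return {directive: [values]}; directives such as uri may repeat."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(key, []).append(value)
    return conf


def check_ldap_conf(text):
    """Return [(code, message)] findings for an nss_ldap/pam_ldap ldap.conf."""
    conf = parse_ldap_conf(text)
    findings = []
    uris = conf.get("uri", [])
    ssl_mode = conf.get("ssl", ["off"])[-1].lower()
    encrypted = ssl_mode in ("on", "yes", "start_tls") or any(
        u.startswith("ldaps://") for u in uris)

    if "host" in conf:
        findings.append(("host-fallback",
                         "host directive present (%s): the client may try a plain "
                         "connection to it first, fail, and only then use the "
                         "ldaps:// uri" % ", ".join(conf["host"])))
    if not encrypted:
        findings.append(("cleartext-ldap",
                         "no ldaps:// uri and ssl is not on/start_tls: binds and "
                         "passwords cross the network unencrypted"))
    elif not ("tls_cacertdir" in conf or "tls_cacertfile" in conf):
        findings.append(("no-ca",
                         "TLS is enabled but no tls_cacertdir/tls_cacertfile is "
                         "set, so the server certificate cannot be validated"))
    if "bindpw" in conf:
        findings.append(("bindpw-in-conf",
                         "bindpw is stored in ldap.conf, which every process can "
                         "read; prefer rootbinddn with the password in "
                         "/etc/ldap.secret (mode 0600) for a privileged bind"))
    return findings


if __name__ == "__main__":
    for code, message in check_ldap_conf(SAMPLE_LDAP_CONF):
        print("%-15s %s" % (code, message))
```

Run it against the real file with `check_ldap_conf(open("/etc/ldap.conf").read())`; on the posted configuration only the `host` warning (from the deliberately added line) and the bindpw note fire, since it already uses an `ldaps://` uri with `ssl on` and a CA directory.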