LDAP pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd

Jonas

Hi,
I'm trying to get LDAP working on CentOS 7, without Kerberos for now :] Unfortunately I can't get past the following message on the client side, which I get when a user tries to log in

Code:
pam_unix(passwd:chauthtok): user "test" does not exist in /etc/passwd

nsswitch
Code:
passwd:     files ldap
shadow:     files ldap
group:      files ldap


"/etc/openldap/ldap.conf"
Code:
URI ldap://10.0.0.224/
BASE ou=users,dc=test,dc=com

Version
Code:
$OpenLDAP: slapd 2.4.40 (Nov 19 2015 21:55:20) $

authconfig
Code:
caching is disabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://10.0.0.224/"
 LDAP base DN = "ou=users,dc=test,dc=com"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap range = "16777216-33554431"
nss_sss is enabled by default
nss_wins is disabled
nss_mdns4_minimal is disabled
DNS preference over NSS or WINS is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is sha512
pam_krb5 is disabled
 krb5 realm = ""
 krb5 realm via dns is disabled
 krb5 kdc = ""
 krb5 kdc via dns is disabled
 krb5 admin server = ""
pam_ldap is enabled
 LDAP+TLS is disabled
 LDAP server = "ldap://10.0.0.224/"
 LDAP base DN = "ou=users,dc=test,dc=com"
 LDAP schema = "rfc2307"
pam_pkcs11 is disabled
 use only smartcard for login is disabled
 smartcard module = ""
 smartcard removal action = ""
pam_fprintd is disabled
pam_ecryptfs is disabled
pam_winbind is disabled
 SMB workgroup = ""
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_sss is disabled by default
 credential caching in SSSD is enabled
 SSSD use instead of legacy services if possible is enabled
IPAv2 is disabled
IPAv2 domain was not joined
 IPAv2 server = ""
 IPAv2 realm = ""
 IPAv2 domain = ""
pam_pwquality is enabled (try_first_pass local_users_only retry=3 authtok_type=)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir or pam_oddjob_mkhomedir is enabled (umask=0077)
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled


ldapsearch shows the user, and it is under the correct ou

Sten

Does that user use the RFC 2307 schema? Which ldapsearch query works? Does the user show up with getent passwd test?

Jonas

To create it I used this ldif

Code:
dn: uid=test, ou=users,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0

ldapsearch -x -W -D "cn=admin,dc=test,dc=com" -b "dc=test,dc=com"

Code:
# test, users, test.com
dn: uid=test,ou=users,dc=test,dc=com
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: test
uid: test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/test
loginShell: /bin/bash
gecos: test
shadowMax: 0
shadowWarning: 0
userPassword:: e1NTSEF9WWZnMncxVkIvL2tERStCSWVIUnBJUU10Nm5ndy9UZms=
shadowLastChange: 16842


getent

Code:
test:x:16859:100:test:/home/test:/bin/bash

Sten

So the LDAP connection from PAM works, which means the problem is most likely a wrong setting in /etc/pam.d. Check that pam_ldap is in all the common-* files, and that in /etc/pam.d/common-auth the pam_unix entry is not missing the default=ignore parameter (the default is default=bad, which denies the login when the local user does not exist).

Sten

Typically the beginning of /etc/pam.d/common-auth should look something like this:

Code:
# First try local users
# success=n skips the next n modules if this one succeeds
# default=ignore means that if it fails, the result is ignored and the next module is tried
auth    [success=2 default=ignore]      pam_unix.so nullok_secure
# Then LDAP
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
# And if neither succeeds, access is denied
auth    requisite                       pam_deny.so

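
As an added example (not code from the thread), a small Python model of how Linux-PAM combines module results under these control values, using the pam.conf(5) keyword equivalents; the module outcomes are constructed inputs, so it runs without PAM installed and shows why a stack with pam_unix as `required` (default=bad) denies an LDAP-only user while the stack above lets it through.

```python
# Toy evaluator for Linux-PAM control values (added example, not from the thread).
# Models how one management group combines module results via the simple keywords
# and the bracketed [value=action] syntax. Module results are constructed inputs.
# Keyword equivalents as documented in pam.conf(5).
SIMPLE = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}

def parse_control(control):
    """'required' or '[success=2 default=ignore]' -> {return_value: action}."""
    if control.startswith("["):
        return dict(tok.split("=", 1) for tok in control.strip("[]").split())
    return dict(SIMPLE[control])

def run_stack(stack, results):
    """stack: [(control, module)]; results: {module: PAM return value name}.
    A module absent from results is treated as returning user_unknown. Returns
    'success' or 'failure'; a stack that ignored every module is denied."""
    status, i = None, 0
    while i < len(stack):
        control, module = stack[i]
        actions = parse_control(control)
        ret = results.get(module, "user_unknown")
        action = actions.get(ret, actions.get("default", "bad"))
        if action.isdigit():              # success=N: like ok, then skip N modules
            status = status or "success"
            i += int(action)
        elif action == "ok":
            status = status or "success"  # cannot override an earlier failure
        elif action == "done":
            return status or "success"    # an earlier failure still wins
        elif action == "bad":
            status = "failure"            # the first failure decides the stack
        elif action == "die":
            return "failure"
        i += 1                            # 'ignore' just moves on
    return status or "failure"

# Sten's suggested common-auth stack, and a stricter one where pam_unix is required.
STEN_STACK = [("[success=2 default=ignore]", "pam_unix.so"),
              ("[success=1 default=ignore]", "pam_ldap.so"),
              ("requisite", "pam_deny.so")]
STRICT_STACK = [("required", "pam_unix.so"), ("sufficient", "pam_ldap.so")]
# Constructed results for a user that exists only in LDAP (not in /etc/passwd).
LDAP_ONLY_USER = {"pam_unix.so": "user_unknown", "pam_ldap.so": "success",
                  "pam_deny.so": "auth_err"}
```

Calling `run_stack(STRICT_STACK, LDAP_ONLY_USER)` returns "failure" because the required pam_unix records the first failure, while `run_stack(STEN_STACK, LDAP_ONLY_USER)` returns "success" because the user_unknown result is ignored and pam_ldap's success jumps over pam_deny.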

ByCzech

I don't know about CentOS, but in Debian, I believe, the LDAP server configuration for PAM lives somewhere other than the LDAP client configuration. There are simply two config files, one for PAM and one for the ordinary LDAP utilities such as ldapsearch. Isn't this the same case?

Jonas

The ldap module is included in the following files

Code:
fingerprint-auth
fingerprint-auth-ac
password-auth
password-auth-ac
smartcard-auth
smartcard-auth-ac
su
system-auth
system-auth-ac

Code:
fingerprint-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
fingerprint-auth:session     optional      pam_ldap.so
fingerprint-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
fingerprint-auth-ac:session     optional      pam_ldap.so
password-auth:auth          sufficient    pam_ldap.so
password-auth:auth        sufficient    pam_ldap.so use_first_pass
password-auth:account     sufficient      pam_ldap.so
password-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password-auth:password    sufficient    pam_ldap.so
password-auth:password    sufficient    pam_ldap.so
password-auth:session     optional      pam_ldap.so
password-auth-ac:auth       sufficient    pam_ldap.so
password-auth-ac:auth        sufficient    pam_ldap.so use_first_pass
password-auth-ac:account     sufficient           pam_ldap.so
password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password-auth-ac:password    sufficient    pam_ldap.so
password-auth-ac:password    sufficient    pam_ldap.so
password-auth-ac:session     optional      pam_ldap.so
smartcard-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth:session     optional      pam_ldap.so
smartcard-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth-ac:session     optional      pam_ldap.so
su:auth                 sufficient      pam_ldap.so
system-auth:auth        sufficient    pam_ldap.so use_first_pass
system-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
system-auth:password    sufficient    pam_ldap.so use_authtok
system-auth:session     optional      pam_ldap.so
system-auth-ac:auth        sufficient    pam_ldap.so use_first_pass
system-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
system-auth-ac:password    sufficient    pam_ldap.so use_authtok
system-auth-ac:session     optional      pam_ldap.so

Pam_unix

Code:
fingerprint-auth:account     required      pam_unix.so broken_shadow
fingerprint-auth:session     required      pam_unix.so
fingerprint-auth-ac:account     required      pam_unix.so broken_shadow
fingerprint-auth-ac:session     required      pam_unix.so
password-auth:auth        sufficient    pam_unix.so nullok try_first_pass
password-auth:account     required      pam_unix.so broken_shadow
password-auth:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
password-auth:session     required      pam_unix.so
password-auth-ac:auth        sufficient    pam_unix.so nullok try_first_pass
password-auth-ac:account     required      pam_unix.so broken_shadow
password-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass
password-auth-ac:session     required      pam_unix.so
runuser:session         required        pam_unix.so
smartcard-auth:account     required      pam_unix.so broken_shadow
smartcard-auth:session     required      pam_unix.so
smartcard-auth-ac:account     required      pam_unix.so broken_shadow
smartcard-auth-ac:session     required      pam_unix.so
system-auth:auth        sufficient    pam_unix.so likeauth nullok
system-auth:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth:session     required      pam_unix.so
system-auth-ac:auth        sufficient    pam_unix.so likeauth nullok
system-auth-ac:password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
system-auth-ac:session     required      pam_unix.so


default=bad

Code:
fingerprint-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
fingerprint-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
login:auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
password-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
password-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
smartcard-auth-ac:account     [default=bad success=ok user_unknown=ignore] pam_ldap.so

I changed bad to ignore in password-auth and login, and the problem persists

Jonas

Does nobody have any experience with this?