Re: [HanoiLUG] turn off pam ldap?

Mon, 21 Jun 2010 18:22:48 -0700 

 HDD vẫn là của máy đó.
Làm tiếp thế nào hả bác?

Em rất sợ tự lock chính mình nên phải đi hỏi cho chắc

Ở máy bị lỗi:
[r...@vinicorp ~]# grep -H -r "pam_ldap.so" /etc/pam.d/*
/etc/pam.d/system-auth:auth        sufficient    pam_ldap.so use_first_pass
/etc/pam.d/system-auth:account [default=bad success=ok user_unknown=ignore] pam_ldap.so 
/etc/pam.d/system-auth:password    sufficient    pam_ldap.so use_authtok
/etc/pam.d/system-auth:session     optional      pam_ldap.so
/etc/pam.d/system-auth-ac:auth sufficient pam_ldap.so use_first_pass /etc/pam.d/system-auth-ac:account [default=bad success=ok user_unknown=ignore] pam_ldap.so 
/etc/pam.d/system-auth-ac:password    sufficient    pam_ldap.so use_authtok
/etc/pam.d/system-auth-ac:session     optional      pam_ldap.so

[r...@vinicorp ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so
session     optional      pam_ldap.so
[r...@vinicorp ~]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so
session     optional      pam_ldap.so

Ở một máy không bị vấn đề này:

[r...@www2 ~]# cd /etc/pam.d
[r...@www2 pam.d]# grep -H -r "pam_ldap.so" /etc/pam.d/*
[r...@www2 pam.d]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so
[r...@www2 pam.d]# cat /etc/pam.d/system-auth-ac
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok 
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid 
session     required      pam_unix.so
[r...@www2 pam.d]#

(2010/06/22 3:36), Huan Truong wrote:

Có vẻ như bác đã tháo ổ cứng ra một máy khác để lắp vào.

Try:

$ grep -H -r "pam_ldap.so" /media/ext_root_drive/etc/pam.d

(Chac chan cai lenh load module pam_ldap.so do no se o pam.d)

/etc/pam.d/sshd maybe?




On Mon, Jun 21, 2010 at 2:22 AM, Nguyen Vu Hung (VNC)
<vuh...@vinicorp.com.vn>  wrote:

Chào các bác,

Sau một hồi thử nghiệm ldap theo hướng dẫn ở đây:

http://www.linuxtopia.org/online_books/centos_linux_guides/centos_linux_reference_guide/s1-ldap-quickstart.html

Em bị lỗi: Không thể ssh được vào CentOS 5.4 nữa

Bây giờ làm sao để turn off ldap để có thể ssh hay physically login được?

tail -f /var/log/secure:

Jun 21 14:11:56 vinicorp sshd[3873]: PAM unable to
dlopen(/lib/security/pam_ldap.so)
Jun 21 14:11:56 vinicorp sshd[3873]: PAM [error: /lib/security/pam_ldap.so:
cannot open shared object file: No such file or directory]
Jun 21 14:11:56 vinicorp sshd[3873]: PAM adding faulty module:
/lib/security/pam_ldap.so
Jun 21 14:11:58 vinicorp sshd[3873]: Failed password for vuhung from
127.0.0.1 port 45565 ssh2
Jun 21 07:11:58 vinicorp sshd[3874]: fatal: Access denied for user vuhung by
PAM account configuration

[r...@vinicorp pam.d]# ssh -v vuh...@localhost
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to localhost [127.0.0.1] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3
debug1: match: OpenSSH_4.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is 5f:93:1b:04:0d:95:8f:98:46:b6:c6:7d:da:52:57:2f.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,gssapi-with-mic,password
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Unspecified GSS failure.  Minor code may provide more information
No credentials cache found

debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: password
vuh...@localhost's password:
Connection closed by 127.0.0.1

Em không rõ /etc/pam.d/login có liên quan không?

[r...@vinicorp pam.d]# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
pam_securetty.so
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    include      system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in
the user context
session    required     pam_selinux.so open
session    optional     pam_keyinit.so force revoke




--
**********************************************************************

Viet Nhat General Joint Stock Company (Vinicorp)

Add:  3F, 92 Hoang Ngan - Trung Hoa - Cau Giay - Hanoi

Tel :(+84)-4-3556-3607 Fax :(+84)-4-3556-3608

Nguyen Vu Hung

Email: vuh...@vinicorp.com.vn Mobile: (+84)-167-252-5834

***********************************************************************


_______________________________________________
POST RULES : http://wiki.hanoilug.org/hanoilug:mailing_list_guidelines
_______________________________________________
HanoiLUG mailing lists: http://lists.hanoilug.org/
HanoiLUG wiki: http://wiki.hanoilug.org/
HanoiLUG blog: http://blog.hanoilug.org/







--
**********************************************************************

Viet Nhat General Joint Stock Company (Vinicorp)

Add:  3F, 92 Hoang Ngan - Trung Hoa - Cau Giay - Hanoi

Tel :(+84)-4-3556-3607 Fax :(+84)-4-3556-3608

Nguyen Vu Hung

Email: vuh...@vinicorp.com.vn Mobile: (+84)-167-252-5834

***********************************************************************


_______________________________________________
POST RULES : http://wiki.hanoilug.org/hanoilug:mailing_list_guidelines
_______________________________________________
HanoiLUG mailing lists: http://lists.hanoilug.org/
HanoiLUG wiki: http://wiki.hanoilug.org/
HanoiLUG blog: http://blog.hanoilug.org/

Trả lời cho