Your message dated Thu, 30 Dec 2010 22:17:11 +0000
with message-id <[email protected]>
and subject line Bug#604147: fixed in nss-pam-ldapd 0.8.0
has caused the Debian Bug report #604147,
regarding libpam-ldapd: pam authentification fails if the first password is
wrong
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
604147: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=604147
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libpam-ldapd
Version: 0.7.12
Severity: normal
Hi,
I set up several machines with libpam-ldapd. I observed that, if I give the
wrong password the first time it is asked (for ssh connection, sudo, ...)
then I cannot log in even if I give the correct password at the second (and
third) try.
Example:
vdanj...@aya:~$ sudo su
[sudo] password for vdanjean: [WRONG PASS]
Sorry, try again.
[sudo] password for vdanjean: [CORRECT PASS]
sudo: pam_acct_mgmt: 7
Sorry, try again.
[sudo] password for vdanjean: [CORRECT PASS]
sudo: pam_acct_mgmt: 7
Sorry, try again.
sudo: 3 incorrect password attempts
vdanj...@aya:~$
or:
vdanj...@eyak:~$ ssh aya -l cbardel
cbar...@aya's password: [WRONG PASS]
Permission denied, please try again.
cbar...@aya's password: [CORRECT PASS]
Connection closed by 10.77.0.3
vdanj...@eyak:~$
Looking into the logs, it seems I'm refused due to the account pam stack (not
the auth pam stack) when I give the good password. Here are the logs in
/var/log/auth.log for the two previous examples:
[SSH connection]
Nov 20 17:21:31 aya sshd[32348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=eyak.vpn.danjean.fr user=cbardel
Nov 20 17:21:31 aya sshd[32348]: pam_ldap(sshd:auth): Authentication failure; user=cbardel
Nov 20 17:21:33 aya sshd[32348]: Failed password for cbardel from 10.77.2.254 port 40461 ssh2
Nov 20 17:21:35 aya sshd[32348]: pam_ldap(sshd:account): ; user=cbardel
Nov 20 17:21:35 aya sshd[32348]: Failed password for cbardel from 10.77.2.254 port 40461 ssh2
[Sudo invocation]
Nov 20 17:22:17 aya sudo: pam_unix(sudo:auth): authentication failure; logname=vdanjean uid=0 euid=0 tty=/dev/pts/7 ruser=vdanjean rhost= user=vdanjean
Nov 20 17:22:17 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; user=vdanjean
Nov 20 17:22:21 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 20 17:22:21 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
Nov 20 17:22:27 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 20 17:22:27 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
Nov 20 17:22:27 aya sudo: vdanjean : 3 incorrect password attempts ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
I do not have these problems for local accounts (and I log in correctly if I
give the good password at the first try for ldap accounts).
/etc/pam.d/common-auth is (removing comment lines):
auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
/etc/pam.d/common-account is (removing comment lines):
account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
account requisite pam_deny.so
account required pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000
Do you know what happens?
Regards,
Vincent
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.35-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libpam-ldapd depends on:
ii debconf [debconf-2.0] 1.5.36 Debian configuration management sy
ii libc6 2.11.2-7 Embedded GNU C Library: Shared lib
ii libpam-runtime 1.1.1-6.1 Runtime support for the PAM librar
ii libpam0g 1.1.1-6.1 Pluggable Authentication Modules l
ii nslcd 0.7.12 Daemon for NSS and PAM lookups usi
libpam-ldapd recommends no packages.
libpam-ldapd suggests no packages.
-- debconf information:
libpam-ldapd/enable_shadow: true
--- End Message ---
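A log check for the symptom reported above, added here as an example (it is not part of the bug report or of nss-pam-ldapd): it flags sessions in auth.log where a failed pam_ldap auth attempt is followed by an account-stage pam_ldap line with an empty message. It assumes that any pam_ldap auth-stage line is a failure (the message text is locale-dependent, as the sudo log shows) and that sudo lines, which carry no PID, can be grouped by host, service and user; the function name is hypothetical.

```python
import re

# pam_ldap syslog line: "<date> <host> <prog>[<pid>]: pam_ldap(<svc>:<stage>): <msg>; user=<name>"
PAM_LDAP = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<prog>[^\s\[:]+)(?:\[(?P<pid>\d+)\])?: "
    r"pam_ldap\((?P<svc>[^:)]+):(?P<stage>auth|account)\): (?P<msg>.*?); user=(?P<user>\S+)$"
)

# Sample input: auth.log lines from the report, wrapped lines rejoined, trimmed to the relevant ones.
SAMPLE_LOG = """\
Nov 20 17:21:31 aya sshd[32348]: pam_ldap(sshd:auth): Authentication failure; user=cbardel
Nov 20 17:21:33 aya sshd[32348]: Failed password for cbardel from 10.77.2.254 port 40461 ssh2
Nov 20 17:21:35 aya sshd[32348]: pam_ldap(sshd:account): ; user=cbardel
Nov 20 17:22:17 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; user=vdanjean
Nov 20 17:22:21 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 20 17:22:21 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
Nov 20 17:22:27 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
"""


def find_post_failure_rejections(log_text):
    """Return sessions where pam_ldap rejected the account stage after an auth failure."""
    failed = {}  # session key -> number of pam_ldap auth-stage (failure) lines
    hits = {}    # session key -> number of empty-message account-stage lines seen afterwards
    for line in log_text.splitlines():
        m = PAM_LDAP.match(line.strip())
        if not m:
            continue  # pam_unix, "Failed password", pam_acct_mgmt lines etc.
        # Assumption: sudo logs no PID, so its key degrades to host/service/user.
        key = (m["host"], m["prog"], m["pid"], m["svc"], m["user"])
        if m["stage"] == "auth":
            # Assumption: every pam_ldap auth-stage line is a failed attempt.
            failed[key] = failed.get(key, 0) + 1
        elif m["msg"] == "" and key in failed:
            hits[key] = hits.get(key, 0) + 1
    return [
        {"service": k[3], "user": k[4], "pid": k[2],
         "auth_failures": failed[k], "account_rejections": n}
        for k, n in hits.items()
    ]


if __name__ == "__main__":
    for session in find_post_failure_rejections(SAMPLE_LOG):
        print(session)
```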
--- Begin Message ---
Source: nss-pam-ldapd
Source-Version: 0.8.0
We believe that the bug you reported is fixed in the latest version of
nss-pam-ldapd, which is due to be installed in the Debian FTP archive:
libnss-ldapd_0.8.0_i386.deb
to main/n/nss-pam-ldapd/libnss-ldapd_0.8.0_i386.deb
libpam-ldapd_0.8.0_i386.deb
to main/n/nss-pam-ldapd/libpam-ldapd_0.8.0_i386.deb
nslcd_0.8.0_i386.deb
to main/n/nss-pam-ldapd/nslcd_0.8.0_i386.deb
nss-pam-ldapd_0.8.0.dsc
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.0.dsc
nss-pam-ldapd_0.8.0.tar.gz
to main/n/nss-pam-ldapd/nss-pam-ldapd_0.8.0.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Arthur de Jong <[email protected]> (supplier of updated nss-pam-ldapd package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Thu, 30 Dec 2010 20:00:00 +0100
Source: nss-pam-ldapd
Binary: nslcd libnss-ldapd libpam-ldapd
Architecture: source i386
Version: 0.8.0
Distribution: experimental
Urgency: low
Maintainer: Arthur de Jong <[email protected]>
Changed-By: Arthur de Jong <[email protected]>
Description:
libnss-ldapd - NSS module for using LDAP as a naming service
libpam-ldapd - PAM module for using LDAP as an authentication service
nslcd - Daemon for NSS and PAM lookups using LDAP
Closes: 586532 604147 607640
Changes:
nss-pam-ldapd (0.8.0) experimental; urgency=low
.
* include Solaris support developed by Ted C. Cheng of Symas Corporation
* include an experimental partial implementation of nslcd in Python
(disabled by default, see --enable-pynslcd configure option)
* implement a nss_min_uid option to filter user entries returned by LDAP
* implement a rootpwmodpw option that allows the root user to change a
user's password without a password prompt
* try to update the shadowLastChange attribute on password change
* all log messages now include a description of the request to more easily
track problems when not running in debug mode
* allow attribute mapping expressions for the userPassword attribute for
passwd, group and shadow entries and by default map it to the unmatchable
password ("*") to avoid accidentally leaking password information
* numerous compatibility improvements
* add --with-pam-seclib-dir and --with-pam-ldap-soname configure options to
allow more control of how to install the PAM module
* add --with-nss-flavour and --with-nss-maps configure options to support
other C libraries and limit which NSS modules to install
* allow tilde (~) in user and group names (closes: #607640)
* improvements to the timeout mechanism (connections are now actively timed
out using the idle_timelimit option)
* set socket timeouts on the LDAP connection to disconnect regardless of
LDAP and possibly TLS handling of connection
* better disconnect/reconnect handling of error conditions
* some code improvements and cleanups and several smaller bug fixes
* all internal string comparisons are now also case sensitive (e.g. for
providing DN to username lookups, etc)
* signal handling in the daemon was changed to behave more reliably across
different threading implementations
* nslcd will now always return a positive authorisation result during
authentication to avoid confusing the PAM module when it is only used for
authorisation (closes: #604147)
* implement configuring SASL authentication using Debconf, based on a patch
by Daniel Dehennin (closes: #586532) (not called for translations yet
because the English text is likely to change)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAk0c+e0ACgkQVYan35+NCKdyWgCfTjVlZsxeQhRBAZ5OHbIxsxOY
XekAnR6ipcYKCzZ112GqZFnY85mZUFof
=S5bP
-----END PGP SIGNATURE-----
--- End Message ---