We run a bunch of FreeBSD boxes, some FreeBSD 7.2, others (most) FreeBSD 8.0-CURRENT (most amd64).

These boxes manage their users via OpenLDAP 2.4.XX. Before we did an upgrade to OpenLDAP 2.4.15/16, everything was all right. Now, after nearly all of our OpenLDAP servers have been upgraded to 2.4.16, users cannot log in via ssh onto their hosts for work. Because this is at this very moment a very small scientific test facility, I circumvent the problem by having local accounts the traditional way.

When users try to log in on a workstation via ssh, the connection gets closed after they have provided their password, with this error:

sshd[3997]: fatal: login_get_lastlog: Cannot find account for uid 2000 (or whatever UID is provided)

Sshd on the server side is configured to use PAM, and both pam_ldap and nss_ldap are installed, up to date, and recompiled to match OpenLDAP 2.4.16. Besides, OpenLDAP 2.4.11/13/14/15/16 uses DB4.7 on our installation.

The funny thing is that this problem occurred immediately and synchronously on all clients and OpenLDAP servers when moved from 2.4.11 to 2.4.16/db47. On the other hand, and also very funny and confusing, I can enumerate every UID in the home directory, I can su to every user managed by LDAP, users are able to authenticate themselves when using SAMBA (also OpenLDAP backed), and web users authenticate when accessing restricted pages on our site secured by OpenLDAP-backed authentication (lighttpd). But no one is capable of logging in via ssh!

The situation is very frustrating. I do not see anything suspicious when tracking OpenLDAP's logs (ACL/stats), nor do I see anything weird when looking at sshd's logs. I need help to track down this problem.

When I search the net for the above-mentioned specific error message, I get a lot of trouble reports concerning nss_ldap and sshd, but those are from 2003/2005.

Any suggestions?

Thanks in advance,
freebsd-questions@freebsd.org mailing list
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
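The error quoted above comes from OpenSSH's login_get_lastlog(), which resolves the session uid with getpwuid() and calls fatal() when that returns NULL. su, SAMBA and a web login all start from a user name and go through getpwnam(), so a setup where only the uid-to-name direction of the NSS lookup is broken matches the symptoms exactly. The following small C program is an added diagnostic, not code from the original post or from OpenSSH: it performs the two lookups separately and reports which one fails. It assumes nothing about the cause; the name uidcheck and the exit codes are its own.

```c
/* Added diagnostic, not from the original post: reproduces the two NSS
 * lookups that matter here. sshd's login_get_lastlog() resolves the
 * session uid with getpwuid(); su and most other services start from a
 * user name and use getpwnam(). If only the uid->name direction fails,
 * the name-based services keep working while ssh logins die with
 * "Cannot find account for uid N". Build: cc -o uidcheck uidcheck.c */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

enum lookup_result {
    LOOKUP_OK = 0,       /* uid -> name -> same uid */
    LOOKUP_NO_UID = 1,   /* getpwuid() returned NULL: the sshd failure mode */
    LOOKUP_NO_NAME = 2,  /* getpwnam() returned NULL for the name we got back */
    LOOKUP_MISMATCH = 3  /* name resolves, but to a different uid */
};

/* Resolve uid -> name with getpwuid(), then name -> uid with getpwnam(),
 * and report whether the round trip is consistent. On LOOKUP_OK the
 * resolved name is copied to name_out (if non-NULL). */
int check_uid_roundtrip(uid_t uid, char *name_out, size_t name_len)
{
    char name[256];
    struct passwd *pw = getpwuid(uid);
    if (pw == NULL)
        return LOOKUP_NO_UID;
    /* getpwuid() and getpwnam() may share a static buffer: copy the name
     * before making the second call. */
    snprintf(name, sizeof name, "%s", pw->pw_name);

    pw = getpwnam(name);
    if (pw == NULL)
        return LOOKUP_NO_NAME;
    if (pw->pw_uid != uid)
        return LOOKUP_MISMATCH;

    if (name_out != NULL && name_len > 0)
        snprintf(name_out, name_len, "%s", name);
    return LOOKUP_OK;
}

int main(int argc, char **argv)
{
    char name[256];
    uid_t uid;
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <uid>\n", argv[0]);
        return 2;
    }
    uid = (uid_t)strtoul(argv[1], NULL, 10);
    rc = check_uid_roundtrip(uid, name, sizeof name);
    switch (rc) {
    case LOOKUP_OK:
        printf("uid %lu -> %s -> uid %lu: consistent\n",
               (unsigned long)uid, name, (unsigned long)uid);
        break;
    case LOOKUP_NO_UID:
        printf("getpwuid(%lu) failed: this is the lookup sshd's "
               "login_get_lastlog() makes\n", (unsigned long)uid);
        break;
    case LOOKUP_NO_NAME:
        printf("uid %lu resolved to a name that getpwnam() cannot find\n",
               (unsigned long)uid);
        break;
    default:
        printf("uid %lu resolves to a name that maps back to a different uid\n",
               (unsigned long)uid);
        break;
    }
    return rc;
}
```

Run it as root on an affected workstation (sshd runs as root, so that is the context whose nsswitch.conf and nss_ldap configuration matter) with the uid from the log line, e.g. ./uidcheck 2000. A LOOKUP_NO_UID result while su to the same user still works isolates the problem to the uid-keyed lookup path through nss_ldap on that host, which is what to compare between a 2.4.11 and a 2.4.16 server before touching sshd.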
