We are hoping to use the OpenLDAP client on our SLES9 system to allow users
who are defined in our non-Linux LDAP server to sign on without being defined
as local users.
We have no problem authenticating passwords via LDAP for users that are
defined both as local users and in LDAP. But when we try to sign on a user
that is in LDAP but is not defined locally, we see the following error in
/var/log/messages:
Sep 19 09:52:53 linuxsjs sshd[18109]: Accepted keyboard-interactive/pam for ssciasci from ::ffff:172.31.36.45 port 1479 ssh2
Sep 19 09:52:53 linuxsjs sshd[18112]: fatal: login_get_lastlog: Cannot find account for uid 1878
Here is the pam file for SSHD:
# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_nologin.so
auth sufficient pam_ldap.so
auth required pam_unix2.so use_first_pass # set_secrpc
account required pam_unix2.so
account [default=bad success=ok user_unknown=ignore \
service_err=ignore system_err=ignore] pam_ldap.so
password required pam_pwcheck.so
password required pam_ldap.so use_authtok
password required pam_unix2.so use_first_pass use_authtok
session required pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_unix2.so
session required pam_limits.so
session required pam_env.so
session optional pam_mail.so
Here is nsswitch.conf:
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Legal entries are:
#
# compat Use compatibility setup
# nisplus Use NIS+ (NIS version 3)
# nis Use NIS (NIS version 2), also called YP
# dns Use DNS (Domain Name Service)
# files Use the local files
# db Use the /var/db databases
# [NOTFOUND=return] Stop searching if not found so far
#
# For more information, please read the nsswitch.conf.5 manual page.
#
# passwd: files nis
# shadow: files nis
# group: files nis
passwd: compat
group: compat
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files nis ldap
aliases: files
passwd_compat: ldap
group_compat: ldap
Any ideas?
Sam
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
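The two log lines point at the NSS side rather than at PAM: pam_ldap accepted the password by binding to the LDAP server directly, but sshd's login_get_lastlog() then called getpwuid(1878), which is answered through nsswitch.conf, and got nothing back. With `passwd: compat`, glibc consults the `passwd_compat` source only for `+` entries in /etc/passwd (for example a trailing `+::::::` line); without one, `compat` behaves exactly like `files` and LDAP accounts are invisible to getpwnam()/getpwuid(). The script below is an added example, not part of Sam's post nor of SLES; it reads an nsswitch.conf and a passwd file and reports whether passwd lookups will ever reach LDAP, and carries a helper for the two getent lookups to run on the affected host. It assumes glibc's compat semantics and that nss_ldap (the `ldap` NSS module) is installed; the file paths are whatever the caller passes.

```shell
#!/bin/sh
# Added diagnostic for the NSS half of an LDAP login failure (example code).
# Assumptions: glibc NSS "compat" semantics (passwd_compat entries are merged
# only where /etc/passwd carries "+" lines) and nss_ldap installed on the box.

# Return 0 if getpwnam()/getpwuid() will consult LDAP for the given
# nsswitch.conf and passwd file, 1 if only local files will be searched.
nss_passwd_uses_ldap() {
    nsswitch=$1
    passwd=$2
    # Drop comments, keep the value part of "passwd:" and "passwd_compat:",
    # and squeeze whitespace so the case patterns below match reliably.
    sources=$(sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$nsswitch" \
              | tr -s '[:space:]' ' ')
    compat_src=$(sed -n 's/#.*//; s/^[[:space:]]*passwd_compat:[[:space:]]*//p' "$nsswitch" \
                 | tr -s '[:space:]' ' ')

    # Direct form: "passwd: files ldap" always reaches the ldap module.
    case " $sources " in
        *" ldap "*) return 0 ;;
    esac

    # Compat form: ldap is reached only via "+" entries in the passwd file.
    case " $sources " in
        *" compat "*)
            case " $compat_src " in
                *" ldap "*)
                    if grep -q '^+' "$passwd"; then
                        return 0
                    fi ;;
            esac ;;
    esac
    return 1
}

# On the affected host: resolve the account by name and by uid through NSS.
# sshd's login_get_lastlog() uses getpwuid(), so the uid lookup is the one
# that has to succeed; "getent passwd <number>" performs exactly that call.
check_account() {
    user=$1
    uid=$2
    if getent passwd "$user" >/dev/null 2>&1; then
        echo "getpwnam($user): found"
    else
        echo "getpwnam($user): NOT FOUND"
    fi
    if getent passwd "$uid" >/dev/null 2>&1; then
        echo "getpwuid($uid): found"
    else
        echo "getpwuid($uid): NOT FOUND"
    fi
}

# Usage: sh nss_check.sh /etc/nsswitch.conf /etc/passwd [user uid]
if [ $# -ge 2 ]; then
    if nss_passwd_uses_ldap "$1" "$2"; then
        echo "passwd lookups consult LDAP"
    else
        echo "passwd lookups use local files only:"
        echo "  add 'ldap' to the passwd: line in $1, or a '+::::::' line to $2"
    fi
    if [ $# -ge 4 ]; then
        check_account "$3" "$4"
    fi
fi
```

On the configuration shown above the script reports files-only, because passwd_compat is set but /etc/passwd has no `+` entry. Either change the two lines to `passwd: files ldap` and `group: files ldap`, or keep compat and append `+::::::` to /etc/passwd and `+:::` to /etc/group; afterwards `getent passwd 1878` should print the LDAP entry before ssh is tried again. Note that once NSS exposes the LDAP passwd tree, every LDAP user becomes a valid account on the host, so limit who may actually log in (for example with pam_groupdn in /etc/ldap.conf or AllowGroups in sshd_config).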