Bug#640774: Stopping nslcd no longer
On Wed, 15 Apr 2015 19:07:04 +0200 أحمد المحمودي aelmahmo...@users.sourceforge.net wrote:

> found 647978 0.9.4-3
> found 640774 0.9.4-3
> quit
>
> Hello,
>
> I am experiencing the issue of login failure with cached credentials,
> yet stopping nslcd no longer helps, rather I get this in /var/log/auth.log:
>
> Apr 15 18:19:42 myhostname login[13342]: pam_ldap(login:auth): error opening connection to nslcd: No such file or directory

I've found out that nslcd init script does not properly process nslcd error messages, and says OK when running actually fails.

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=794686

check /var/run/nslcd/ to see if nslcd is actually running. If it is not, run nslcd manually

# nslcd

and it will tell you why it does not want to start

> --
> أحمد المحمودي (Ahmed El-Mahmoudy)
> Digital design engineer
> GPG KeyID: 0xEDDDA1B7
> GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7

--
Nikolay Shaplov
Postgres Professional: http://www.postgrespro.com
Russian Postgres Company
Bug#640774: Stopping nslcd no longer
On Fri, 2015-04-17 at 19:28 +0200, أحمد المحمودي wrote:

> Please find /etc/pam.d/common-auth attached.

I have been playing around with pam_ccreds and I think the bug is in that package or a configuration mix-up.

Anyway, if I disable shadow lookups via ldap in /etc/nsswitch.conf I got it to work, otherwise the PAM stack fails with:

authpriv.err su[9407]: pam_acct_mgmt: Authentication failure

which seems to indicate that something is going wrong in the account (authorisation) part of PAM. I've added debug to pam_unix and pam_ldap in /etc/pam.d/common-account but neither module seems to be logging anything.

Without shadow lookups via LDAP at least pam_ldap logs in the account check that it can't connect to nslcd if it is not running. Also, now login works (but slow) if nslcd is still running but the LDAP server is reachable.

Some background on the intricacies of the PAM stack can be found here: https://bugs.debian.org/583492

--
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --

signature.asc
Description: This is a digitally signed message part
Bug#640774: Stopping nslcd no longer
On Thu, Apr 16, 2015 at 10:39:59PM +0200, Arthur de Jong wrote:

> On Wed, 2015-04-15 at 19:07 +0200, أحمد المحمودي wrote:
> > I am experiencing the issue of login failure with cached credentials,
> > yet stopping nslcd no longer helps, rather I get this in /var/log/auth.log:
> >
> > Apr 15 18:19:42 myhostname login[13342]: pam_ldap(login:auth): error opening connection to nslcd: No such file or directory
>
> Could you provide the contents of /etc/pam.d/common-auth? The default configuration has
>
> auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
>
> which is supposed to ignore PAM_AUTHINFO_UNAVAIL and continue with the next PAM module.

---end quoted text---

Please find /etc/pam.d/common-auth attached.

--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
GPG KeyID: 0xEDDDA1B7
GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7

#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the Primary block)
auth	[success=4 default=ignore]	pam_unix.so nullok_secure
auth	[success=3 authinfo_unavail=ignore default=ignore]	pam_ldap.so minimum_uid=1000 use_first_pass
auth	[success=2 default=ignore]	pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth	[default=ignore]	pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth	requisite	pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required	pam_permit.so
# and here are more per-package modules (the Additional block)
auth	optional	pam_ccreds.so minimum_uid=1000 action=store
# end of pam-auth-update config

signature.asc
Description: Digital signature
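The auth stack in the common-auth attached above, walked through as an added example that is not part of the original thread: a simplified Python model of how libpam applies the bracket controls and jump counts. The module return values passed to `run()` are constructed for illustration, and the `module:action` naming is a convention of this example only.

```python
import re

# Keyword controls expanded to bracket form, as listed in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}
# The auth lines of the common-auth attached to the message above.
COMMON_AUTH = """
auth [success=4 default=ignore] pam_unix.so nullok_secure
auth [success=3 authinfo_unavail=ignore default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
auth requisite pam_deny.so
auth required pam_permit.so
auth optional pam_ccreds.so minimum_uid=1000 action=store
"""
LINE = re.compile(r"auth\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)")

def parse(text):
    """Return [(control_rules, 'module[:action]'), ...] for each auth line."""
    stack = []
    for m in filter(None, map(LINE.match, text.strip().splitlines())):
        ctl, mod, args = m.groups()
        rules = dict(p.split("=") for p in ctl[1:-1].split()) if ctl[0] == "[" else KEYWORDS[ctl]
        action = re.search(r"action=(\w+)", args)
        stack.append((rules, mod + (":" + action.group(1) if action else "")))
    return stack

def run(stack, results):
    """results maps module name -> return value name (constructed inputs)."""
    status, i, trace = None, 0, []      # status None = nothing decided yet
    while i < len(stack):
        rules, name = stack[i]
        ret = results[name]
        act = rules.get(ret, rules.get("default", "ignore"))
        trace.append((name, ret, act))
        i += 1
        if act.isdigit():
            i += int(act)               # jump: skip N modules, status untouched
        elif act in ("ok", "done") and status in (None, "success"):
            status = ret
            if act == "done": break     # done ends the stack once positive
        elif act in ("bad", "die"):
            if status in (None, "success"): status = ret   # first failure sticks
            if act == "die": break      # die ends the stack immediately
    return (status or "perm_denied"), trace   # nothing set a result: deny
```

In this model, pam_ldap returning `authinfo_unavail` is ignored and a `success` from `pam_ccreds.so:validate` jumps over pam_deny to pam_permit, so the auth phase ends in `success`; if the validate step fails instead, the stack ends at pam_deny with `auth_err`.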
Bug#640774: Stopping nslcd no longer
On Wed, 2015-04-15 at 19:07 +0200, أحمد المحمودي wrote:

> I am experiencing the issue of login failure with cached credentials,
> yet stopping nslcd no longer helps, rather I get this in /var/log/auth.log:
>
> Apr 15 18:19:42 myhostname login[13342]: pam_ldap(login:auth): error opening connection to nslcd: No such file or directory

Could you provide the contents of /etc/pam.d/common-auth? The default configuration has

auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass

which is supposed to ignore PAM_AUTHINFO_UNAVAIL and continue with the next PAM module.

Thanks,

--
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --

signature.asc
Description: This is a digitally signed message part
Bug#640774: Stopping nslcd no longer
found 647978 0.9.4-3
found 640774 0.9.4-3
quit

Hello,

I am experiencing the issue of login failure with cached credentials, yet stopping nslcd no longer helps, rather I get this in /var/log/auth.log:

Apr 15 18:19:42 myhostname login[13342]: pam_ldap(login:auth): error opening connection to nslcd: No such file or directory

--
أحمد المحمودي (Ahmed El-Mahmoudy)
Digital design engineer
GPG KeyID: 0xEDDDA1B7
GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7

signature.asc
Description: Digital signature