Bug#705568: libpam-ldapd: LDAP Authentication failure with cached credentials
On Wed, 2015-04-15 at 19:13 +0200, أحمد المحمودي wrote:
> In the 0.9.4-3 revision, Account-Type is Primary, so I applied your
> changes for the Account: entry, yet neither local nor LDAP users can
> log in (even if the LDAP server is reachable), and I found the following
> in /var/log/auth.log:
>
> Apr 15 18:40:22 myhostname login[13808]: PAM pam_parse: expecting non-zero;
> [... new_authtok_reqd=done ignore=ignore user_unknown=ignore
> authinfo_unavail=0 default=bad]

authinfo_unavail=0 is not valid. You should probably specify
authinfo_unavail=ignore or something else depending on how you want your
PAM stack to look.

If you provide your full /etc/pam.d/common-account file, I can have a
look. Also, please clarify which changes you made to which file.

Thanks,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#705568: libpam-ldapd: LDAP Authentication failure with cached credentials
found 705568 0.9.4-3
quit

In the 0.9.4-3 revision, Account-Type is Primary, so I applied your
changes for the Account: entry, yet neither local nor LDAP users can
log in (even if the LDAP server is reachable), and I found the following
in /var/log/auth.log:

Apr 15 18:40:22 myhostname login[13808]: PAM pam_parse: expecting non-zero;
[... new_authtok_reqd=done ignore=ignore user_unknown=ignore
authinfo_unavail=0 default=bad]

-- 
أحمد المحمودي (Ahmed El-Mahmoudy)
 Digital design engineer
GPG KeyID: 0xEDDDA1B7
GPG Fingerprint: 8206 A196 2084 7E6D 0DF8 B176 BC19 6A94 EDDD A1B7
Bug#705568: libpam-ldapd: LDAP Authentication failure with cached credentials
On Tue, 2013-04-16 at 23:19 +0200, Jonatan Åkerlind wrote:
> By reordering the ldap as a Primary for account and also allowing it
> to pass if authinfo_unavail (i.e. no LDAP servers reachable) it works
> as expected for me. This solution is briefly touched on in this Ubuntu
> forum thread: http://ubuntuforums.org/showthread.php?t=1585654 .

The problem with moving LDAP to Primary is that if pam_unix allows
access, pam_ldap will no longer be consulted. This means that extra LDAP
authorisation checks will be skipped (e.g. the pam_authz_search option in
nslcd.conf or password expiration checks in slapd).

A little background on the complexities of the authorisation stack is
in #583492.

Can you provide some more information on what happens when the
authorisation fails in your PAM stack (add debug to both pam_unix and
pam_ldap in common-account)?

Thanks,

-- 
-- arthur - adej...@debian.org - http://people.debian.org/~adejong --
Bug#705568: libpam-ldapd: LDAP Authentication failure with cached credentials
Package: libpam-ldapd
Version: 0.8.12-1
Severity: normal
Tags: patch

Dear Maintainer,

the current pam configuration in wheezy up to experimental for
libpam-ldapd does not allow a login using cached credentials
(libpam-ccreds). The problem area seems to be the "account" pam type,
where the current configuration puts the ldap module as an Additional.

I see this behaviour using the currently available config when doing a
login without LDAP reachable:

You have been logged on using cached credentials.
Authentication failure

By reordering the ldap as a Primary for account and also allowing it to
pass if authinfo_unavail (i.e. no LDAP servers reachable) it works as
expected for me. This solution is briefly touched on in this Ubuntu forum
thread: http://ubuntuforums.org/showthread.php?t=1585654 .

My setup is simple, with only passwd, group and credentials in LDAP,
doing auth with libpam-ldapd and caching with libpam-ccreds.

-- System Information:
Debian Release: 7.0
  APT prefers testing
  APT policy: (900, 'testing'), (700, 'experimental'), (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libpam-ldapd depends on:
ii  libc6              2.13-38
ii  libpam-runtime     1.1.3-7.1
ii  libpam0g           1.1.3-7.1
ii  multiarch-support  2.13-38
ii  nslcd              0.8.10-4

libpam-ldapd recommends no packages.

libpam-ldapd suggests no packages.

-- no debconf information

--- 1/ldap	2013-04-16 22:16:20.089080110 +0200
+++ 2/ldap	2013-04-16 22:57:52.814167409 +0200
@@ -6,9 +6,9 @@ [success=end default=ignore] pam_ldap.so minimum_uid=1000 Auth: [success=end default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass -Account-Type: Additional +Account-Type: Primary Account: - [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000 + [success=end new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=end default=bad] pam_ldap.so minimum_uid=1000 Password-Type: Primary Password-Initial: [success=end default=ignore] pam_ldap.so minimum_uid=1000
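Review bot: `authinfo_unavail=end` in the new Account: line gives an unreachable LDAP server the same jump as success, so the account stack finishes in pam_permit without any LDAP authorisation having run, and with `Account-Type: Primary` pam_ldap is not reached at all once pam_unix has returned success, which silently drops the pam_authz_search and password-expiry checks the maintainer points out. The submission should state that trade-off explicitly, and the authinfo_unavail case needs its own deliberate action rather than reusing the success jump.

The two account stacks the thread argues about, as an added example that is not part of the bug report or of libpam-ldapd: a small Python model of Linux-PAM's bracket control-field dispatch, run over the common-account lines pam-auth-update produces for pam_ldap as an Additional module and for the reporter's Primary patch. The module return codes in each scenario are constructed, jumps follow pam.conf(5) (a number acts like ok and skips the next N modules), and the parser rejects the `authinfo_unavail=0` field from the auth.log line earlier in the thread.

```python
# Simplified model of Linux-PAM's account-stack dispatch as pam.conf(5) documents it:
# ok/done/bad/die/ignore, and a number N meaning "ok, then skip the next N modules" (reset not modelled).
ACTIONS = {"ignore", "bad", "die", "ok", "done"}
# common-account as pam-auth-update expands the ldap profile: Additional vs. the reporter's Primary patch ("end" becomes a jump count).
ADDITIONAL = [
    ("[success=1 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    ("[success=ok new_authtok_reqd=ok ignore=ignore default=die]", "pam_deny.so"),   # requisite
    ("[success=ok new_authtok_reqd=ok ignore=ignore default=bad]", "pam_permit.so"),  # required
    ("[success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore"
     " authinfo_unavail=ignore default=bad]", "pam_ldap.so"),
]
PRIMARY = [
    ("[success=2 new_authtok_reqd=done default=ignore]", "pam_unix.so"),
    ("[success=1 new_authtok_reqd=done ignore=ignore user_unknown=ignore"
     " authinfo_unavail=1 default=bad]", "pam_ldap.so"),
    ADDITIONAL[1], ADDITIONAL[2],
]

def parse_control(ctrl):
    """'[code=action ...]' -> dict; rejects what pam_parse rejects, e.g. 'authinfo_unavail=0'."""
    table = {}
    for tok in ctrl.strip("[]").split():
        code, action = tok.split("=", 1)
        if action not in ACTIONS and not (action.isdigit() and int(action) > 0):
            raise ValueError(f"{tok} is not valid: expecting non-zero")
        table[code] = action
    return table

def run_stack(stack, results):
    """Return (verdict, modules consulted). results maps module -> PAM return-code name;
    these are constructed scenario values. Unlisted modules succeed, so list pam_deny as failing."""
    impression, status, skip, consulted = None, "perm_denied", 0, []
    for ctrl, module in stack:
        if skip:                                   # jumped over: the module is never called
            skip -= 1
            continue
        retval = results.get(module, "success")
        consulted.append(module)
        table = parse_control(ctrl)
        action = table.get(retval, table.get("default", "bad"))
        if action in ("bad", "die"):
            if impression != "neg" or action == "die":
                impression, status = "neg", retval
        elif action != "ignore" and (impression is None or (impression == "pos" and status == "success")):
            impression, status = "pos", retval     # ok, done or a jump
        if action in ("done", "die"):
            break
        if action.isdigit():
            skip = int(action)
    return (status if impression else "perm_denied"), consulted
```

With pam_unix succeeding and pam_ldap reporting perm_denied (an authorisation refusal), `run_stack(ADDITIONAL, ...)` consults pam_ldap and denies, while `run_stack(PRIMARY, ...)` returns `("success", ["pam_unix.so", "pam_permit.so"])` without pam_ldap ever being called.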