Hi Again :)

On Fri, Dec 11, 2009 at 11:32 AM, Daniel Pittman <[email protected]> wrote:

> Nima Talebi <[email protected]> writes:
> > On Fri, Dec 11, 2009 at 12:17 AM, Daniel Pittman <[email protected]>
> wrote:
> >> Nima Talebi <[email protected]> writes:
>
> [...]
>
> >> So, what does 'passwd -S' show for 'darius' on that machine?  Specifically,
> >> does it report something sensible for the status and age fields?
> >
> > Well, depends how I've configured nsswitch.conf, so I'll detail both scenarios...
> >
> > If nsswitch contains:
> >
> > #. No LDAP here! - PAM LDAP takes over at this point.  The `pam_ldap' module
> > #. from the libpam-ldap package logs into the LDAP server when checking
> > #. passwords.  The pure pam_ldap solution allows limiting logins by how users
> > #. are stored in the directory (e.g. only allow logins for users in a certain
> > #. piece of the directory, require some attribute, etc).  It also requires less
> > #. access rights to the LDAP directory and does not expose password hashes.
> > shadow:         compat
> >
> > ...then, I naturally get nothing interesting...
> >
> > darius:/var/log# passwd -S nima
> > nima P
>
> ...and this scenario is still reporting "must change password", right?
>

Right.


> Are you actually using the PAM ldap module?  Is that, or some other module
> like Unix auth, configured to handle password expiration?
>
Yes, however I've let debconf do all the configuring for me until now, so
that could very well be the problem.

All the files /etc/pam.d/common-* have pam_ldap as a fall back to pam_unix.

As for expiration, it could be a red herring as I've set all the shadow*
values to 0 which AFAIK means never-expire.


>
> > If I however replace compat with ldap...
> >
> > darius:/var/log# passwd -S nima
> > nima L 01/01/1970 -1 0 0 -1
> > darius:/var/log#
> >
> > At which point, the login problem changes to look like....
> >
> > % ssh darius
> > You are required to change your password immediately (root enforced)
> > Linux darius 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64
> >
> > The programs included with the Debian GNU/Linux system are free software;
> > the exact distribution terms for each program are described in the
> > individual files in /usr/share/doc/*/copyright.
> >
> > Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> > permitted by applicable law.
> > You have new mail.
> > Last login: Wed Dec  9 06:08:23 2009 from datis
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > (pam) Please visit http://intranet.autonomy.net.au/ to change your
> password.
> > passwd: Permission denied
> > passwd: password unchanged
> > Connection to darius closed.
> > %
>
> Hmmmm.  That looks suspiciously good to me, if you either followed that link,
> or configured the passwd PAM entries to use pam_ldap to change the directory
> password rather than editing shadow. :)

How do I confirm that I am in fact...
 "configured the passwd PAM entries to use pam_ldap to change the directory
password"

...I think you're very close to the root cause now! :D


>
> >> Also, what does your /etc/pam.d/sshd file look like?  I doubt it is
> >> relevant, but just in case...
> >
> > Well it is a little relevant, here are the ones that matter...
> >
> > UsePAM yes
> > PasswordAuthentication yes
> > ChallengeResponseAuthentication no #. PAM modules don't like "yes" here
>
> That isn't the file I asked about, that is /etc/ssh/sshd_config.
>
> I want to see how you configured the /etc/pam.d/sshd file, which is what
> OpenSSH gets to run through with PAM. :)
>

Oops, sorry about that...

darius:~# grep ^[^#]  /etc/pam.d/sshd
auth       required     pam_env.so # [1]
auth       required     pam_env.so envfile=/etc/default/locale
@include common-auth
account    required     pam_nologin.so
@include common-account
@include common-session
session    optional     pam_motd.so # [1]
session    optional     pam_mail.so standard noenv # [1]
session    required     pam_limits.so
@include common-password
darius:~#


>
> >> Anyway, not a problem I have experienced.  (The "can't change password" is,
> >> but our LDAP / ssh / password auth stuff just works(tm), I fear.)
> >
> > Do you use RHEL or Debian, or...?
>
> Debian, but it wasn't any more trouble on RHEL a couple of years back. :)
>
>        Daniel
>
> --
> ✣ Daniel Pittman            ✉ [email protected]            ☎ +61 401 155 707
>               ♽ made with 100 percent post-consumer electrons
> --
> SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
> Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
>


Thanks again for all the help Daniel, I owe you beers :)

Nima
--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
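The "must change password" behaviour above comes from pam_unix's account check reading the ageing fields that `passwd -S` prints. As an added example (not code from the thread or from Linux-PAM itself), the script below parses a `passwd -S` line in the shadow-utils layout (name, status, last change as mm/dd/yyyy, min, max, warn, inactive) and reproduces the decision as I read it from `check_shadow_expiry()` in pam_unix's passverify.c, including the `(root enforced)` versus `(password aged)` wording. The user name, the quoted `passwd -S` lines and the sample day counts are constructed from the thread; the account-expiry field is assumed to be -1 because `passwd -S` does not print it.

```python
"""Reconstruct pam_unix's password-ageing decision from `passwd -S` output.

Added example, not code from the mailing-list thread or from Linux-PAM.
The branch order below is my reading of check_shadow_expiry() in pam_unix
(modules/pam_unix/passverify.c).  A value of -1 in a shadow(5) ageing
field means "not set".
"""
from datetime import date

# Names of the Linux-PAM results pam_unix's account check hands back.
PAM_SUCCESS = "PAM_SUCCESS"
PAM_ACCT_EXPIRED = "PAM_ACCT_EXPIRED"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"
PAM_AUTHTOK_EXPIRED = "PAM_AUTHTOK_EXPIRED"

EPOCH = date(1970, 1, 1)


def days_since_epoch(d):
    """Day count pam_unix uses: time(NULL) / 86400, here from a date."""
    return (d - EPOCH).days


def parse_passwd_s(line):
    """Parse one `passwd -S` line (shadow-utils format).

    Returns (name, status, fields).  fields is None when passwd printed only
    the status letter, which is what the thread shows for `shadow: compat`
    with an LDAP-only user; otherwise it is a dict of the shadow(5) ageing
    fields as integers, lstchg in days since the epoch.
    """
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("not a passwd -S line: %r" % line)
    name, status = parts[0], parts[1]
    if len(parts) < 7:
        return name, status, None
    month, day, year = (int(x) for x in parts[2].split("/"))
    fields = {"lstchg": days_since_epoch(date(year, month, day))}
    for key, value in zip(("min", "max", "warn", "inact"), parts[3:7]):
        fields[key] = int(value)
    fields["expire"] = -1  # assumption: passwd -S does not print sp_expire
    return name, status, fields


def check_shadow_expiry(f, curdays):
    """Return (pam_result, daysleft) the way pam_unix decides it.

    daysleft is 0 for an administrator-forced change, positive inside the
    warning window, and -1 otherwise.
    """
    if f["expire"] != -1 and curdays >= f["expire"]:
        return PAM_ACCT_EXPIRED, -1
    if f["lstchg"] == 0:
        # sp_lstchg == 0 (the 01/01/1970 seen in passwd -S) is pam_unix's
        # "change on next login" marker, not "never expire".
        return PAM_NEW_AUTHTOK_REQD, 0
    if curdays < f["lstchg"]:
        return PAM_SUCCESS, -1  # change date in the future: treated as OK
    age = curdays - f["lstchg"]
    if (f["max"] != -1 and f["inact"] != -1
            and age > f["max"] and age > f["inact"]
            and age > f["max"] + f["inact"]):
        return PAM_AUTHTOK_EXPIRED, f["lstchg"] + f["max"] - curdays
    if f["max"] != -1 and age > f["max"]:
        # sp_max == 0 means any password older than today has aged out.
        return PAM_NEW_AUTHTOK_REQD, -1
    daysleft = -1
    if f["max"] != -1 and f["warn"] != -1 and age > f["max"] - f["warn"]:
        daysleft = f["lstchg"] + f["max"] - curdays
    return PAM_SUCCESS, daysleft


def account_message(result, daysleft):
    """User-visible text for the forced-change results; None otherwise."""
    if result == PAM_NEW_AUTHTOK_REQD and daysleft == 0:
        return "You are required to change your password immediately (root enforced)"
    if result == PAM_NEW_AUTHTOK_REQD:
        return "You are required to change your password immediately (password aged)"
    return None


if __name__ == "__main__":
    # Constructed input: the line quoted in the thread for the LDAP case.
    today = days_since_epoch(date.today())
    for line in ("nima P", "nima L 01/01/1970 -1 0 0 -1"):
        name, status, fields = parse_passwd_s(line)
        if fields is None:
            print("%s: status %s, no ageing fields visible" % (name, status))
            continue
        result, left = check_shadow_expiry(fields, today)
        print("%s: %s -> %s" % (name, result, account_message(result, left)))
```

To compare against a live box, feed it the output of `passwd -S user` and compute today as `$(( $(date +%s) / 86400 ))`; the same fields are what `chage -l` reports and, for an LDAP user, what the shadowLastChange, shadowMax and related attributes carry.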
