Hey Daniel,

Here's another clue...

I su (from root) to nima...

darius:~# su - nima
You are required to change your LDAP password immediately.
su: Authentication failure
(Ignored)
 * INIT:[]...Done
 * Waiting on lock...Done
 * Sourcing OS profile Linux...
 * Sourcing profile HOME...
   o Setting up TOR IRC Proxy tunnel ...Skipped (No Onions Active)
 * Summoning GPG Agent...
 * Agent id is in place (Agent pid 25848)
 * Unlocking...Done
%

...Next, I run sudo (the LDAP-enabled version of sudo) to see what it can see...

% sudo -l
[sudo] password for nima: *<correct-password>*
sudo: pam_acct_mgmt: 7
Sorry, try again.
[sudo] password for nima: *<bad-password>*
Sorry, try again.
[sudo] password for nima: *<ctrl-c>*
sudo: 2 incorrect password attempts
%

...So it can obviously authenticate my password, but after that it's downhill. This is similar to what we see in the ssh logs, where I get authenticated up to some point, and then pam rejects me based on some other basis.

Nima

On Fri, Dec 11, 2009 at 11:32 AM, Daniel Pittman <[email protected]> wrote:
> Nima Talebi <[email protected]> writes:
> > On Fri, Dec 11, 2009 at 12:17 AM, Daniel Pittman <[email protected]> wrote:
> >> Nima Talebi <[email protected]> writes:
>
> [...]
>
> >> So, what does 'passwd -S' show for 'darius' on that machine? Specifically,
> >> does it report something sensible for the status and age fields?
> >
> > Well, depends how I've configured nsswitch.conf, so I'll detail both scenarios...
> >
> > If nsswitch contains:
> >
> > #. No LDAP here! - PAM LDAP takes over at this point. The `pam_ldap' module
> > #. from the libpam-ldap package logs into the LDAP server when checking
> > #. passwords. The pure pam_ldap solution allows limiting logins by how users
> > #. are stored in the directory (e.g. only allow logins for users in a certain
> > #. piece of the directory, require some attribute, etc). It also requires less
> > #. access rights to the LDAP directory and does not expose password hashes.
> > shadow: compat
> >
> > ...then, I naturally get nothing interesting...
> >
> > darius:/var/log# passwd -S nima
> > nima P
>
> ...and this scenario is still reporting "must change password", right?
>
> Are you actually using the PAM ldap module? Is that, or some other module
> like Unix auth, configured to handle password expiration?
>
> > If I however replace compat with ldap...
> >
> > darius:/var/log# passwd -S nima
> > nima L 01/01/1970 -1 0 0 -1
> > darius:/var/log#
> >
> > At which point, the login problem changes to look like....
> >
> > % ssh darius
> > You are required to change your password immediately (root enforced)
> > Linux darius 2.6.26-1-amd64 #1 SMP Sat Jan 10 17:57:00 UTC 2009 x86_64
> >
> > The programs included with the Debian GNU/Linux system are free software;
> > the exact distribution terms for each program are described in the
> > individual files in /usr/share/doc/*/copyright.
> >
> > Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
> > permitted by applicable law.
> > You have new mail.
> > Last login: Wed Dec 9 06:08:23 2009 from datis
> > WARNING: Your password has expired.
> > You must change your password now and login again!
> > (pam) Please visit http://intranet.autonomy.net.au/ to change your password.
> > passwd: Permission denied
> > passwd: password unchanged
> > Connection to darius closed.
> > %
>
> Hmmmm. That looks suspiciously good to me, if you either followed that link,
> or configured the passwd PAM entries to use pam_ldap to change the directory
> password rather than editing shadow. :)
>
> >> Also, what does your /etc/pam.d/sshd file look like? I doubt it is
> >> relevant, but just in case...
> >
> > Well it is a little relevant, here are the ones that matter...
> >
> > UsePAM yes
> > PasswordAuthentication yes
> > ChallengeResponseAuthentication no #. PAM modules don't like "yes" here
>
> That isn't the file I asked about, that is /etc/ssh/sshd_config.
> I want to see how you configured the /etc/pam.d/sshd file, which is what
> OpenSSH gets to run through with PAM. :)
>
> >> Anyway, not a problem I have experienced. (The "can't change password" is,
> >> but our LDAP / ssh / password auth stuff just works(tm), I fear.)
> >
> > Do you use RHEL or Debian, or...?
>
> Debian, but it wasn't any more trouble on RHEL a couple of years back. :)
>
> Daniel
>
> --
> ✣ Daniel Pittman ✉ [email protected] ☎ +61 401 155 707
> ♽ made with 100 percent post-consumer electrons

--
Nima Talebi
web: http://ai.autonomy.net.au/People/Nima
gpg: B51D 1F18 D8E2 B702 B027 23A4 E06B DAC1 BE70 ADC0

--
SLUG - Sydney Linux User's Group Mailing List - http://slug.org.au/
Subscription info and FAQs: http://slug.org.au/faq/mailinglists.html
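An added example, not code from either poster: the thread turns on what `passwd -S` reports for the account ("nima P" under shadow: compat, "nima L 01/01/1970 -1 0 0 -1" under shadow: ldap) and on why the login then demands a password change "(root enforced)". The script below parses both output forms and walks the shadow(5) ageing fields in the order pam_unix's account check evaluates them: a last-change date of day 0 (the 1970 epoch) means an administrator-forced change, then inactivity, then maximum age, then the warning window. The user names other than nima, the dates, and the ageing values beyond the two quoted lines are constructed. It models only the Unix/shadow check; the differently worded "change your LDAP password" message in the su session comes from pam_ldap's own policy check, which is not modelled here.

```python
"""Interpret `passwd -S` output the way pam_unix's account check does.

Added example, not code from the thread. Parses both forms of `passwd -S`
output quoted above and applies shadow(5) ageing rules in the order
pam_unix evaluates them. pam_ldap's own policy check is not modelled.
"""
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional

EPOCH = date(1970, 1, 1)


@dataclass
class PasswdStatus:
    user: str
    status: str                  # P usable password, L locked, NP no password
    last_change: Optional[date]  # None when only "<user> <status>" was printed
    min_days: int = -1
    max_days: int = -1
    warn_days: int = -1
    inactive_days: int = -1      # sp_expire is not shown by passwd -S, so not modelled


def parse_passwd_s(line: str) -> PasswdStatus:
    """Parse one `passwd -S` line: 2 fields (no shadow data) or 7 fields."""
    f = line.split()
    if len(f) == 2:
        return PasswdStatus(f[0], f[1], None)
    if len(f) != 7:
        raise ValueError(f"unexpected passwd -S output: {line!r}")
    changed = datetime.strptime(f[2], "%m/%d/%Y").date()
    return PasswdStatus(f[0], f[1], changed, *map(int, f[3:7]))


def account_verdict(st: PasswdStatus, today: date) -> str:
    """Classify like a pam_unix acct_mgmt step (simplified; wording from the thread)."""
    if st.last_change is None:
        return "unknown: passwd -S saw no shadow ageing data"
    # passwd -S prints L whenever the hash field starts with '!' or '*'; an
    # NSS source that withholds hashes (returns '*') shows L as well, so L on
    # its own does not prove the account was deliberately locked.
    note = "locked (or hash withheld by NSS); " if st.status == "L" else ""
    age = (today - st.last_change).days
    if st.last_change == EPOCH:
        # sp_lstchg == 0: change forced at next login, regardless of max age
        return note + "change required: last change is day 0 (root enforced)"
    if st.max_days >= 0 and st.inactive_days >= 0 and age > st.max_days + st.inactive_days:
        return note + "account expired: password inactive"
    if st.max_days >= 0 and age > st.max_days:
        return note + "change required: password aged"
    if st.max_days >= 0 and st.warn_days >= 0 and age + st.warn_days > st.max_days:
        return note + f"ok: warn, expires in {st.max_days - age} day(s)"
    return note + "ok"


def verdict_for(line: str, today_iso: str) -> str:
    """Convenience wrapper: one passwd -S line plus an ISO date for 'today'."""
    return account_verdict(parse_passwd_s(line), date.fromisoformat(today_iso))


# Constructed sample: the two lines quoted in the thread plus three made-up accounts.
SAMPLE_LINES: List[str] = [
    "nima P",
    "nima L 01/01/1970 -1 0 0 -1",
    "alice P 06/01/2009 0 90 7 -1",
    "bob P 11/01/2009 0 90 7 -1",
    "carol P 09/15/2009 0 90 7 -1",
]


def classify_all(lines: List[str], today_iso: str) -> List[str]:
    """Return 'line  ->  verdict' for every input line, in order."""
    return [f"{line}  ->  {verdict_for(line, today_iso)}" for line in lines]


if __name__ == "__main__":
    for row in classify_all(SAMPLE_LINES, "2009-12-11"):  # the date of the thread
        print(row)
```

Run against the thread's own lines with the thread's date, the compat case yields "unknown" (no ageing data reached `passwd -S` at all), while the ldap case yields a forced change because the last-change field is the epoch, which is the same condition that produces the "(root enforced)" wording on login; the L status is reported separately because it may be nothing more than the NSS backend withholding the hash.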
