To troubleshoot a PAM issue, you may add the "debug" keyword at the end of every line, or of selected lines, of /etc/pam.conf, and /var/adm/messages should then show more messages.
To troubleshoot the SSH server, you may start sshd with the "-d" (debug) option (interactive mode only), or use "ssh -v testdba@localhost" at the SSH client (-v means verbose mode).
You may use the sample pam.conf from http://docs.sun.com/app/docs/doc/816-4556/6maort2te?a=view; do comment out all the "pam_unix_cred.so.1" lines, as they are meant for Solaris 10.
Gary
-----Original Message-----
From: fedora-directory-users-bounces@redhat.com [mailto:fedora-directory-users-bounces@redhat.com] On Behalf Of Igor
Sent: Tuesday, August 30, 2005 4:30 AM
To: General discussion list for the Fedora Directory server project.
Subject: [Fedora-directory-users] Problem with solaris & FDS authentication
Hi, guys. I finally got the solaris box to talk to the FDS (thank you all for your help).
I'm now having a problem where I can't telnet/ssh from another machine.
On the client, I have this:
bash-2.03# ldaplist -l passwd testdba
dn: uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName: oracle
sn: user
loginShell: /bin/bash
uidNumber: 10001
gidNumber: 7000
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
objectClass: posixAccount
objectClass: shadowaccount
uid: testdba
cn: oracle user
homeDirectory: /home/testdba
bash-2.03#
The ACIs (in addition to the default ones):
Bind Password: dc=composers,dc=foo,dc=com
aci=(targetattr = "cn||uid||uidNumber||gidNumber||homeDirectory||shadowLastChange||shadowMin||shadowMax||shadowWarning||shadowInactive||shadowExpire||shadowFlag||memberUid")(version 3.0; acl LDAP_Naming_Services_deny_write_access; deny (write) userdn = "ldap:///self";)

aci=(target="ldap:///dc=composers,dc=foo,dc=com")(targetattr="userPassword")(version 3.0; acl LDAP_Naming_Services_proxy_password_read; allow (compare,search) userdn = "ldap:///cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com";)
There's nothing in the /var/adm/messages. My pam.conf [snipped] is this:
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1

#ssh
sshd auth sufficient /usr/lib/security/pam_ldap.so.1
sshd auth required /usr/lib/security/pam_unix.so.1 use_first_pass
---
The userPassword field is not displayed when I do ldaplist. Is that normal? Even when I do this:
/usr/bin/ldapsearch -D "cn=proxyagent,ou=profile,dc=composers,dc=foo,dc=com" -h cnyitlin02 -b dc=composers,dc=foo,dc=com objectclass=*

uid=testdba,ou=People, dc=composers,dc=foo,dc=com
givenName=oracle
sn=user
loginShell=/bin/bash
uidNumber=10001
gidNumber=7000
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=inetorgperson
objectClass=posixAccount
objectClass=shadowaccount
uid=testdba
cn=oracle user
homeDirectory=/home/testdba
How can I go about troubleshooting this?
____________________________________________________ Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs
-- Fedora-directory-users mailing list Fedora-directory-users@redhat.com https://www.redhat.com/mailman/listinfo/fedora-directory-users
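As an added example (not code from this thread, from Sun, or from the Fedora Directory Server project), the following Python models the two things Gary's advice turns on. It appends the "debug" option to the pam.conf lines of a chosen service without disturbing comments, and it walks an auth stack with the classic requisite/required/sufficient/optional (plus Solaris "binding") control-flag rules so that, for a given set of module outcomes, you can see why a login is allowed or denied. The sample pam.conf embedded in it is constructed to mirror the login and sshd lines quoted in the original message above; the module outcomes fed to the stack walk are hypothetical and are not anything observed on Igor's machine.

```python
"""Parse a Solaris-style /etc/pam.conf, add 'debug' to a service's lines,
and walk an auth stack with the classic control-flag semantics.
Added example for the thread; not the project's own code."""

from dataclasses import dataclass, field

# Constructed sample modelled on the login/sshd lines quoted in the thread
# (not a copy of anyone's real /etc/pam.conf).
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth sufficient pam_unix_auth.so.1
login auth required pam_ldap.so.1 try_first_pass
login auth required pam_dial_auth.so.1
#ssh
sshd auth sufficient /usr/lib/security/pam_ldap.so.1
sshd auth required /usr/lib/security/pam_unix.so.1 use_first_pass
"""

CONTROL_FLAGS = {"requisite", "required", "sufficient", "optional", "binding"}


@dataclass
class PamEntry:
    service: str
    module_type: str
    control: str
    module_path: str
    options: list = field(default_factory=list)

    @property
    def module(self):
        # pam.conf may name a module by absolute path or by bare file name
        return self.module_path.rsplit("/", 1)[-1]


def parse_pam_conf(text):
    """Parse pam.conf lines of the form: service type control module [options...]."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        code = raw.partition("#")[0].strip()      # drop comments and blank lines
        if not code:
            continue
        parts = code.split()
        if len(parts) < 4 or parts[2].lower() not in CONTROL_FLAGS:
            raise ValueError(f"pam.conf line {lineno}: malformed entry {raw!r}")
        entries.append(PamEntry(parts[0], parts[1].lower(), parts[2].lower(),
                                parts[3], parts[4:]))
    return entries


def add_debug(text, service=None):
    """Return the pam.conf text with 'debug' appended to every entry (or only to
    the entries of `service`), keeping comments and blank lines as they are and
    not duplicating the option on lines that already carry it."""
    out = []
    for raw in text.splitlines():
        code, hash_sign, comment = raw.partition("#")
        parts = code.split()
        wanted = bool(parts) and (service is None or parts[0] == service)
        if wanted and "debug" not in parts[4:]:
            code = code.rstrip() + " debug"
            raw = code + (" " + hash_sign + comment if hash_sign else "")
        out.append(raw)
    return "\n".join(out) + "\n"


def evaluate_auth_stack(entries, service, results):
    """Walk the auth stack of `service`.  `results` maps module file name to
    True/False; a module with no entry is treated as failing (e.g. the user is
    unknown to that backend).  Returns (allowed, trace)."""
    stack = [e for e in entries if e.service == service and e.module_type == "auth"]
    if not stack:
        raise LookupError(f"no auth stack for service {service!r}")
    impression = None   # None = undecided, True = success so far, False = a required module failed
    trace = []
    for e in stack:
        ok = results.get(e.module, False)
        trace.append(f"{e.control:<10} {e.module:<22} {'success' if ok else 'failure'}")
        if e.control == "requisite":
            if not ok:
                trace.append("requisite failed -> stop, deny")
                return False, trace
            impression = True if impression is None else impression
        elif e.control == "required":
            impression = (True if impression is None else impression) if ok else False
        elif e.control in ("sufficient", "binding"):
            if ok and impression is not False:
                trace.append(f"{e.control} succeeded with no prior required failure -> stop, allow")
                return True, trace
            if not ok and e.control == "binding":
                impression = False
        elif e.control == "optional":
            if ok and impression is None:
                impression = True
    trace.append("end of stack -> " + ("allow" if impression else "deny"))
    return impression is True, trace


if __name__ == "__main__":
    entries = parse_pam_conf(SAMPLE_PAM_CONF)
    # Hypothetical outcomes for an LDAP-only user: pam_unix cannot know them.
    for results in ({"pam_ldap.so.1": True}, {"pam_ldap.so.1": False, "pam_unix.so.1": False}):
        allowed, trace = evaluate_auth_stack(entries, "sshd", results)
        print("\n".join(trace), "\n=>", "allowed" if allowed else "denied", "\n")
    print(add_debug(SAMPLE_PAM_CONF, "sshd"))
```

Run stand-alone it prints the trace for the sshd stack. Two things worth noticing in the traces: a single sufficient pam_ldap line followed by a required pam_unix line means any pam_ldap failure falls through to pam_unix, which can only succeed for users that exist locally; and a required failure earlier in a stack (pam_dhkeys in the login stack) disables the later sufficient short-circuit, so the remaining modules still run and the stack ends in denial.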
Gary,
I did like you said. There was nothing in msgs file. From the remote host I got this:
debug1: Next authentication method: publickey
debug1: Trying private key: /.ssh/identity
debug1: Trying private key: /.ssh/id_rsa
debug1: Trying private key: /.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
testdba@149.85.86.87's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
sshd -d produced nothing either. So, I'm confused now.
Also, ldaplist by itself gives this:

bash-2.03# ldaplist
ldaplist: Object not found (LDAP ERROR (50): Insufficient access.)
Is that normal?
And when I do snoop -v ldap | grep LDAP, I don't see the {crypt} password anywhere...?