Re: sshd/pam access for users in ldap - "Access denied for this service"

after being sidetracked for a bit, i've had a chance to revisit this - thanks 
for the suggestion.  i was able to successfully build the nssov overlay from 
head with 2.4.21 as you suggest, and it appears to function, but i'm still 
seeing the same behavior.  where can i look next?

-ben

On Mar 09, 2010, at 23.59, Chris Breneman wrote:

> Up until recently, there was a bug in nssov.  The bug exists up through
> OpenLDAP 2.4.21.  It is currently fixed in the OpenLDAP CVS.  If you
> want, you can get the OpenLDAP CVS and copy the nssov directory from it
> into the nssov directory of release 2.4.21 - they're currently
> compatible.
> 
> Chris Breneman
> 
> On Tue, 2010-03-09 at 21:41 -0500, ben thielsen wrote:
>> hi-
>> 
>> i'm experimenting with nss-pam-ldapd in concert with the slapd nssov 
>> overlay, and having a bit of trouble getting my pam configuration to work 
>> right.  the nss side of things appears to be working well (things like 
>> getent, id, etc all return data from ldap), and the pam side of things seems 
>> to work to some extent, but if i'm correctly interpreting things, fails at 
>> the "account" stage of the process when logging in via ssh.  currently, i've 
>> tried to configure the pam sshd settings for ldap only, in hopes of 
>> isolating things.  the behavior differs a bit when using the correct 
>> password vs. an incorrect password, which gives me the impression that 
>> things are partially working.  i'm using version nss-pam-ldapd 0.7.3 and 
>> slapd 2.4.18 on ubuntu 9.10.  below is debug output from ssh (two sets, 
>> comparing correct password with intentionally wrong password), and my sshd 
>> pam config.  i'm hoping someone might be able to help point me in the right 
>> direction.
>> 
>> thanks
>> -ben
>> 
>> #>egrep -v '(^[[:space:]]*#|^[[:space:]]*$)' /etc/pam.d/sshd 
>> auth         required                        pam_env.so # [1]
>> auth         required                        pam_env.so 
>> envfile=/etc/default/locale
>> auth         [success=1 default=ignore]      pam_ldap.so #use_first_pass
>> auth         requisite                       pam_deny.so
>> auth         required                        pam_permit.so
>> account              required                        pam_nologin.so
>> account              [success=1 default=ignore]      pam_ldap.so
>> account              requisite                       pam_deny.so
>> account              required                        pam_permit.so
>> session              [default=1]                     pam_permit.so
>> session              requisite                       pam_deny.so
>> session              required                        pam_permit.so
>> session              required                        pam_unix.so
>> session              optional                        pam_ldap.so no_warn
>> session              optional                        pam_motd.so # [1]
>> session              optional                        pam_mail.so standard 
>> noenv # [1]
>> session              required                        pam_limits.so
>> password        required                        pam_passwdqc.so 
>> min=disabled,16,12,7,6 max=256
>> password        [success=2 default=ignore]      pam_unix.so obscure md5
>> password        [success=1 user_unknown=ignore default=die]     pam_ldap.so 
>> use_authtok try_first_pass
>> password        requisite                       pam_deny.so
>> password        required                        pam_permit.so
>> 
>> 
>> sshd -Dddd output (when correct password is used):
>> 
>> debug1: userauth-request for user flash service ssh-connection method 
>> password
>> debug1: attempt 1 failures 0
>> debug2: input_userauth_request: try method password
>> debug3: mm_auth_password entering
>> debug3: mm_request_send entering: type 11
>> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
>> debug3: mm_request_receive_expect entering: type 12
>> debug3: mm_request_receive entering
>> debug3: monitor_read: checking request 11
>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>> debug1: PAM: password authentication accepted for flash
>> debug3: mm_answer_authpassword: sending result 1
>> debug3: mm_request_send entering: type 12
>> debug3: mm_request_receive_expect entering: type 49
>> debug3: mm_request_receive entering
>> debug3: mm_auth_password: user authenticated
>> debug3: mm_do_pam_account entering
>> debug3: mm_request_send entering: type 49
>> debug3: mm_request_receive_expect entering: type 50
>> debug3: mm_request_receive entering
>> debug1: do_pam_account: called
>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>> debug3: PAM: do_pam_account pam_acct_mgmt = 7 (Authentication failure)
>> debug3: mm_request_send entering: type 50
>> Failed password for flash from 192.168.1.123 port 65166 ssh2
>> debug3: mm_request_receive entering
>> debug3: mm_do_pam_account returning 0
>> debug1: userauth_send_banner: sent
>> Access denied for user flash by PAM account configuration
>> debug1: do_cleanup
>> debug3: PAM: sshpam_thread_cleanup entering
>> debug1: do_cleanup
>> debug1: PAM: cleanup
>> debug3: PAM: sshpam_thread_cleanup entering
>> 
>> ssh client output (when correct password is used):
>> 
>>> ssh flash@under
>> flash@under's password: 
>> Access denied for this service
>> Connection closed by 192.168.1.1
>> 
>> 
>> sshd -Dddd output (when incorrect password is used):
>> 
>> debug1: userauth-request for user flash service ssh-connection method 
>> password
>> debug1: attempt 1 failures 0
>> debug2: input_userauth_request: try method password
>> debug3: mm_auth_password entering
>> debug3: mm_request_send entering: type 11
>> debug3: mm_auth_password: waiting for MONITOR_ANS_AUTHPASSWORD
>> debug3: mm_request_receive_expect entering: type 12
>> debug3: mm_request_receive entering
>> debug3: monitor_read: checking request 11
>> debug3: PAM: sshpam_passwd_conv called with 1 messages
>> debug1: PAM: password authentication failed for flash: Authentication failure
>> debug3: mm_answer_authpassword: sending result 0
>> debug3: mm_request_send entering: type 12
>> Failed password for flash from 192.168.1.123 port 65170 ssh2
>> debug3: mm_request_receive entering
>> debug3: mm_auth_password: user not authenticated
>> Connection closed by 192.168.1.123
>> debug1: do_cleanup
>> debug3: PAM: sshpam_thread_cleanup entering
>> debug1: do_cleanup
>> debug1: PAM: cleanup
>> debug3: PAM: sshpam_thread_cleanup entering
>> 
>> ssh client output (when incorrect password is used):
>> 
>> #>ssh flash@under
>> flash@under's password: 
>> Permission denied, please try again.
>> flash@under's password:
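As an added example (my own code, not anything from the thread, from nss-pam-ldapd or from Linux-PAM), this Python model applies the pam.conf(5) control-flag semantics to the account stack in the quoted sshd config. It shows that with `[success=1 default=ignore]` every non-success return from pam_ldap is discarded and the requisite pam_deny supplies the PAM_AUTH_ERR (7) that sshd logs, so that log line cannot reveal what pam_ldap itself returned. The evaluator is a reduced, assumed re-implementation of the documented semantics, and the retyped account lines are constructed input.

```python
import re
# Added example: reduced model of pam.conf(5) control semantics (not Linux-PAM code).
PAM_SUCCESS, PAM_PERM_DENIED, PAM_AUTH_ERR, PAM_USER_UNKNOWN = 0, 6, 7, 10
CODE_NAMES = {0: "success", 6: "perm_denied", 7: "auth_err", 10: "user_unknown"}
# Bracket-form equivalents of the simple keywords, as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok",   "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok",   "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
# Fixed account-phase results: pam_deny returns PAM_AUTH_ERR; pam_permit and
# pam_nologin (while /etc/nologin is absent) return PAM_SUCCESS.
FIXED = {"pam_deny.so": PAM_AUTH_ERR, "pam_permit.so": PAM_SUCCESS,
         "pam_nologin.so": PAM_SUCCESS}
LINE_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")
# The account lines of the quoted /etc/pam.d/sshd, retyped (constructed input).
SSHD_PAM = """\
account required                   pam_nologin.so
account [success=1 default=ignore] pam_ldap.so
account requisite                  pam_deny.so
account required                   pam_permit.so
"""

def parse_control(text):
    if text.startswith("["):
        return dict(kv.split("=", 1) for kv in text[1:-1].split())
    return KEYWORDS[text]

def run_stack(config, phase, returns):
    """Evaluate one phase; `returns` maps non-fixed modules to their return code."""
    mods = [(m.group(2), m.group(3)) for m in map(LINE_RE.match, config.splitlines())
            if m and m.group(1) == phase]
    status, i = None, 0                       # None: no module has contributed yet
    while i < len(mods):
        control, module = mods[i]
        i += 1
        ret = FIXED.get(module, returns.get(module, PAM_AUTH_ERR))
        ctl = parse_control(control)
        action = ctl.get(CODE_NAMES.get(ret, ""), ctl.get("default", "bad"))
        if action == "ignore":                # code discarded: it never reaches sshd
            continue
        if status in (None, PAM_SUCCESS):     # the first failure recorded wins
            status = ret
        if action == "die" or (action == "done" and status == PAM_SUCCESS):
            break
        if action.isdigit():                  # N: skip the next N modules
            i += int(action)
    return PAM_PERM_DENIED if status is None else status

def account_result(pam_ldap_code):
    return run_stack(SSHD_PAM, "account", {"pam_ldap.so": pam_ldap_code})
```

Because the stack's final code masks pam_ldap's own result, the real return has to be observed at the module or at nslcd rather than in sshd's pam_acct_mgmt line.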
--
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users