lists.arthurdejong.org
Re: User not known to the underlying authentication module


On Sun, 2016-01-24 at 17:02 -0600, Lane wrote:
> Ok, forget my last post. Figured out that nslcd in debug prints to
> stdout so took it out of the background. Here's a paste that shows
> the command I give trying to log into my ldap client, with nslcd in
> debug.

Having a user both in LDAP and in /etc/passwd (and /etc/shadow) will
confuse PAM. From the logs it seems that authentication is handled by
another PAM module (no initial authc call in the nslcd logs) but the
authorisation phase (the authz call) probably returns that the password
has expired (for example the shadow attributes in LDAP could indicate
that).

At that point the PAM stack is asked to change the password. Since
pam_ldap has not seen the password before it asks for the password
(this is the authc call after the session has been opened).

What is a bit weird is all the <passwd="james"> requests in the logs (I
would expect less if the user was in /etc/passwd). Perhaps james is
only in /etc/shadow?

Can you post your nsswitch.conf and whether james is in any files in
/etc?

Hope this helps,

-- 
-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

-- 
To unsubscribe send an email to
nss-pam-ldapd-users-unsubscribe@lists.arthurdejong.org or see
http://lists.arthurdejong.org/nss-pam-ldapd-users/
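
One way to gather the information requested in the message above, as an added example that is not part of the original message or of nss-pam-ldapd: it reports which local files define an account and which sources nsswitch.conf lists for passwd and shadow. The function names and the optional root-directory argument are assumptions, and the sample tree is constructed.

```shell
#!/bin/sh
# Added example: where is an account defined locally, and which NSS sources apply?
# The optional ROOT argument (an assumption) points at a copy of the filesystem.

# Print the local databases (passwd, shadow) whose first field equals USER.
local_files_with_user() {
    user=$1; root=${2:-}
    for f in passwd shadow; do
        [ -r "$root/etc/$f" ] || continue
        if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' \
            "$root/etc/$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# Print the sources nsswitch.conf lists for database DB, comments stripped.
nss_sources() {
    db=$1; root=${2:-}
    awk -v db="$db:" '{ sub(/#.*/, "") }
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$root/etc/nsswitch.conf"
}

# Summarise both; return 1 when USER is in local files while ldap is also a source.
check_account() {
    user=$1; root=${2:-}
    files=$(local_files_with_user "$user" "$root" | tr '\n' ' '); files=${files% }
    pw=$(nss_sources passwd "$root"); sdw=$(nss_sources shadow "$root")
    echo "local files with $user: ${files:-none}"
    echo "nsswitch passwd: $pw"
    echo "nsswitch shadow: $sdw"
    [ -n "$files" ] || return 0
    case " $pw $sdw " in
        *" ldap "*) echo "note: $user is local ($files) and ldap is an NSS source"
                    return 1 ;;
    esac
    return 0
}

# Constructed sample tree: james exists only in shadow, the case raised above.
demo=$(mktemp -d) && mkdir "$demo/etc"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/etc/passwd"
printf 'root:*:16000:0:99999:7:::\njames:!:16000:0:99999:7:::\n' > "$demo/etc/shadow"
printf 'passwd: files ldap\nshadow: files ldap\n' > "$demo/etc/nsswitch.conf"
check_account james "$demo" || true
rm -rf "$demo"
```

On a live system, call `check_account james` with no second argument so the real /etc is read; reading /etc/shadow needs root.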