Operating Systems OS X (Apple) Mac OS X LDAP client not accepting ssh or console logins (PAM error) Post 302980084 by jlh on Tuesday 23rd of August 2016 03:33:00 PM
Thanks for responding.

Yes, I tried setting

Code:
PasswordAuthentication yes

and

uncommenting the "#UsePAM yes" line.


I still can't log in, but at least the error changed a bit.... that's helpful


Code:
sh-3.2# ssh testuser@localhost
Password:
Password:
Password:
testuser@localhost's password:
Connection closed by ::1



Code:
Aug 23 13:18:51 macbook sshd[935]: error: PAM: permission denied for testuser from localhost via ::1
Aug 23 13:19:05 --- last message repeated 2 times ---
Aug 23 13:19:05 macbook sshd[935]: Failed password for testuser from ::1 port 50341 ssh2
Aug 23 13:19:05 fawkes sshd[935]: fatal: Access denied for user testuser by PAM account configuration [preauth]

So it seems that the Mac isn't authenticating properly or reading the password properly, but it's getting the other attributes correct.

This is such a wacky problem.

I'm thinking maybe the issue is with the authentication mechanisms available to Yosemite. If I query the directory server directly from the Mac I see the available SASL authentication mechanisms as:


Code:
sh-3.2#  ldapsearch -x -h FQDN_of_server -b  "" -s base "(objectclass=*)" supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


But the pam files show for sshd:


Code:
pam_krb5.so
pam_ntlm.so
pam_opendirectory.so


I was thinking that I need to add more SASL authentication methods to the system and I *think* that's done by editing the .plist of the server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, but I don't think Apple would make the OS that fussy.

Maybe I'm overthinking this....
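As an added example (not part of jlh's post), a small Python helper that parses the two diagnostics quoted above: it pulls the supportedSASLMechanisms values out of the ldapsearch LDIF and flags the ones that should only ever be offered inside TLS, and it tags each sshd log line with the PAM stage that emitted it, so the final "PAM account configuration" rejection can be told apart from a plain password failure. The sample inputs are constructed copies of the post's output, and the risk classes for the mechanisms are my own assumption.

```python
import re

# Constructed sample input: copies of the LDIF and sshd log lines quoted in the post.
LDIF = """\
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS
"""
SSHD_LOG = """\
Aug 23 13:18:51 macbook sshd[935]: error: PAM: permission denied for testuser from localhost via ::1
Aug 23 13:19:05 macbook sshd[935]: Failed password for testuser from ::1 port 50341 ssh2
Aug 23 13:19:05 fawkes sshd[935]: fatal: Access denied for user testuser by PAM account configuration [preauth]
"""

# Assumed risk classes: PLAIN and LOGIN carry the password itself, ANONYMOUS
# authenticates nobody, CRAM-MD5 and DIGEST-MD5 are MD5-based and obsolete.
# Anything else (EXTERNAL, GSSAPI, GSS-SPNEGO, SCRAM-SHA-1) is treated as fine.
RISK = {"PLAIN": "cleartext", "LOGIN": "cleartext", "ANONYMOUS": "anonymous",
        "CRAM-MD5": "legacy-md5", "DIGEST-MD5": "legacy-md5"}

def sasl_mechanisms(ldif):
    """Return the supportedSASLMechanisms values in the order the server lists them."""
    return re.findall(r"^supportedSASLMechanisms:\s*(\S+)\s*$", ldif, re.M)

def risky_mechanisms(mechs):
    """Return {mechanism: risk class} for mechanisms that should only be offered under TLS."""
    return {m: RISK[m] for m in mechs if m in RISK}

def pam_stage(line):
    """Tag an OpenSSH log line with the PAM stage that produced it (None if not PAM)."""
    if "by PAM account configuration" in line:
        return "account"       # do_pam_account(): pam_acct_mgmt() rejected the user
    if re.search(r"\bPAM: .+ for \S+ from \S+", line):
        return "conversation"  # the PAM keyboard-interactive conversation failed
    return None                # e.g. OpenSSH's own "Failed password" line

def log_stages(log):
    """List the PAM stage for each line of a log, in order."""
    return [pam_stage(ln) for ln in log.splitlines()]
```

Run against the post's own output it reports five mechanisms that need TLS and shows the last log line coming from the account stage rather than the authentication stage.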