Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: Mac OS X LDAP client not accepting ssh or console logins (PAM error)
Operating Systems OS X (Apple) Mac OS X LDAP client not accepting ssh or console logins (PAM error) Post 302980084 by jlh on Tuesday 23rd of August 2016 03:33:00 PM
Old 08-23-2016
Thanks for responding.

Yes, I tried setting

Code:
PasswordAuthentication yes

and

uncommenting the "#UsePAM yes" line.


I still can't login, but at least the error changed a bit.... that's helpful


Code:
sh-3.2# ssh testuser@localhost
Password:
Password:
Password:
testuser@localhost's password:
Connection closed by ::1



Code:
Aug 23 13:18:51 macbook sshd[935]: error: PAM: permission denied for testuser from localhost via ::1
Aug 23 13:19:05 --- last message repeated 2 times ---
Aug 23 13:19:05 macbook sshd[935]: Failed password for testuser from ::1 port 50341 ssh2
Aug 23 13:19:05 fawkes sshd[935]: fatal: Access denied for user testuser by PAM account configuration [preauth]

So it seems that mac isn't authenticating properly or reading the password properly, but it's getting the other
attributes correct.

This is such a wacky problem.

I'm thinking maybe the issue is with the authentication mechanisms available to yosemite. If I query the directory server
directly from the mac I see the available SASL authentication mechanisms as:


Code:
sh-3.2#  ldapsearch -x -h FQDN_of_server -b  "" -s base "(objectclass=*)" supportedSASLMechanisms
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: supportedSASLMechanisms
#

#
dn:
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: ANONYMOUS

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


But the pam files show for sshd:


Code:
pam_krb5.so
pam_ntlm.so
pam_opendirectory.so


I was thinking that I need to add more SASL authentication methods to the system and I *think* that's done by editing
the .plist of the server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, but I don't think Apple would make
the OS that fussy.

Maybe I'm overthinking this....
 

10 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

pam ldap limit authentication

I have a linux machine which authenticate users to ldap, this is working fine. But I would like to limit users that logon to the machines to just the system admins. The machines hosts different web sites which users accessed from there home directory like http://foo.mdx.ac.uk/~username At the... (0 Replies)
Discussion started by: hassan1
0 Replies

2. UNIX for Advanced & Expert Users

PAM LDAP Passwort

Hallo miteinander, ich bin gerade dabei ein eigenes C-Programm zuschreiben um mich über PAM auf einen LDAP Server zu authentifizieren. ... (2 Replies)
Discussion started by: saschaLin
2 Replies

3. UNIX and Linux Applications

Problems Hooking Sudoers into PAM/LDAP

Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here.. At this point I have an openLDAP server that is working quite splendidly! :) I have a working directory with users able to authenticate it and TLS... (2 Replies)
Discussion started by: bluethundr
2 Replies

4. Solaris

LDAP, PAM or SSHD?

Hi, I´m trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is Ok and I made something different in pam.conf, krb5.conf and sshd_config (see above) nsswitch.ldap: passwd: files ldap group: files ldap hosts: files dns ipnodes: ... (0 Replies)
Discussion started by: mpcavalcanti
0 Replies

5. Shell Programming and Scripting

LDAP and PAM Configurations for Windows 2008 R2 ADS and Cubox Ubuntu client

Please I am having problem to login using Active Directory Services 2008 R2 accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command. I have 2 systems, one that does not use gdm can login with all users... (0 Replies)
Discussion started by: powelltallen
0 Replies

6. Cybersecurity

LDAP and PAM Configurations for Windows 2008 R2 ADS and Cubox Ubuntu client

Please I am having problem to login using Windows 2008 R2 Active Directory Services accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command. I have 2 systems, one that does not use gdm can login with all... (1 Reply)
Discussion started by: powelltallen
1 Replies

7. SuSE

PAM password change failed, pam error 20

Hi, I use a software which can create account on many system or application. One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3. This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Discussion started by: scabarrus
3 Replies

8. UNIX for Advanced & Expert Users

Configure samba with PAM point 2 different LDAP

Hi, I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA. Is possibile duplicate the... (2 Replies)
Discussion started by: mark888
2 Replies

9. Solaris

Solaris LDOM not accepting keyboard input at console

Ran into this issue today and wanted to share how I fixed it as there is not a lot a lot of info online on this issue. We upgraded our NetApp controllers to Ontap 9 and reboot all our iSCSI attached LDOMs after. One of the LDOM did not come up cleanly and it would not accept any keyboard inputs... (0 Replies)
Discussion started by: ncherukuri
0 Replies

10. Solaris

LDAP Client not connecting to LDAP server

I have very limited knowledge on LDAP configuration and have been trying fix one issue, but unsuccessful. The server, I am working on, is Solaris-10 zone. sudoers is configured on LDAP (its not on local server). I have access to login directly on server with root, but somehow sudo is not working... (9 Replies)
Discussion started by: solaris_1977
9 Replies

LEARN ABOUT MOJAVE

pam_aks

pam_opendirectory(8)					    BSD System Manager's Manual 				      pam_opendirectory(8)

NAME

     pam_opendirectory -- OpenDirectory PAM module

SYNOPSIS

     [service-name] function-class control-flag pam_opendirectory [options]

DESCRIPTION

     The OpenDirectory PAM module supports the authentication, account management and password management function classes.  In terms of the
     function-class parameter, these are ``auth'', ``account'' and ``password'' respectively.

   The OpenDirectory Authentication Module
     The OpenDirectory authentication module permits or denies users based on OpenDirectory password authentication.

     The following option may be passed to this authentication module:

     nullok	 Allow null passwords.

   The OpenDirectory Account Management Module
     The OpenDirectory account management module permits or denies users based whether the account is enabled in OpenDirectory.

     The following option may be passed to this account management module:

     no_check_shell
		 Skip validating the user's shell.

     no_check_home
		 Skip validating the user's home directory.

     refresh=min
		 Sets the mbr_check_membership(3) cache timeout to min minutes.  When this option is used, the min value must be specified, and it
		 must be an integer.

   The OpenDirectory Password Management Module
     The OpenDirectory password management module supports password changing and enforces the OpenDirectory password policy.

SEE ALSO

     mbr_check_membership(3), pam.conf(5), pam(8), pwpolicy(8), DirectoryService(8)

BSD
								 February 7, 2009							       BSD
All times are GMT -4. The time now is 10:54 PM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy