Mac OS X LDAP client not accepting ssh or console logins (PAM error)
Hi Folks,
I've install 389 Directory Server on a Centos 7.0 server. Over the last two days I've been trying to connect a MacBook running 10.10.5 to the server as a client and I'm having only partial success.
I've "Joined" to my network Account Server, and set my LDAP Mappings to RFC2307.
With these settings, I'm able to look at the "Directory Editor" (located within the Directory Utility) and see the postfix groups / users I've created on the 389-ds server. (so success!)
Similarly, when using the Mac OS dscl command, and "cd-ing" int LDAPv3/FQDN_of_server/Users, I see the RecordNames of the users (or the shortname uid). (success again!)
The command
Code:
dscl /LDAPv3/FQDN_of_server -read Users/testuser
appears to pull up the correct information for the user. For example, the above command yields the following user information:
Code:
sh-3.2# dscl /LDAPv3/FQDN_of_server -read Users/testuser
dsAttrTypeNative:gecos: Ethan Hawke; Test User
dsAttrTypeNative:givenName: Test
dsAttrTypeNative:mail: testuser@xxx.xxx.edu
dsAttrTypeNative:memberOf:
cn=group1,ou=Groups,dc=example,dc=edu
cn=group2,ou=Groups,dc=example,dc=edu
dsAttrTypeNative:objectClass: top person organizationalPerson
inetorgperson posixAccount inetuser
dsAttrTypeNative:sn: User
AppleMetaNodeLocation: /LDAPv3/FQDN_of_server
AppleMetaRecordName:
uid=testuser,ou=People,dc=example,dc=edu
NFSHomeDirectory: /home/testuser
PrimaryGroupID: 1100
RealName: Test User
RecordName: testuser
RecordType: dsRecTypeStandard:Users
UniqueID: 2000
UserShell: /bin/tcsh
As root on the Mac system, I can "su" to an LDAP test user and create files. The ownership and group of the created files look correct. For example:
Code:
sh-3.2# su - testuser
[macbook:~] testuser% touch testfile
[macbook:~] testuser% ls -l testfile
-rw-r----- 1 testuser group1 0 Aug 22 14:47 testfile
I can also "change" the user's password by doing the following from the macbook:
Code:
sh-3.2# ldappasswd -ZZ -H ldap://xxx.xx.xx.4 -D "uid=testuser,ou=People,dc=example,dc=edu" -W -S -A
Old password: (current ldap passwd)
Re-enter old password: (current ldap passwd)
New password: (some new password)
Re-enter new password: (that same new password)
Enter LDAP Password: <--- this is the user's origional LDAP password before changing.
sh-3.2#
When I then try to login to a ldap client linux box, the user can successfully login with the new password.
However, I have an issue where I apparently can't ssh into the mac as testuser, login to the console, or "su" to an LDAP user from an unprivileged account. NOTE: I did verify that under "Users & Groups" I am allowing "all" network users to login at the login window.
The error I'm seeing in the system.log file when I try to ssh into the localhost as the test user is the following:
Code:
..... sshd<XXX>: error: PAM: authentication error for testuser ....
I believe the problem is with the authorization, sshd, and login files in the /etc/pam.d directory of the mac, butI've tried several changes to correct for the error, and nothing seems to work. I also tried setting UsePAM yes in the sshd_config file, but that didn't make a difference.
Has anyone else run across this issue? any suggestions would be appreciated. I've been fighting with this problem for two days now. Slaving into the directory server was easy, but this part has me puzzled.
Thanks,
==================
NOTE1: Error in the system.log file. What I'm seeing from an ldap user login (testuser) compared to a local user (localuser):
Code:
Aug 23 11:32:59 macbook com.apple.xpc.launchd[1] (com.openssh.sshd.F2962412-B0D7-4CBE-A82D-7D623E5484C7): Service instances do not support events yet.
Aug 23 11:33:04 macbook sshd[860]: error: PAM: authentication error for testuser from localhost via ::1
Aug 23 11:33:09 macbook sshd[860]: Connection closed by ::1 [preauth]
Code:
Aug 23 11:33:20 macbook com.apple.xpc.launchd[1] (com.openssh.sshd.05932857-258A-4DA3-8ACB-8724C9F660C3): Service instances do not support events yet.
Aug 23 11:33:24 macbook sshd[867]: Accepted keyboard-interactive/pam for localuser from ::1 port 50035 ssh2
Aug 23 11:33:24 macbook sshd: localuser [priv][867]: USER_PROCESS: 871 ttys004
NOTE2: I did modify the MacBook's /etc/openldap/ldap.conf file to be:
Code:
sh-3.2# cat /etc/openldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
BASE dc=example,dc=edu
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
URI ldap://xxx.xx.xx.4/
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
### changed TLS_REQCERT demand to allow
##TLS_REQCERT demand
TLS_REQCERT never
ssl start_tls
I added the ssl start_tls line so that I could use the following command from the mac:
Aug 23 13:18:51 macbook sshd[935]: error: PAM: permission denied for testuser from localhost via ::1
Aug 23 13:19:05 --- last message repeated 2 times ---
Aug 23 13:19:05 macbook sshd[935]: Failed password for testuser from ::1 port 50341 ssh2
Aug 23 13:19:05 fawkes sshd[935]: fatal: Access denied for user testuser by PAM account configuration [preauth]
So it seems that mac isn't authenticating properly or reading the password properly, but it's getting the other
attributes correct.
This is such a wacky problem.
I'm thinking maybe the issue is with the authentication mechanisms available to yosemite. If I query the directory server
directly from the mac I see the available SASL authentication mechanisms as:
I was thinking that I need to add more SASL authentication methods to the system and I *think* that's done by editing
the .plist of the server in /Library/Preferences/OpenDirectory/Configurations/LDAPv3, but I don't think Apple would make
the OS that fussy.
I have very limited knowledge on LDAP configuration and have been trying fix one issue, but unsuccessful.
The server, I am working on, is Solaris-10 zone. sudoers is configured on LDAP (its not on local server). I have access to login directly on server with root, but somehow sudo is not working... (9 Replies)
Ran into this issue today and wanted to share how I fixed it as there is not a lot a lot of info online on this issue.
We upgraded our NetApp controllers to Ontap 9 and reboot all our iSCSI attached LDOMs after. One of the LDOM did not come up cleanly and it would not accept any keyboard inputs... (0 Replies)
Hi,
I would like to configure samba with PEM (with LDAP). I've already found, on the server, configured the PAM Authentication(with LDAP) for ssh. I wanted to know if it was possible to configure PAM for to authenticate to another LDAP only for SAMBA.
Is possibile duplicate the... (2 Replies)
Hi,
I use a software which can create account on many system or application.
One of resource which is managed by this soft his a server SUSE Linux Enterprise Server 10 (x86_64). patch level 3.
This application which is an IBM application use ssh to launch command to create account in... (3 Replies)
Please I am having problem to login using Windows 2008 R2 Active Directory Services accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command.
I have 2 systems, one that does not use gdm can login with all... (1 Reply)
Please I am having problem to login using Active Directory Services 2008 R2 accounts on a cubox ubuntu (2.6.32.9-dove-5.4.2 #46). "getent passwd" only shows local users, however I can querry ADS users using ldapsearch command.
I have 2 systems, one that does not use gdm can login with all users... (0 Replies)
Hi,
I´m trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is Ok and I made something different in pam.conf, krb5.conf and sshd_config (see above)
nsswitch.ldap:
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: ... (0 Replies)
Greetings!! I am attempting to solve a rather thorny issue and I was hoping that someone might have some insight into what is going on here..
At this point I have an openLDAP server that is working quite splendidly! :)
I have a working directory with users able to authenticate it and TLS... (2 Replies)
I have a linux machine which authenticate users to ldap, this is working fine. But I would like to limit users that logon to the machines to just the system admins.
The machines hosts different web sites which users accessed from there home directory like http://foo.mdx.ac.uk/~username
At the... (0 Replies)