LDAP, PAM or SSHD?

Posted 03-22-2011

Hi,
I'm trying to make Solaris authenticate users in AD. NTP is working, nsswitch.ldap is listed above, DNS is OK and I made something different in pam.conf, krb5.conf and sshd_config (see above)

nsswitch.ldap:
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files dns
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
services: files
printers: user files
auth_attr: files
prof_attr: files
project: files
tnrhtp: files
tnrhdb: files

pam.conf:
login auth required pam_unix_cred.so.1
login auth sufficient pam_krb5.so.1
other auth required pam_unix_cred.so.1
other auth sufficient pam_krb5.so.1
other account required pam_unix_account.so.1
other account required pam_krb5.so.1
other password requisite pam_authtok_check.so.1
other password sufficient pam_krb5.so.1

krb5.conf:
[libdefaults]
default_realm = <mybusiness>.BIZ
verify_ap_req_nofail = false
[realms]
<mybusiness>.BIZ = {
kdc = dc01server
kdc = dc02server
kdc = <mybusiness>.biz
admin_server = <mybusiness>.biz
}
[domain_realm]
[logging]
default = FILE:/var/krb5/kdc.log
kdc = FILE:/var/krb5/kdc.log
kdc_rotate = {
period = 1d
version = 10
}
[appdefaults]
kinit = {
renewable = true
forwardable = true
}

With all changes made, here is my ldapclient command:

ldapclient -v manual -a credentialLevel=proxy -a authenticationMethod=simple -a "proxyDN=CN=<user>,OU=<blablabla>,OU=<otherbla>,OU=<blaRIO>,DC=<mybusiness>,DC=biz" -a proxyPassword=<passwd> -a "defaultServerList=dc01server dc02server" -a defaultSearchBase=dc=<mybusiness>,dc=biz -a domainName=<mybusiness>.biz -a attributeMap=group:userpassword=userPassword -a attributeMap=group:memberuid=memberUid -a attributeMap=group:gidnumber=gidNumber -a attributeMap=passwd:gecos=displayName -a attributeMap=passwd:gidnumber=gidNumber -a attributeMap=passwd:uidnumber=uidNumber -a attributeMap=passwd:homedirectory=unixHomeDirectory -a attributeMap=passwd:uid=sAMAccountName -a attributeMap=passwd:loginshell=loginShell -a attributeMap=shadow:shadowflag=shadowFlag -a attributeMap=shadow:userpassword=userPassword -a attributeMap=shadow:uid=sAMAccountName -a objectClassMap=group:posixGroup=group -a objectClassMap=passwd:posixAccount=user -a objectClassMap=shadow:shadowAccount=user -a "serviceSearchDescriptor=shadow:ou=otherbla,ou=blaRIO,dc=<mybusiness>,dc=biz?sub" -a "serviceSearchDescriptor=passwd:ou=otherbla,ou=blaRIO,dc=<mybusiness>,dc=biz?sub" -a "serviceSearchDescriptor=group:ou=otherbla,ou=blaRIO,DC=<mybusiness>,DC=biz?sub"

The problem is that when I put a secondary user group in the AllowGroups line in sshd_config, I cannot log in; it only works using the primary group.

With no AllowGroups or AllowGroups PRIMARYGROUP in sshd_config:

$ ssh me@obelix
Password:
Your Kerberos password will expire in 9672 days.

Last login: Tue Mar 22 14:58:42 2011 from gwserver
Sun Microsystems Inc. SunOS 5.10 Generic January 2005
Sun Microsystems Inc. SunOS 5.10 Generic January 2005

-bash-3.00$ id
uid=1771466(ME) gid=1885196(PRIMARYGROUP)

-bash-3.00$ id -a
uid=1771466(ME) gid=1885196(PRIMARYGROUP) groups=1885196(PRIMARYGROUP),1885197(SECONDARYGROUP)

Changing to the secondary group in sshd_config (AllowGroups SECONDARYGROUP) and restarting the sshd daemon:

$ ssh me@obelix
Password:
Password:
Password:
me@obelix's password:
Permission denied, please try again.
me@obelix's password:
Received disconnect from 10.2.96.174: 2: Too many authentication failures for me

In messages:
Mar 22 15:08:42 obelix sshd[27467]: [ID 800047 auth.error] error: PAM: Authentication failed for illegal user me from gwserver

Does anyone know where the problem is? How can I use the secondary group to authenticate users in sshd?

Thanks in advance,
MP
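When `id -a` lists SECONDARYGROUP but sshd rejects the login as soon as AllowGroups names that group, the membership sshd computes differs from what initgroups() returned to `id`; the POSIX sh check below is added here (it is not part of the post) to compare the two views from the group database, which on the real host you would feed from `getent group`. It assumes an sshd build that walks group entries and compares member names byte for byte, so it flags members that differ from the login name only in case (the post's `id` output prints the account as ME while the login was typed as me); that is a hypothesis to verify, and the group data in the block is constructed.

```shell
# sshd_allowgroups_check USER PRIMARYGROUP "G1 G2 ..."
# Reads a group database in getent(1) group format on stdin and reports, for
# each group named in AllowGroups, whether it would match USER when the match
# is done by a getgrent() walk: the primary group matches by name, every other
# group only if USER appears byte for byte in its member list.
sshd_allowgroups_check() {
    user=$1
    primary=$2
    allow=$3
    awk -F: -v user="$user" -v primary="$primary" -v allow="$allow" '
    BEGIN { n = split(allow, want, " ") }
    {
        exact = 0; fold = 0
        m = split($4, members, ",")
        for (i = 1; i <= m; i++) {
            if (members[i] == user) exact = 1
            if (tolower(members[i]) == tolower(user)) fold = 1
        }
        for (j = 1; j <= n; j++) {
            if ($1 != want[j]) continue
            if ($1 == primary)  print $1 ": match (primary group)"
            else if (exact)     print $1 ": match"
            else if (fold)      print $1 ": NO match (member name differs only in case)"
            else                print $1 ": NO match (user not in member list)"
        }
    }'
}

# Constructed sample group database mirroring the post: the secondary group
# lists the account as ME, the way the directory returned it, while the
# login name is me. A local group with the exact name is included for contrast.
SAMPLE_GROUPS='PRIMARYGROUP:x:1885196:
SECONDARYGROUP:x:1885197:ME,other
localadmins:x:100:me'

# Stand-alone run over the constructed data; on the host you would run
#   getent group | sshd_allowgroups_check me PRIMARYGROUP "PRIMARYGROUP SECONDARYGROUP"
printf '%s\n' "$SAMPLE_GROUPS" | sshd_allowgroups_check me PRIMARYGROUP "PRIMARYGROUP SECONDARYGROUP localadmins"
```

A case-only mismatch on the secondary group means the name the directory returns in memberUid and the name sshd matches against are not the same string, and one side has to be made consistent before AllowGroups can match it.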