I ran into a strange problem with LDAP authentication on RHEL 5.2 x86_64. After doing some research I found that there might be a bug in the nss_ldap libraries. However, after updating my libraries to the most recent release I still ran into an issue where nothing happened after I provided my AD credentials when authenticating over SSH, and I still couldn’t log in to the remote host. At this point, I’m annoyed by the fact that this is an issue at all. Tailing /var/log/secure would display the following:
Oct 13 11:32:46 REMOTEHOST sshd[2977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MYHOST user=USER
Oct 13 11:32:47 REMOTEHOST sshd[2977]: pam_krb5[2977]: authentication succeeds for ‘user’ (user@domain)
Oct 13 11:32:47 REMOTEHOST sshd[2977]: Accepted password for wsani from 10.*.*.* port 63567 ssh2
So my log-in is successful, but I don’t see anything in my SSH session. After some more troubleshooting I came up with a simple solution. To resolve the issue, I edited /etc/pam.d/system-auth and changed the following two lines:
auth requisite pam_succeed_if.so uid >= 500 quiet
account sufficient pam_succeed_if.so uid < 500 quiet
changed to:
auth requisite pam_succeed_if.so uid >= 100 quiet
account sufficient pam_succeed_if.so uid < 100 quiet
Evidently the default system-auth that RHEL 5 (and Fedora and CentOS) ships treats any UID below 500 as a local system account: in the stack authconfig generates, the requisite pam_succeed_if line sits ahead of pam_ldap, so a user with a lower UID is refused before the directory is ever consulted, and the account line lets those same users skip the LDAP account check entirely. Lowering the threshold to 100 lets directory accounts with UIDs in that range through. Note that it also sends any local account with a UID between 100 and 499 on to pam_ldap, so pick the lowest value that covers your directory users rather than dropping it to 0. I also added the following lines to my /etc/ldap.conf:
referrals no
bind_policy soft
referrals no keeps nss_ldap and pam_ldap from chasing the referrals Active Directory returns for its other naming contexts, which a Linux client usually cannot resolve and which stall lookups, and bind_policy soft makes a failed bind return promptly instead of retrying with back-off. By doing so I was able to log in to the server remotely using my LDAP credentials. Hopefully this will be helpful to someone else using Active Directory authentication on an RHEL 5.2 host.
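To see exactly what the two thresholds do, here is an added example; it is not code from this post. It is a small Python simulator that applies Linux-PAM control-flag semantics (required, requisite, sufficient and the [value=action] form) to the auth and account phases of the authconfig-generated system-auth stack, with stub modules standing in for pam_unix, pam_ldap and pam_succeed_if. The user records, the module results and the module ordering (pam_succeed_if ahead of pam_ldap in the auth stack, as authconfig writes it) are assumptions. Run it and a directory user with UID 150 is refused at the requisite line with the 500 threshold and reaches pam_ldap with 100, while local accounts and high-UID directory users are unaffected.

```python
"""Simulate the RHEL 5 system-auth auth and account phases for a given UID.
Added example (not code from the post): stubbed modules plus Linux-PAM control
semantics (required/requisite/sufficient and the [value=action] form) show which
users a pam_succeed_if threshold lets reach pam_ldap. User records and module
results are assumptions standing in for real NSS and PAM calls."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class User:
    name: str
    uid: int
    source: str  # "local" (/etc/passwd) or "ldap" (directory via nss_ldap)

# Constructed sample accounts; "wsani" is the directory user with a UID under 500.
USERS = {"root": User("root", 0, "local"), "ntp": User("ntp", 38, "local"),
         "wsani": User("wsani", 150, "ldap"), "jdoe": User("jdoe", 10042, "ldap")}

def system_auth(min_uid):
    """auth/account phases as authconfig writes them on RHEL 5 (assumed ordering:
    pam_succeed_if precedes pam_ldap in the auth stack); min_uid is the threshold."""
    return f"""\
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
auth     requisite  pam_succeed_if.so uid >= {min_uid} quiet
auth     sufficient pam_ldap.so use_first_pass
auth     required   pam_deny.so
account  required   pam_unix.so broken_shadow
account  sufficient pam_succeed_if.so uid < {min_uid} quiet
account  [default=bad success=ok user_unknown=ignore] pam_ldap.so
account  required   pam_permit.so
"""

LINE_RE = re.compile(r"^\s*(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")
OPS = {"<": int.__lt__, "<=": int.__le__, ">": int.__gt__, ">=": int.__ge__,
       "=": int.__eq__, "!=": int.__ne__}

def parse_stack(text, phase):
    """Return [(control, module, args)] for one phase of a pam.d file."""
    return [(m.group(2), m.group(3), m.group(4).split())
            for m in map(LINE_RE.match, text.splitlines()) if m and m.group(1) == phase]

def run_module(phase, module, args, user):
    """Stubbed module results (assumed, not real PAM); the password is taken as correct."""
    if module in ("pam_env.so", "pam_permit.so"):
        return "success"
    if module == "pam_deny.so":
        return "perm_denied"
    if module == "pam_succeed_if.so":            # only the "uid <op> N" form is modelled
        field, op, value = args[0], args[1], int(args[2])
        return "success" if field == "uid" and OPS[op](user.uid, value) else "auth_err"
    if module == "pam_unix.so":
        if phase == "auth":                      # no hash in /etc/shadow for directory users,
            return "success" if user.source == "local" else "auth_err"  # hence the logged failure
        return "success"                         # account: broken_shadow tolerates a missing entry
    if module == "pam_ldap.so":
        if user.source == "ldap":
            return "success"
        return "auth_err" if phase == "auth" else "user_unknown"
    raise ValueError(f"unmodelled module {module}")

def control_action(control, result):
    """Map a module result to a Linux-PAM action: ok, bad, die, done or ignore."""
    if control.startswith("["):
        table = dict(kv.split("=") for kv in control.strip("[]").split())
        return table.get(result, table.get("default", "bad"))
    ok = result == "success"
    return {"required": "ok" if ok else "bad", "requisite": "ok" if ok else "die",
            "sufficient": "done" if ok else "ignore", "optional": "ignore"}[control]

def run_phase(stack_text, phase, user):
    """Walk one phase; returns (outcome, trace of (module, result, action))."""
    failed, trace = False, []
    for control, module, args in parse_stack(stack_text, phase):
        result = run_module(phase, module, args, user)
        action = control_action(control, result)
        trace.append((module, result, action))
        if action == "bad":
            failed = True
        elif action == "die":                    # requisite failure: stop now
            return "fail", trace
        elif action == "done":                   # sufficient success: stop, keeping any earlier failure
            return ("fail" if failed else "success"), trace
    return ("fail" if failed else "success"), trace

def login(user, min_uid):
    """(auth outcome, account outcome, whether pam_ldap's account check was reached)."""
    stack = system_auth(min_uid)
    auth, _ = run_phase(stack, "auth", user)
    if auth != "success":
        return auth, "skipped", False
    account, trace = run_phase(stack, "account", user)
    return auth, account, any(m == "pam_ldap.so" for m, _, _ in trace)

if __name__ == "__main__":
    for min_uid in (500, 100):
        print(f"--- pam_succeed_if threshold {min_uid} ---")
        for u in USERS.values():
            auth, account, ldap = login(u, min_uid)
            print(f"{u.name:6} uid={u.uid:<6} {u.source:5} auth={auth:8} "
                  f"account={account:8} ldap_account_checked={ldap}")
```

The trace also explains the first line of the /var/log/secure excerpt above: because the sufficient pam_unix line runs before pam_ldap, every directory login first produces a pam_unix authentication failure that a later module then overrides, so that line on its own is noise rather than evidence of a second account being tried.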
Thanks for your note. We are also facing the same issue. We are on Enterprise Linux 5.3. I have even updated my LDAP libs, but it did not work. Let’s see, I will try your solution. Really appreciate it. Thank you.
Let us know how it turns out.
Hello,
I’ve had LDAP/RHEL 5.2 running in production fine for 2-3 years now; however, I am now tracking down a known (to us) issue. Basically we get thousands (almost tens of thousands) of these:
sshd[25018]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=
What is strange is the user can login.
I tried the syntax and order you suggested for the pam.d files; however, /var/log/secure still shows “authentication failure” (even though you can log in fine).
my /etc/pam.d/sshd:
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
my /etc/pam.d/system-auth:
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth sufficient pam_ldap.so use_first_pass
auth requisite pam_succeed_if.so uid >= 100 quiet
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
LDAP RPMS:
nss_ldap-253-12.el5
openldap-2.3.27-8.el5_1.3
openldap-clients-2.3.27-8.el5_1.3
openldap-devel-2.3.27-8.el5_1.3
php-ldap-5.1.6-20.el5
PAM RPMS:
pam-0.99.6.2-3.27.el5
pam_ccreds-3-5
pam-devel-0.99.6.2-3.27.el5
pam_krb5-2.2.14-1
pam_passwdqc-1.0.2-1.2.2
pam_pkcs11-0.5.3-23
pam_smb-1.1.7-7.2.1
64-bit Kernel:
RHEL 5.2 x86_64 x86_64 x86_64 GNU/Linux
Any suggestions anyone?
thanks in advance!
Bert,
Are you saying that root can log in to the box without a password?
To me the error indicates a brute-force attack, but I may be incorrect. I don’t have enough operational details to be able to determine the exact cause.
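As an added example (not part of the post or the comments), one way to get the operational detail that separates the two readings, fallback noise versus a real brute-force attempt: sshd tags every line of one connection attempt with the same PID, so grouping /var/log/secure by that PID shows whether a pam_unix failure was followed by an Accepted line (a directory user whose password pam_unix could not check before pam_ldap or pam_krb5 did) or only by Failed password lines. It also copes with the empty user= and rhost= fields in the lines quoted above, since the later sshd line for the same PID carries both. The log lines below are constructed; the host names and addresses are placeholders.

```python
"""Separate sshd PAM fallback noise from real failed logins in /var/log/secure.
Added example, not from the post or its comments. When a sufficient pam_unix
line runs ahead of pam_ldap/pam_krb5, every directory-user login logs a
"pam_unix(sshd:auth): authentication failure" that a later module then
overrides, and sshd tags all lines of one connection with the same PID.
The sample log is constructed; hosts and addresses are placeholders."""
import re
from collections import defaultdict

SAMPLE_SECURE = """\
Oct 13 11:32:46 REMOTEHOST sshd[2977]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MYHOST user=wsani
Oct 13 11:32:47 REMOTEHOST sshd[2977]: pam_krb5[2977]: authentication succeeds for 'wsani' (wsani@domain)
Oct 13 11:32:47 REMOTEHOST sshd[2977]: Accepted password for wsani from 10.0.0.5 port 63567 ssh2
Oct 13 11:40:01 REMOTEHOST sshd[3102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost= user=
Oct 13 11:40:03 REMOTEHOST sshd[3102]: Failed password for root from 198.51.100.7 port 40112 ssh2
Oct 13 11:40:05 REMOTEHOST sshd[3102]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=198.51.100.7 user=root
Oct 13 11:40:07 REMOTEHOST sshd[3102]: Failed password for root from 198.51.100.7 port 40112 ssh2
Oct 13 11:41:10 REMOTEHOST sshd[3150]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MYHOST user=wsani
Oct 13 11:41:12 REMOTEHOST sshd[3150]: Failed password for wsani from 10.0.0.5 port 63601 ssh2
"""

PID_RE = re.compile(r"sshd\[(\d+)\]: (.*)$")
PAM_FAIL_RE = re.compile(r"pam_unix\(sshd:auth\): authentication failure;.*rhost=(\S*) user=(\S*)")
ACCEPT_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+)")
FAILED_RE = re.compile(r"Failed \S+ for (?:invalid user )?(\S+) from (\S+)")

def new_session():
    return {"user": None, "rhost": None, "pam_unix_failures": 0, "failed": 0, "accepted": False}

def classify(text):
    """Group lines by sshd PID and label each connection attempt."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        pid, msg = m.groups()
        s = sessions[pid]
        pam, acc, fail = PAM_FAIL_RE.search(msg), ACCEPT_RE.search(msg), FAILED_RE.search(msg)
        if pam:                               # module-level noise; user/rhost may be empty here
            s["pam_unix_failures"] += 1
            s["user"] = s["user"] or pam.group(2) or None
        elif acc:                             # sshd's final verdict for this PID
            s["accepted"] = True
            s["user"], s["rhost"] = acc.groups()
        elif fail:
            s["failed"] += 1
            s["user"], s["rhost"] = fail.groups()
    for s in sessions.values():
        if s["accepted"]:
            s["outcome"] = "fallback_noise" if s["pam_unix_failures"] else "accepted"
        else:
            s["outcome"] = "rejected"
    return dict(sessions)

def failed_attempts_by_rhost(sessions):
    """Failures worth alerting on: Failed-password lines per source host."""
    counts = defaultdict(int)
    for s in sessions.values():
        if s["failed"] and s["rhost"]:
            counts[s["rhost"]] += s["failed"]
    return dict(counts)

if __name__ == "__main__":
    sessions = classify(SAMPLE_SECURE)
    for pid, s in sessions.items():
        print(pid, s["outcome"], s["user"], s["rhost"],
              f"pam_unix_failures={s['pam_unix_failures']} failed={s['failed']}")
    print("failed attempts by rhost:", failed_attempts_by_rhost(sessions))
```

Counting only the Failed password lines per source host, rather than the pam_unix lines, is what keeps a busy LDAP host from looking like it is under constant attack; if the rejected-session counts for one rhost climb, that is the brute-force signal.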
I have implemented your solution and it’s working fine with no issues. You are a genius. Thank you.
Another request: I am trying to configure Samba so that I can access some Linux folders from a Windows machine. Do you have any idea how I can integrate Samba with LDAP?
Any input will be of great help.
Thanks.
Welcome back! I used the Samba WIKI: http://wiki.samba.org/index.php/Samba_&_Active_Directory to configure it for LDAP authentication. Let me know if you have any follow-up questions.
This post helped me out as well. Our LDAP server is an Ubuntu box and the user UIDs start at 100. I spun my wheels a lot until I came across this post. The error in /var/log/secure was no help… “su -” worked, ssh didn’t… Once I lowered the UID threshold in /etc/pam.d/system-auth, everything was golden.
I’m happy to help out a fellow geek at NASA