[Bug 2340] New: Openssh issue: unable to ssh the solaris server from ldap users
bugzilla-daemon at mindrot.org
Thu Jan 22 00:50:48 AEDT 2015
https://bugzilla.mindrot.org/show_bug.cgi?id=2340
Bug ID: 2340
Summary: Openssh issue: unable to ssh the solaris server from ldap users
Product: Portable OpenSSH
Version: 5.8p1
Hardware: Sparc
OS: Solaris
Status: NEW
Severity: critical
Priority: P5
Component: PAM support
Assignee: unassigned-bugs at mindrot.org
Reporter: sultankhan4u at gmail.com
Hi,
I am unable to ssh to the Solaris server from the LDAP users.
For every attempt I get the error below in adm messages:
sshd[19250]: [ID 800047 auth.error] error: PAM: System error for axadmin
OpenSSH package:
pkginfo -l SMCossh
PKGINST: SMCossh
NAME: openssh
CATEGORY: application
ARCH: sparc
VERSION: 5.8p1
BASEDIR: /usr/local
VENDOR: The OpenSSH Group
PSTAMP: Steve Christensen
INSTDATE: Jan 19 2015 12:00
EMAIL: steve at smc.vnet.net
STATUS: completely installed
FILES: 101 installed pathnames
10 shared pathnames
19 directories
21 executables
4768 blocks used (approx)
nsswitch.conf
:/root !ksh cat /etc/nsswitch.conf
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap
# consult /etc "files" only if ldap is down.
hosts: files ldap
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files
aliases: files
# for efficient getservbyname() avoid ldap
services: files
printers: user files ldap
auth_attr: files
prof_attr: files
project: files
=========================================
ldaplist -l passwd axadmin
=================
:/root !ksh ldaplist -l passwd axadmin
dn: uid=axadmin,ou=People,dc=evolium,dc=com
uid: axadmin
cn: axadmin
sn: axadmin
gidNumber: 1001
gecos: Axadmin
homeDirectory: /alcatel/var/home/axadmin
loginShell: /bin/bash
radiusFilterId: noAccessGroup
objectClass: top
objectClass: account
objectClass: radiusprofile
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowaccount
uidNumber: 2500
cat /etc/pam.conf
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass
#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_unix_auth.so.1
#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authenctication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth optional pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 use_first_pass
#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron auth required pam_bypass.so
cron account required pam_bypass.so
#sshd account required pam_unix_account.so.1
#RCA: FR: 3BKA32FBR276068
sshd account binding pam_unix_account.so.1 server_policy
sshd account required pam_ldap.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy
ksh uname -a
SunOS V01 5.10 Generic_150400-15 sun4u sparc SUNW,SPARC-Enterprise
=====
ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=evolium,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecc423aad0
NS_LDAP_SERVERS= V01
NS_LDAP_SEARCH_BASEDN= dc=evolium,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10
===========
It is blocking my entire work; could you please help me correct this issue?
Let me know if you need any more information.
Regards
Moin
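The pam.conf pasted above resolves service stacks by the rule its own comments state: a service uses the "other" entries of a module type only when it has no explicit entries of that type. The following Python script is an added example, not part of the bug report or of OpenSSH; it parses a Solaris-style pam.conf and reports which section each of sshd's four module types actually resolves to. SAMPLE_PAM_CONF is a constructed excerpt modelled on the report's file. Run against the report's configuration it shows that sshd has explicit account entries but no auth entries, so sshd authentication runs the "other" auth stack (pam_unix_auth with server_policy, then pam_ldap with use_first_pass).

```python
"""Resolve the effective PAM stack for a service from a Solaris-style
/etc/pam.conf.  Rule (from the file's own comments): explicit entries
for a service win; otherwise the "other" entries of the same module
type apply.  Added example; SAMPLE_PAM_CONF is a constructed excerpt."""

from collections import defaultdict

# Constructed excerpt in Solaris pam.conf syntax:
#   service  module_type  control_flag  module_path [options...]
SAMPLE_PAM_CONF = """\
# comment lines and blank lines are ignored
login auth requisite pam_authtok_get.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth optional pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 use_first_pass
#sshd account required pam_unix_account.so.1
sshd account binding pam_unix_account.so.1 server_policy
sshd account required pam_ldap.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
"""

MODULE_TYPES = ("auth", "account", "session", "password")


def parse_pam_conf(text):
    """Return {(service, module_type): [(flag, module, [options]), ...]},
    preserving file order, which is the order PAM runs the stack."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments (whole-line or trailing)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, flag, module, *options = fields
        stacks[(service.lower(), mtype.lower())].append((flag.lower(), module, options))
    return stacks


def effective_stack(stacks, service, mtype):
    """Apply the fallback rule and return (section_used, entries)."""
    key = (service.lower(), mtype.lower())
    if key in stacks:
        return service.lower(), stacks[key]
    return "other", stacks.get(("other", mtype.lower()), [])


def stack_report(stacks, service):
    """Per module type: which section the service really gets, and the
    module list on that stack (empty when neither section defines it)."""
    report = {}
    for mtype in MODULE_TYPES:
        source, entries = effective_stack(stacks, service, mtype)
        report[mtype] = (source, [module for _, module, _ in entries])
    return report


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    for mtype, (source, modules) in stack_report(stacks, "sshd").items():
        print(f"sshd {mtype:8s} <- {source:6s} {modules}")
```

sshd prints "PAM: System error" when a PAM call returns PAM_SYSTEM_ERR, so the first thing to pin down is which stack actually ran for sshd. Once that is known, the debug option that the report's login auth entries already carry can be applied to the same modules on the "other" stack to narrow the failing module.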