[Bug 2340] New: Openssh issue: unable to ssh the solaris server from ldap users

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jan 22 00:50:48 AEDT 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2340

            Bug ID: 2340
           Summary: Openssh issue: unable to ssh the solaris server from
                    ldap users
           Product: Portable OpenSSH
           Version: 5.8p1
          Hardware: Sparc
                OS: Solaris
            Status: NEW
          Severity: critical
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sultankhan4u at gmail.com

Hi,

I am unable to ssh to the Solaris server as the LDAP users.

For every attempt I get the error below in adm messages:
sshd[19250]: [ID 800047 auth.error] error: PAM: System error for axadmin



OpenSSH package:

pkginfo -l SMCossh
   PKGINST:  SMCossh
      NAME:  openssh
  CATEGORY:  application
      ARCH:  sparc
   VERSION:  5.8p1
   BASEDIR:  /usr/local
    VENDOR:  The OpenSSH Group
    PSTAMP:  Steve Christensen
  INSTDATE:  Jan 19 2015 12:00
     EMAIL:  steve at smc.vnet.net
    STATUS:  completely installed
     FILES:      101 installed pathnames
                  10 shared pathnames
                  19 directories
                  21 executables
                4768 blocks used (approx)



nsswitch.conf

:/root !ksh cat /etc/nsswitch.conf
#
# /etc/nsswitch.ldap:
#
# An example file that could be copied over to /etc/nsswitch.conf; it
# uses LDAP in conjunction with files.
#
# "hosts:" and "services:" in this file are used only if the
# /etc/netconfig file has a "-" for nametoaddr_libs of "inet" transports.

# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd: files ldap
group: files ldap

# consult /etc "files" only if ldap is down.
hosts: files ldap
# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes: files

networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files

netgroup: files

automount: files
aliases: files

# for efficient getservbyname() avoid ldap
services: files

printers: user files ldap

auth_attr: files
prof_attr: files

project: files

ldaplist -l passwd axadmin

:/root !ksh ldaplist -l passwd axadmin
dn: uid=axadmin,ou=People,dc=evolium,dc=com
uid: axadmin
cn: axadmin
sn: axadmin
gidNumber: 1001
gecos: Axadmin
homeDirectory: /alcatel/var/home/axadmin
loginShell: /bin/bash
radiusFilterId: noAccessGroup
objectClass: top
objectClass: account
objectClass: radiusprofile
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowaccount
uidNumber: 2500



cat /etc/pam.conf
#
#ident "@(#)pam.conf 1.20 02/01/23 SMI"
#
# Copyright 1996-2002 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
#
# PAM configuration
#
# Unless explicitly defined, all services use the modules
# defined in the "other" section.
#
# Modules are defined with relative pathnames, i.e., they are
# relative to /usr/lib/security/$ISA. Absolute path names, as
# present in this file in previous releases are still acceptable.
#
# Authentication management
#
# login service (explicit because of pam_dial_auth)
#
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth binding pam_unix_auth.so.1 server_policy debug
login auth required pam_ldap.so.1 use_first_pass debug

#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin auth sufficient pam_rhosts_auth.so.1
rlogin auth requisite pam_authtok_get.so.1
rlogin auth required pam_dhkeys.so.1
rlogin auth required pam_unix_cred.so.1
rlogin auth binding pam_unix_auth.so.1 server_policy
rlogin auth required pam_ldap.so.1 use_first_pass

#
# rsh service (explicit because of pam_rhost_auth,
# and pam_unix_auth for meaningful pam_setcred)
#
rsh auth sufficient pam_rhosts_auth.so.1
rsh auth required pam_unix_cred.so.1
rsh auth required pam_unix_auth.so.1

#
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth optional pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 use_first_pass

#
# passwd command (explicit because of a different authentication module)
#
passwd auth binding pam_passwd_auth.so.1 server_policy
passwd auth required pam_ldap.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron auth required pam_bypass.so
cron account required pam_bypass.so

#sshd account required pam_unix_account.so.1
#RCA: FR: 3BKA32FBR276068
sshd account binding pam_unix_account.so.1 server_policy
sshd account required pam_ldap.so.1

#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1

#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other session required pam_unix_session.so.1
#
# Default definition for Password management
# Used when service name is not explicitly mentioned for password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1 server_policy



uname -a
SunOS V01 5.10 Generic_150400-15 sun4u sparc SUNW,SPARC-Enterprise

ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyagent,ou=profile,dc=evolium,dc=com
NS_LDAP_BINDPASSWD= {NS1}ecc423aad0
NS_LDAP_SERVERS= V01
NS_LDAP_SEARCH_BASEDN= dc=evolium,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= tls_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_BIND_TIME= 10



It is blocking my entire work; could you please help me correct this
issue? Let me know if you need any more information.





Regards

Moin
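The pam.conf in the report notes that a service without its own entries for a module type falls back to the "other" section, so sshd here has an explicit account stack but takes its auth and session stacks from "other". The following added example (not part of the bug report or of OpenSSH) resolves the effective sshd stack from a constructed subset of that pam.conf, so a reviewer can see exactly which modules, including pam_ldap.so.1, run for each phase:

```python
# Resolves which pam.conf entries Solaris PAM actually runs for a service:
# a service uses its own lines for a module type if any exist, else "other".
from collections import defaultdict

# Constructed sample: the sshd-relevant subset of the pam.conf in the report.
SAMPLE_PAM_CONF = """\
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth optional pam_unix_cred.so.1
other auth binding pam_unix_auth.so.1 server_policy
other auth required pam_ldap.so.1 use_first_pass
#sshd account required pam_unix_account.so.1
sshd account binding pam_unix_account.so.1 server_policy
sshd account required pam_ldap.so.1
other account binding pam_unix_account.so.1 server_policy
other account required pam_ldap.so.1
other session required pam_unix_session.so.1
"""

def parse_pam_conf(text):
    """Return {(service, type): [(control, module, options)]} in file order."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blanks
        fields = line.split()
        if len(fields) < 4:                   # blank, comment or malformed
            continue
        service, mtype, control, module = fields[:4]
        stacks[(service, mtype)].append((control, module, fields[4:]))
    return stacks

def effective_stack(stacks, service, mtype):
    """Entries PAM runs for service/mtype and which service they came from."""
    own = stacks.get((service, mtype))
    if own:
        return own, service
    return stacks.get(("other", mtype), []), "other"

def describe(text, service="sshd"):
    """One line per module type showing where the service's stack comes from."""
    stacks = parse_pam_conf(text)
    lines = []
    for mtype in ("auth", "account", "session", "password"):
        entries, source = effective_stack(stacks, service, mtype)
        mods = " -> ".join(f"{c}:{m}" for c, m, _ in entries) or "(none)"
        lines.append(f"{service} {mtype} (from '{source}'): {mods}")
    return lines

if __name__ == "__main__":
    print("\n".join(describe(SAMPLE_PAM_CONF)))
```

Running it against the full /etc/pam.conf instead of the sample shows, for any service name sshd reports in its log, which stack produced the failure and whether a commented-out line (like the `#sshd account` entry above) silently changed the fallback.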
