OpenSSH public key problem with Solaris 10 and LDAP users?

Alexander Skwar listen at alexander.skwar.name
Tue Aug 14 22:29:17 EST 2007


David Leonard <d at adaptive-enterprises.com.au> wrote:

> Alexander Skwar wrote:
>> I've got a problem logging in to a Sparc Solaris 10 machine
> 
>> I guess the most important lines are these:
>>
>> debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication failed)
>> [...]
>> Access denied for user testme by PAM account configuration
>>
>> Why is PAM denying access?
>>   
> 
> Hi, Alexander
> See this post for information on enabling debug output from the pam
> stack on Solaris:
> http://mail.opensolaris.org/pipermail/ug-bosug/2006-July/000746.html

Whoops. My previous reply to your mail related to a different server.
This time, I added

debug_flags = 0x17
log_facility = 22
log_priority = 7

to the /etc/pam_debug file on the correct server - still doesn't tell
me much, though...

,----[ PAM Debug Messages on correct server ]
| ==> ./remote/winds06/auth/debug <==
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 783976 auth.debug] PAM[3078]: pam_start(sshd,testme,8c204:98e30) - debug = 1
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:service)
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:user)
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:conv)
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:rhost)
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:tty)
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 899056 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0)
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug] __ns_ldap_getAcctMgmt() failed for testme with error 7
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 118913 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0): error Authentication failed
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:authtok)
| 
| ==> ./remote/winds06/auth/warning <==
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password
| Aug 14 14:22:12 winds06 sshd[3078]: [ID 293258 auth.warning] libsldap: Status: 7  Mesg: Session error no available conn.
| 
| ==> ./remote/winds06/local4/debug <==
| Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <= bdb_equality_candidates: (memberUid) index_param failed (18)
| Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <= bdb_equality_candidates: (uid) index_param failed (18)
| Aug 14 14:22:12 winds06 slapd[24115]: [ID 580335 local4.debug] conn=1380 op=0 ENTRY dn="uid=testme,ou=people,ou=race,o=Example"
`----

Hmm:

Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug] __ns_ldap_getAcctMgmt() failed for testme with error 7

"error 7"? What's that?

Anyway. Still looks like a PAM / LDAP issue. But what I don't get is why
I *am* able to log in as some users with a pubkey. Any ideas about why
that might be?

Strange.

Alexander Skwar
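
A triage helper for Solaris PAM debug output like the lines quoted above, added here as an example (not part of the original message and not OpenSSH or Solaris code). It groups syslog lines by process ID, records which modules were loaded for the PAM function that failed, and attaches the non-framework messages logged by the same process. The name `triage` and the line patterns are assumptions derived only from the lines in this post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the syslog lines quoted in the message above.
SAMPLE = """\
Aug 14 14:22:12 winds06 sshd[3078]: [ID 899056 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0)
Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug] __ns_ldap_getAcctMgmt() failed for testme with error 7
Aug 14 14:22:12 winds06 sshd[3078]: [ID 118913 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0): error Authentication failed
Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password
Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password
Aug 14 14:22:12 winds06 sshd[3078]: [ID 293258 auth.warning] libsldap: Status: 7  Mesg: Session error no available conn.
Aug 14 14:22:12 winds06 slapd[24115]: [ID 580335 local4.debug] conn=1380 op=0 ENTRY dn="uid=testme,ou=people,ou=race,o=Example"
"""

# Patterns assumed from the quoted lines: "proc[pid]: [ID n facility.level] message"
LINE = re.compile(r"(\w+)\[(\d+)\]: \[ID \d+ [\w.]+\] (.*)$")
LOAD = re.compile(r"load_modules\(\w+, (\w+)\)=(\S+)")
FAIL = re.compile(r"PAM\[\d+\]: pam_(\w+)\([^)]*\): error (.+)$")

def triage(text):
    """Return one finding per failed PAM call, with the modules loaded for it."""
    loaded = defaultdict(list)  # (pid, service function) -> module names in load order
    notes = defaultdict(list)   # pid -> messages not written by the PAM framework
    failures = []
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        _, pid, msg = m.groups()
        if (ld := LOAD.search(msg)):
            loaded[pid, ld[1]].append(ld[2].rsplit("/", 1)[-1])
        elif (f := FAIL.search(msg)):
            # Snapshot the stack as it stood when the error was logged.
            failures.append((pid, f[1], f[2], list(loaded[pid, "pam_sm_" + f[1]])))
        elif not msg.startswith("PAM[") and msg not in notes[pid]:
            notes[pid].append(msg)  # module/library diagnostics, de-duplicated
    # Diagnostics are attached last: they may sit in another log file or section.
    return [{"pid": pid, "call": "pam_" + call, "error": err, "stack": stack,
             "diagnostics": notes[pid]} for pid, call, err, stack in failures]

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```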


