OpenSSH public key problem with Solaris 10 and LDAP users?

Douglas E. Engert deengert at anl.gov
Tue Aug 14 23:10:40 EST 2007


Does the Solaris 10 sshd work or fail the same way?


Alexander Skwar wrote:
> David Leonard <d at adaptive-enterprises.com.au> wrote:
> 
>> Alexander Skwar wrote:
>>> I've got a problem logging in to a Sparc Solaris 10 machine
>>> I guess the most important lines are these:
>>>
>>> debug3: PAM: do_pam_account pam_acct_mgmt = 9 (Authentication failed)
>>> [...]
>>> Access denied for user testme by PAM account configuration
>>>
>>> Why is PAM denying access?
>>>   
>> Hi, Alexander
>> See this post for information on enabling debug output from the pam
>> stack on Solaris:
>> http://mail.opensolaris.org/pipermail/ug-bosug/2006-July/000746.html
> 
> Whoops. My previous reply to your mail related to a different server.
> This time, I added
> 
> debug_flags = 0x17
> log_facility = 22
> log_priority = 7
> 
> to the /etc/pam_debug file on the correct server - still doesn't tell
> me much, though...
> 
> ,----[ PAM Debug Messages on correct server ]
> | ==> ./remote/winds06/auth/debug <==
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 783976 auth.debug] PAM[3078]: pam_start(sshd,testme,8c204:98e30) - debug = 1
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:service)
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:user)
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:conv)
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:rhost)
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:tty)
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 899056 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0)
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug] __ns_ldap_getAcctMgmt() failed for testme with error 7
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 118913 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0): error Authentication failed
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:authtok)
> | 
> | ==> ./remote/winds06/auth/warning <==
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password
> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password

These look strange. It might be the access rules in LDAP that are preventing an anonymous user from reading the account.
Is nscd running? It should be. Did you use the Solaris ldapclient tool to configure LDAP on the client?
It should have started it. It will access LDAP using the proxy user and password.

> | Aug 14 14:22:12 winds06 sshd[3078]: [ID 293258 auth.warning] libsldap: Status: 7  Mesg: Session error no available conn.
> | 
> | ==> ./remote/winds06/local4/debug <==
> | Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <= bdb_equality_candidates: (memberUid) index_param failed (18)
> | Aug 14 14:22:12 winds06 slapd[24115]: [ID 925615 local4.debug] <= bdb_equality_candidates: (uid) index_param failed (18)
> | Aug 14 14:22:12 winds06 slapd[24115]: [ID 580335 local4.debug] conn=1380 op=0 ENTRY dn="uid=testme,ou=people,ou=race,o=Example"
> `----
> 
> Hmm:
> 
> Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug] __ns_ldap_getAcctMgmt() failed for testme with error 7
> 
> "error 7"? What's that?
> 
> Anyway. Still looks like PAM / LDAP issue. But what I don't get is, why
> I *am* able to login as some users with a pubkey. Any ideas about why
> that might be?
> 
> Strange.
> 
> Alexander Skwar
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
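Added example, not code from the thread, from OpenSSH or from Solaris: a small Python triage script run over a constructed copy of the pam_debug lines quoted above (the sample log is embedded inline; the ordering between the auth.debug and auth.warning files is assumed, since they carry the same timestamp). It walks the trace per sshd PID, records which PAM phase failed, lists the account-management modules in the order the framework loaded them, and attributes the error to the module whose own diagnostics (libsldap, __ns_ldap_*) appear after its load_modules line. The last-loaded module alone is only a lead, because a module with a required control flag does not stop the stack, so later modules still get loaded after a failure; the diagnostics are what point at pam_ldap here. The "does not provide account information without password" check flags the pubkey case, in which sshd reaches pam_acct_mgmt with no password for the module to use.

```python
"""Triage a Solaris /etc/pam_debug trace for an sshd account-management failure.

Added example; the sample log below is a constructed, condensed copy of the
auth.debug / auth.warning lines quoted in the thread for sshd pid 3078.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Aug 14 14:22:12 winds06 sshd[3078]: [ID 783976 auth.debug] PAM[3078]: pam_start(sshd,testme,8c204:98e30) - debug = 1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 262804 auth.debug] PAM[3078]: pam_set_item(98e30:user)
Aug 14 14:22:12 winds06 sshd[3078]: [ID 899056 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0)
Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_roles.so.1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_unix_account.so.1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
Aug 14 14:22:12 winds06 sshd[3078]: [ID 684966 auth.debug] PAM[3078]: load_modules(98e30, pam_sm_acct_mgmt)=/usr/lib/security/pam_ldap.so.1
Aug 14 14:22:12 winds06 sshd[3078]: [ID 555781 auth.debug] PAM[3078]: load_function: successful load of pam_sm_acct_mgmt
Aug 14 14:22:12 winds06 sshd[3078]: [ID 835736 auth.debug] __ns_ldap_getAcctMgmt() failed for testme with error 7
Aug 14 14:22:12 winds06 sshd[3078]: [ID 778364 auth.warning] libsldap: server 127.0.0.1 does not provide account information without password
Aug 14 14:22:12 winds06 sshd[3078]: [ID 293258 auth.warning] libsldap: Status: 7  Mesg: Session error no available conn.
Aug 14 14:22:12 winds06 sshd[3078]: [ID 118913 auth.debug] PAM[3078]: pam_acct_mgmt(98e30, 0): error Authentication failed
"""

# Solaris syslog layout: "<date> <host> sshd[<pid>]: [ID <n> <facility.level>] <message>"
PID_RE = re.compile(r'\bsshd\[(\d+)\]: ')
TAG_RE = re.compile(r'^\[ID \d+ [\w.]+\] ')
START_RE = re.compile(r'^PAM\[\d+\]: pam_start\(([^,]+),([^,]+),')
PHASE_RE = re.compile(r'^PAM\[\d+\]: (pam_\w+)\([0-9a-f]+, \d+\)$')
ERROR_RE = re.compile(r'^PAM\[\d+\]: (pam_\w+)\([0-9a-f]+, \d+\): error (.+)$')
LOAD_RE = re.compile(r'load_modules\([0-9a-f]+, (pam_sm_\w+)\)=(\S+)$')


def new_session():
    return {'service': None, 'user': None, 'phase': None,
            'failed_phase': None, 'error': None, 'modules': []}


def summarize(s):
    """Pick the suspect module for the failed phase: a module that logged its
    own diagnostics after being loaded, else the last one loaded."""
    failing = [m for m in s['modules'] if m['phase'] == s['failed_phase']]
    suspects = [m for m in failing if m['diagnostics']] or failing[-1:]
    suspect = suspects[-1] if suspects else None
    diags = suspect['diagnostics'] if suspect else []
    return {
        'service': s['service'],
        'user': s['user'],
        'failed_phase': s['failed_phase'],
        'error': s['error'],
        'stack': [m['module'] for m in failing],
        'suspect': suspect['module'] if suspect else None,
        'diagnostics': diags,
        # libsldap says so explicitly when the account check needed a password
        # the session (e.g. a pubkey login) never supplied.
        'needs_password': any('without password' in d for d in diags),
    }


def triage(text):
    """Return {pid: summary} for every sshd PAM session seen in the text."""
    sessions = defaultdict(new_session)
    for line in text.splitlines():
        m = PID_RE.search(line)
        if not m:
            continue
        s = sessions[m.group(1)]
        msg = TAG_RE.sub('', line[m.end():])
        mm = START_RE.match(msg)
        if mm:
            s['service'], s['user'] = mm.group(1), mm.group(2)
            continue
        mm = ERROR_RE.match(msg)
        if mm:
            s['failed_phase'], s['error'] = mm.group(1), mm.group(2)
            continue
        mm = PHASE_RE.match(msg)
        if mm:
            s['phase'] = mm.group(1)
            continue
        mm = LOAD_RE.search(msg)
        if mm:
            s['modules'].append({'phase': s['phase'], 'hook': mm.group(1),
                                 'module': mm.group(2).rsplit('/', 1)[-1],
                                 'diagnostics': []})
            continue
        if msg.startswith('PAM['):
            continue  # framework chatter: pam_set_item, load_function, ...
        # Anything else the sshd process logs between two module loads is
        # attributed to the module loaded most recently (libsldap, __ns_ldap_*).
        if s['modules']:
            s['modules'][-1]['diagnostics'].append(msg)
    return {pid: summarize(s) for pid, s in sessions.items()}


if __name__ == '__main__':
    for pid, r in triage(SAMPLE_LOG).items():
        print(f"sshd[{pid}] user={r['user']} phase={r['failed_phase']} error={r['error']!r}")
        print(f"  stack:   {' -> '.join(r['stack'])}")
        print(f"  suspect: {r['suspect']} (needs password: {r['needs_password']})")
        for d in r['diagnostics']:
            print(f"    {d}")
```

On a real host, feed it the debug and warning files that the log_facility / log_priority lines in /etc/pam_debug route to syslog, after sorting them by timestamp; a session in which the suspect is pam_ldap.so.1 and needs_password is set is the case discussed above, where the account check fails for a user who logged in with a key and therefore never presented a password.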