error in auth.log but can login; LDAP/PAM

I have a server running OpenLDAP. When I start an SSH session I can log in without problems, but an error appears in the logs. This only happens when I log in with an LDAP account (so not with a system account such as root). Any help to eliminate these errors would be much appreciated.



The relevant piece from /var/log/auth.log



sshd[6235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com user=peter
sshd[6235]: Accepted password for peter from 192.168.1.2 port 2441 ssh2
sshd[6235]: pam_unix(sshd:session): session opened for user peter by (uid=0)


pam common-session



session [default=1] pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so


pam common-auth



auth [success=1 default=ignore] pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
auth sufficient pam_unix.so nullok_secure use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so


pam common-account



account [success=2 new_authtok_reqd=done default=ignore] pam_ldap.so
account [success=1 default=ignore] pam_unix.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
account sufficient pam_ldap.so
account sufficient pam_unix.so









ssh ldap pam






asked Sep 30 '11 at 12:21









Peter

Post the relevant portion of the log file from the directory server.

– Terry Gardner
Sep 30 '11 at 14:49















1 Answer














This error occurs because the pam_unix module is asked to check the password of an LDAP user, and of course fails. This failure is then ignored by your PAM config, but the module logs it anyway (and this can't be disabled).



However, your config looks quite strange to me. You are using each of pam_unix and pam_ldap twice, and I suggest you clean this up. If you use only their first occurrences, the error message should go away (because pam_unix will be skipped for successfully authenticated LDAP users). However, I'm not sure what you wanted to achieve with the double checks and the pam_succeed_if line, so please be sure you know what you are doing when changing this config.
















answered Jun 28 '12 at 7:45

Philipp Wendler
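
Added example (not part of the original answer, and not Linux-PAM code): a simplified Python model of how the auth stack from the question is walked, showing that the second pam_unix.so line is reached for an LDAP user and that the first three lines alone skip it. The module return codes, the three-line trimmed stack and the treatment of jumps as having no effect on the verdict are assumptions made for illustration.

```python
import re

# Keyword controls as bracket forms (pam.conf(5)), abridged to the codes used here.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)")

# common-auth exactly as posted in the question.
AS_POSTED = """\
auth [success=1 default=ignore] pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
auth sufficient pam_unix.so nullok_secure use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
# Assumed reading of the answer's "only their first occurrences": first three lines.
TRIMMED = "".join(AS_POSTED.splitlines(keepends=True)[:3])

def parse(text, facility="auth"):
    """Return [(control_map, module)] for one facility; other lines are skipped."""
    stack = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m and m.group(1) == facility:   # assumes bracket controls name a default
            c = m.group(2)
            ctl = dict(kv.split("=") for kv in c[1:-1].split()) if c[0] == "[" else KEYWORDS[c]
            stack.append((ctl, m.group(3)))
    return stack

def run(text, results):
    """Walk the auth stack; results maps module -> the code it would return."""
    stack, called, failed, granted, i = parse(text), [], False, False, 0
    while i < len(stack):
        ctl, module = stack[i]
        i += 1
        called.append(module)
        action = ctl.get(results[module], ctl["default"])
        if action.isdigit():
            i += int(action)          # jump over N modules, verdict unchanged
        elif action in ("ok", "done"):
            granted = granted or not failed
        elif action in ("bad", "die"):
            failed = True
        if action == "die" or (action == "done" and not failed):
            break
    return called, granted and not failed

# Constructed module results: LDAP user, local user, wrong password.
LDAP_USER = {"pam_ldap.so": "success", "pam_unix.so": "auth_err", "pam_deny.so": "auth_err",
             "pam_permit.so": "success", "pam_succeed_if.so": "success"}
LOCAL_USER = dict(LDAP_USER, **{"pam_ldap.so": "user_unknown", "pam_unix.so": "success"})
BAD_PASSWORD = dict(LDAP_USER, **{"pam_ldap.so": "auth_err"})
print(run(AS_POSTED, LDAP_USER), run(TRIMMED, LDAP_USER))
```

Every call to pam_unix.so with an LDAP user's password is a call that writes the "authentication failure" line, so the list of called modules is what to compare between the two stacks.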
