
Re: Password authentication with LDAP and SSH



On Wed, Feb 01, 2006 at 07:07:11AM +0100, Jonas Liljenfeldt wrote:
> Hello all,
> 
> I run Debian Sarge and I have a problem with my SSH server (in
> combination with password authentication and LDAP). It doesn't work
> well with password authentication when I try to login as a LDAP user
> but it works well for users in /etc/passwd. If I try to login as a LDAP
> user via SSH and keyboard interactive as authentication mechanism it
> works well.
> 
> In /etc/nsswitch.conf I have:
> 
> passwd:         files ldap
> group:          files ldap
> shadow:         files ldap
> hosts:          files dns
> networks:       files
> protocols:      db files
> services:       db files
> #services       compat ldap
> ethers:         db files
> rpc:            db files
> netgroup:       nis

I had similar problems on a Sarge system and found that with the following
nsswitch.conf:

--*-- BEG: /etc/nsswitch.conf --*--
# /etc/nsswitch.conf
#
# Note that we have set the option 'UNAVAIL=return' for ldap and dns queries;
# that way when the server can't be reached the system goes a lot faster, as
# we don't need to wait for timeouts.
#
# That is especially important when using a system with udev, as it starts up
# before enabling the network connections and does a lot of user and group
# lookups when booting, making it look broken when booting without the
# unavail option enabled (the program prints nothing while it waits for 6 or 7
# lookup timeouts).

passwd:         files ldap [UNAVAIL=return]
group:          files ldap [UNAVAIL=return]
shadow:         files ldap [UNAVAIL=return]

hosts:          files dns [UNAVAIL=return]
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis
--*-- END: /etc/nsswitch.conf --*--

`getent passwd` and `getent group` work as expected and with the following
pam.d configuration files:

--*-- BEG: /etc/pam.d/common-account --*--
# /etc/pam.d/common-account - authorization settings common to all services
account  sufficient                 pam_unix.so
account  required                   pam_ldap.so
--*-- END: /etc/pam.d/common-account --*--
--*-- BEG: /etc/pam.d/common-auth --*--
# /etc/pam.d/common-auth - authentication settings common to all services
auth     [success=1 default=ignore] pam_unix.so nullok_secure
auth     required                   pam_ldap.so use_first_pass
auth     required                   pam_permit.so
--*-- END: /etc/pam.d/common-auth --*--
--*-- BEG: /etc/pam.d/common-password --*--
# /etc/pam.d/common-password - password-related modules common to all services
password required                   pam_unix.so nullok obscure min=4 max=8 md5
--*-- END: /etc/pam.d/common-password --*--
--*-- BEG: /etc/pam.d/common-session --*--
# /etc/pam.d/common-session - authentication settings common to all services
session  required                   pam_unix.so
--*-- END: /etc/pam.d/common-session --*--

the local users and the ones defined on LDAP work OK for all services (note
that I don't use LDAP on the session module nor the password module, the last
one because on my systems the LDAP users are supposed to change their
passwords using smbldap-password, not the system's password command).

Hope that it helps.

Greetings,

  Sergio.

-- 
Sergio Talens-Oliag <sto@debian.org>   <http://people.debian.org/~sto/>
Key fingerprint = 29DF 544F  1BD9 548C  8F15 86EF  6770 052B  B8C1 FA69
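
The common-auth stack above works because of how the control fields chain: `[success=1 default=ignore]` on pam_unix skips pam_ldap when the local password checks out and contributes nothing when it does not, pam_ldap is then the only module that can decide for a directory user, and the trailing pam_permit is what leaves a success code on the stack after a jump. The following script is an added example, not code from the mail, Debian or Linux-PAM: it is a deliberately reduced model of those three control fields, run against two constructed user tables (a local user and an LDAP-only user, both made up here). The reading of the jump action as "steer control only, record no result of its own" is an assumption of the model; it is the rationale that makes the last pam_permit line necessary, and the model shows what that line buys by evaluating the same stack with and without it.

```python
"""Added example: a reduced model of the Linux-PAM control fields used by the
common-auth and common-account stacks in the mail.  Not the project's code;
the user tables and the exact control-field semantics are assumptions."""
import re

# Stacks as shown in the mail (module arguments dropped; they play no part here).
COMMON_AUTH = [
    ("[success=1 default=ignore]", "pam_unix.so"),
    ("required", "pam_ldap.so"),
    ("required", "pam_permit.so"),
]
COMMON_ACCOUNT = [
    ("sufficient", "pam_unix.so"),
    ("required", "pam_ldap.so"),
]

# Constructed user databases: one /etc/shadow user and one LDAP-only user.
LOCAL_USERS = {"alice": "alice-local-pw"}
LDAP_USERS = {"bob": "bob-ldap-pw"}


def module_result(module, phase, user, password, ldap_up=True):
    """Outcome of one module: True = PAM_SUCCESS, False = any failure code.

    pam_unix only knows local users; pam_ldap only knows directory users and
    fails outright when the directory is unreachable; pam_permit always passes.
    In the "account" phase only the existence of the user matters.
    """
    if module == "pam_permit.so":
        return True
    if module == "pam_unix.so":
        known = user in LOCAL_USERS
        return known if phase == "account" else known and LOCAL_USERS[user] == password
    if module == "pam_ldap.so":
        known = ldap_up and user in LDAP_USERS
        return known if phase == "account" else known and LDAP_USERS[user] == password
    raise ValueError("unknown module %s" % module)


def run_stack(stack, phase, user, password, ldap_up=True):
    """Walk one stack top to bottom, in a reduced model of pam_dispatch.

    required:   a failure is remembered but later modules still run.
    sufficient: success ends the stack with PAM_SUCCESS unless a required
                module already failed; a failure is ignored.
    [success=N default=ignore]: success skips the next N modules, failure is
                ignored, and (assumption of this model) the module's own result
                is not recorded, so a later module has to supply the success code.
    """
    i = 0
    required_failed = False
    success_recorded = False
    while i < len(stack):
        control, module = stack[i]
        ok = module_result(module, phase, user, password, ldap_up)
        if control == "required":
            if ok:
                success_recorded = True
            else:
                required_failed = True
        elif control == "sufficient":
            if ok and not required_failed:
                return True
        else:
            m = re.fullmatch(r"\[success=(\d+) default=ignore\]", control)
            if not m:
                raise ValueError("unsupported control field %s" % control)
            if ok:
                i += int(m.group(1))  # jump over the next N modules
        i += 1
    return success_recorded and not required_failed


def login(user, password, ldap_up=True, auth_stack=COMMON_AUTH):
    """An sshd-style password login: the auth stack, then the account stack."""
    return (run_stack(auth_stack, "auth", user, password, ldap_up)
            and run_stack(COMMON_ACCOUNT, "account", user, password, ldap_up))


if __name__ == "__main__":
    cases = [
        ("local user, right password", login("alice", "alice-local-pw")),
        ("local user, wrong password", login("alice", "nope")),
        ("LDAP user, right password", login("bob", "bob-ldap-pw")),
        ("LDAP user, wrong password", login("bob", "nope")),
        ("LDAP user, directory down", login("bob", "bob-ldap-pw", ldap_up=False)),
        ("local user, stack without pam_permit",
         login("alice", "alice-local-pw", auth_stack=COMMON_AUTH[:2])),
    ]
    for label, ok in cases:
        print("%-40s %s" % (label, "PAM_SUCCESS" if ok else "denied"))
```

The last case is the interesting one: with pam_permit removed, a correct local password makes pam_unix jump past the end of the stack and, in this model, nothing has recorded a success, so the login is denied. A wrong password for either kind of user, or an unreachable directory, is denied because pam_ldap is `required` and its failure is never skipped.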
