Unable to properly login with cached password using libpam-ccreds
I'm trying to setup my ldap clients to cache their passwords so they are able to login if the network connection to the ldap servers go down. All servers and clients are
running etch. But I'm having issues getting users to login successfully with a simulated ldap outtage. While the network is connected, the ldap user newuser is able to ssh
in just fine, I can see that the user's password is cached properly using cc_dump and testing with cc_test. I don't think it's a problem with me entering in the password
(its just 111111, as you can see with cc_test)
xxxxxx19:~/ldap# cc_dump
Credential Type User Service Cached Credentials
----------------------------------------------------------------------------------
Salted SHA1 newuser any 37955e15e8960ac751616ed1c631f18763806651
xxxxxx19:~/ldap# cc_test -validate any newuser 111111
pam_cc_validate_credentials: Success
xxxxxx19:~/ldap# cc_test -validate any newuser 11111a
pam_cc_validate_credentials: Authentication failure
The oddest part (which must point to pam issues methinks) is that the first login attempt will always fail, while the second attempt will always work
xxxxxx19:~/ldap# ssh newuser@localhost
newuser@localhost's password:
Permission denied, please try again.
newuser@localhost's password:
You have been logged on using cached credentials.
Linux xxxxxx19 2.6.24-etchnhalf.1-686-bigmem #1 SMP Tue Dec 2 08:50:08 UTC 2008 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Feb 27 14:28:36 2009 from localhost
newuser@xxxxxx19:~$
All cached nss functionality is there during ldap server downtime.
xxxxxx19:~/ldap# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
REJECT tcp -- anywhere anywhere tcp dpt:ldap reject-with icmp-port-unreachable
xxxxx19:~/ldap# id newuser
uid=1000(newuser) gid=1000(cfwos-user) groups=1000(test-user)
xxxxxx19:~/ldap# grep newuser /etc/passwd
xxxxxx19:~/ldap#
I've installed the following packages on the clients
nss-updatedb
libnss-db
libpam-ccreds
libpam-ldap
libnss-ldap
ldap-utils
Here are my pam configs.
newuser@xxxxxx19:~$ grep -v ^# /etc/pam.d/common-*|strings
/etc/pam.d/common-account:
/etc/pam.d/common-account:
/etc/pam.d/common-account:account sufficient pam_unix.so nullok_secure
/etc/pam.d/common-account:account sufficient pam_ldap.so
/etc/pam.d/common-account:account required pam_permit.so
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:
/etc/pam.d/common-auth:auth sufficient pam_unix.so
/etc/pam.d/common-auth:auth required pam_group.so use_first_pass
/etc/pam.d/common-auth:auth [authinfo_unavail=ignore success=1 default=die] pam_ldap.so use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=validate use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=store use_first_pass
/etc/pam.d/common-auth:auth [default=done] pam_ccreds.so action=update use_first_pass
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-password:password sufficient pam_ldap.so ignore_unknown_user
/etc/pam.d/common-password:password required pam_unix.so nullok obscure min=4 max=8 md5
/etc/pam.d/common-password:
/etc/pam.d/common-password:
/etc/pam.d/common-session:session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
/etc/pam.d/common-session:session required pam_unix.so
/etc/pam.d/common-session:session optional pam_ldap.so
newuser@xxxxxx19:~$ grep -v ^# /etc/pam.d/login |strings
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
And the libnss/pam_ldap configs
xxxxxx19:~/ldap# vc /etc/libnss-ldap.conf
base dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://xxxsrvr0.xxx.xx.xx.xx
uri ldap://xxxsrvr1.xxx.xx.xx.xx
ldap_version 3
rootbinddn cn=directory manager
bind_timelimit 2
bind_policy soft
pam_check_host_attr yes
pam_password exop
tls_cacertdir /etc/ldap/cacerts
xxxxxx19:~/ldap# vc /etc/pam_ldap.conf
base dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://xxxsrvr0.xxx.xx.xx.xx
uri ldap://xxxsrvr1.xxx.xx.xx.xx
ldap_version 3
rootbinddn cn=directory manager
pam_check_host_attr yes
pam_password exop
ssl start_tls
tls_cacertdir /etc/ldap/cacerts
Here is the log contents from auth.log
xxxxxx19:/var/log# grep 28664 auth.log.work |grep -v nss_ldap
Feb 27 14:51:18 xxxxxx19 sshd[28664]: pam_ldap: ldap_starttls_s: Can't contact LDAP server
Feb 27 14:51:20 xxxxxx19 sshd[28664]: Failed password for newuser from xxx.xx.xxx.247 port 44489 ssh2
Feb 27 14:51:36 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 27 14:51:44 xxxxxx19 sshd[28664]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Feb 27 14:51:44 xxxxxx19 sshd[28664]: Accepted password for newuser from xxx.xx.xxx.247 port 44489 ssh2
xxxxxx19:/var/log#
(without a whole bunch of messages from nss_ldap about not being able to find the server)
Anyone have any ideas?
Ryan Braun
Informatics Operations
Aviation and Defence Services Division
Chief Information Officer Branch, Environment Canada
CIV: (204) 833-2500x2625 CSN: 257-2625 FAX: (204) 833-2524
E-Mail: Ryan.Braun@ec.gc.ca
Reply to: