error in auth.log but can login; LDAP/PAM




I have a server running OpenLDAP. When I start an SSH session I can log in without problems, but an error appears in the logs. This only happens when I log in with an LDAP account (so not with a system account such as root). Any help to eliminate these errors would be much appreciated.



The relevant piece from /var/log/auth.log



sshd[6235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=example.com  user=peter
sshd[6235]: Accepted password for peter from 192.168.1.2 port 2441 ssh2
sshd[6235]: pam_unix(sshd:session): session opened for user peter by (uid=0)


pam common-session



session [default=1]                     pam_permit.so
session required pam_unix.so
session optional pam_ldap.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so


pam common-auth



auth    [success=1 default=ignore]      pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
auth sufficient pam_unix.so nullok_secure use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so


pam common-account



account [success=2 new_authtok_reqd=done default=ignore]        pam_ldap.so
account [success=1 default=ignore] pam_unix.so
account required pam_unix.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
account sufficient pam_ldap.so
account sufficient pam_unix.so






ssh ldap pam







asked Sep 30 '11 at 12:21

Peter


  • Post the relevant portion of the log file from the directory server.

    – Terry Gardner
    Sep 30 '11 at 14:49





























1 Answer














This error occurs because the pam_unix module is asked to check the password of an LDAP user, and of course fails. This failure is then ignored by your PAM config, but the module logs it anyway (and this can't be disabled).



However, your config looks quite strange to me. You are using each of pam_unix and pam_ldap twice, and I suggest you clean this up. If you use only their first occurrences, the error message should go away (because pam_unix will be skipped for successfully authenticated LDAP users). However, I'm not sure what you wanted to achieve with the double checks and the pam_succeed_if line, so please be sure you know what you are doing when changing this config.







answered Jun 28 '12 at 7:45

Philipp Wendler
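
The control flow the answer describes can be traced with a simplified model of PAM control evaluation. This is an added example, not part of the original answer or of Linux-PAM: the names `parse`, `run` and `ignored_failures`, the per-module outcomes for an LDAP-only user, and the reading of "only the first occurrences" as the first three auth lines are all assumptions made for illustration.

```python
import re

# common-auth exactly as posted in the question.
COMMON_AUTH = """\
auth    [success=1 default=ignore]      pam_ldap.so
auth required pam_unix.so nullok_secure use_first_pass
auth required pam_permit.so
session required pam_mkhomedir.so skel=/etc/skel umask=0022 silent
auth sufficient pam_unix.so nullok_secure use_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
"""
# Assumption: "only the first occurrences" read as the first three auth lines.
TRIMMED = "\n".join(COMMON_AUTH.splitlines()[:3])

# Keyword controls in bracket form (pam.conf(5)), reduced to success/default.
KEYWORDS = {
    "required":   {"success": "ok",   "default": "bad"},
    "requisite":  {"success": "ok",   "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok",   "default": "ignore"},
}
LINE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def parse(text, facility="auth"):
    """Return [(module, actions)] for one facility; other lines are skipped."""
    stack = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m or m.group(1) != facility:
            continue  # e.g. the stray 'session' line inside common-auth
        ctrl = m.group(2)
        actions = (dict(kv.split("=") for kv in ctrl[1:-1].split())
                   if ctrl.startswith("[") else KEYWORDS[ctrl])
        stack.append((m.group(3), actions))
    return stack

def run(stack, outcome):
    """outcome: module -> True (PAM_SUCCESS) or False. Returns (trace, granted)."""
    trace, failed, granted, i = [], False, False, 0
    while i < len(stack):
        module, actions = stack[i]
        ok = outcome[module]
        action = actions.get("success" if ok else "default", actions["default"])
        trace.append((module, ok, action))
        i += 1
        if action.isdigit():          # jump: skip N modules; adds nothing to
            i += int(action)          # the verdict in this simplified model
        elif action in ("bad", "die"):
            failed = True
            if action == "die":
                break
        elif action in ("ok", "done"):
            granted = True
            if action == "done" and not failed:
                break
    return trace, granted and not failed

def ignored_failures(trace):
    """Modules that ran, failed, and had the failure discarded by the control."""
    return [m for m, ok, action in trace if not ok and action == "ignore"]

# Constructed outcomes: the user exists only in LDAP, so pam_unix cannot verify him.
LDAP_USER = {"pam_ldap.so": True, "pam_unix.so": False, "pam_permit.so": True,
             "pam_succeed_if.so": True, "pam_deny.so": False}
```

On the posted stack the second `pam_unix.so` line (the `sufficient` one) still runs and fails for the LDAP user, which corresponds to the `pam_unix(sshd:auth): authentication failure` entry. On the trimmed stack it is never invoked, and a wrong password is still rejected because the one remaining `pam_unix.so` line is `required`.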
