Environment: new install of openSUSE 13.1 into an internal network of mostly 10.2 and 10.3 openSUSE. LDAP server (@(#) $OpenLDAP: slapd 2.3.19 (Jul 28 2006 17:00:02)) running on SUSE LE 10.
Attempting to configure new 13.1 ldap client host ("main") using nss_ldap and pam_ldap (i.e., not using the SSSD). All older clients working fine w/ LDAP server.
Get following error when ssh to new host "main" (some info obscured) from older host "test":
Sep 19 11:17:43 main sshd[10460]: Invalid user XXX from 10.3.0.72
Sep 19 11:17:43 main sshd[10460]: input_userauth_request: invalid user XXX [preauth]
Sep 19 11:17:43 main sshd[10460]: Postponed keyboard-interactive for invalid user XXX from 10.3.0.72 port 57170 ssh2 [preauth]
Sep 19 11:17:47 main sshd[10462]: pam_ldap: error trying to bind as user "uid=XXX,ou=people,dc=XXX,dc=YYYY,dc=org" (Invalid credentials)
Sep 19 11:17:47 main sshd[10460]: error: PAM: Authentication failure for illegal user XXX from test.blah.org
- getent passwd XXX — returns nothing
- getent group GGG – returns the ldap group info for known group GGG
- main:/etc # ldapsearch -x -L -u -t "(uid=XXX)" – returns the LDAP info on user XXX
My /etc/pam.d/common-password is:
password requisite pam_pwcheck.so nullok cracklib remember=
password sufficient pam_unix2.so use_authtok nullok
password required pam_ldap.so try_first_pass use_authtok
My /etc/pam.d/common-auth is:
auth required pam_env.so
auth sufficient pam_unix2.so
auth required pam_ldap.so use_first_pass
What am I missing/forgetting?
Best Answer
Got resolution by adding "+::::::" to end of local files (passwd & shadow) --- now able to ssh to ldap-based accounts from the new openSUSE 13.1 host...but there surely must be something within my pams that is still wrong and this is just a kludge (?) Or does the openSUSE 13.1 install incorrectly not add that ending tag to the file?
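The "+::::::" line from the answer is the inclusion marker that glibc's NSS compat mode reads from the flat files, so the following check (an added example, not part of the original thread) reports whether a database is in compat mode without such a line. It assumes the client's /etc/nsswitch.conf uses `passwd: compat`, which the thread does not show; the function names and the demo files are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch, not from the original thread.
# Assumption: the client uses glibc NSS "compat" mode for passwd/shadow.

# nss_sources DB NSSWITCH_FILE: print the source list configured for DB.
nss_sources() {
    awk -v db="$1:" '
        { sub(/#.*/, "") }                      # strip comments
        $1 == db { $1 = ""; sub(/^ +/, ""); print; exit }
    ' "$2"
}

# check_compat DB NSSWITCH_FILE FLAT_FILE prints one of:
#   no-compat            DB is not in compat mode, "+" lines are not consulted
#   compat-missing-plus  compat mode, but FLAT_FILE has no "+" inclusion line,
#                        so the remote backend is never queried for DB
#   compat-ok:BACKEND    compat mode with a "+" line; BACKEND comes from the
#                        DB_compat line (glibc falls back to nis without one)
check_compat() {
    db=$1; nsswitch=$2; flat=$3
    case " $(nss_sources "$db" "$nsswitch") " in
        *" compat "*) ;;
        *) echo "no-compat"; return 0 ;;
    esac
    if ! grep -q '^+' "$flat"; then
        echo "compat-missing-plus"; return 0
    fi
    backend=$(nss_sources "${db}_compat" "$nsswitch")
    echo "compat-ok:${backend:-nis}"
}

# demo: constructed files reproducing the thread's symptom (group lookups
# work, passwd lookups return nothing) and the state after the fix.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'passwd: compat' 'passwd_compat: ldap' \
        'group: files ldap' > "$d/nsswitch.conf"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' > "$d/passwd"
    echo "passwd before: $(check_compat passwd "$d/nsswitch.conf" "$d/passwd")"
    echo "group:         $(check_compat group "$d/nsswitch.conf" "$d/passwd")"
    echo '+::::::' >> "$d/passwd"
    echo "passwd after:  $(check_compat passwd "$d/nsswitch.conf" "$d/passwd")"
    rm -rf "$d"
}

# To inspect a real host instead of the demo files:
#   check_compat passwd /etc/nsswitch.conf /etc/passwd
#   check_compat shadow /etc/nsswitch.conf /etc/shadow   (needs root)
demo
```

A `compat-ok:nis` result on an LDAP client means the "+" line is present but no `passwd_compat: ldap` line redirects it to LDAP.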