From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-TW; rv:1.7.6) Gecko/20050318 Firefox/1.0.2

Description of problem:
When using pam_ldap to obtain accounts/groups from an LDAP server, it works in RHEL3, but has some problems in RHEL 4. After configuring with "authconfig", accounts in the LDAP server could log in to the server from console and telnet-server, but not from ssh. But after downgrading openssh to the same version as RHEL3 used, everything works fine.

Version-Release number of selected component (if applicable):
openssh-server-3.9p1-8.RHEL4.1.i386

How reproducible:
Always

Steps to Reproduce:
1. set up pam_ldap and nss_ldap
2. make sure the server can obtain accounts by "getent passwd"

Actual Results:
Login from console and telnet is OK, but ssh does not work; it always shows "password incorrect".

Expected Results:
Accounts in the LDAP server must be able to log in to the server from console/telnet/ssh.

Additional info:

This must be some configuration problem. Could you please attach snippets from the /var/log/messages and /var/log/secure when you're trying to connect to the sshd?
There is no message in /var/log/messages, only in /var/log/secure when I try to ssh to the server, like this:

May 24 01:14:48 OuTian-VM-AS4 sshd[2085]: Failed password for outian from ::ffff:192.168.147.1 port 2878 ssh2

But when I enable telnetd, it works with the same username/password from telnet. When I remove the openssh in RHEL 4 and install the previous version in RHEL3 (of course, with some libraries), it works fine! So I think it's a problem with openssh in RHEL 4?

Could you please attach your /etc/pam.d/system-auth and /etc/pam.d/sshd here?
After configuring with "authconfig", /etc/pam.d/system-auth:

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so
password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so
session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so

/etc/pam.d/sshd:

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

Could you please use the Issue Tracker to request solving the problem through the support?
Not enough information from reporter. I suppose there are some problems with account information stored in the ldap server.
(In reply to comment #6)
> Not enough information from reporter.
> I suppose there are some problems with account information stored in the ldap
> server.

No, I don't think so, because when I used RHEL 4 Update 1, the problem was solved. Anyway, thank you all the same.