Package: libpam-ldapd
Version: 0.7.12
Severity: normal

Hi,

I set up several machines with libpam-ldapd. I observed that, if I give the
wrong password the first time it is asked (for ssh connection, sudo, ...)
then I cannot log in even if I give the correct password at the second (and
third) try.

Example:

  vdanj...@aya:~$ sudo su
  [sudo] password for vdanjean: [WRONG PASS]
  Sorry, try again.
  [sudo] password for vdanjean: [CORRECT PASS]
  sudo: pam_acct_mgmt: 7
  Sorry, try again.
  [sudo] password for vdanjean: [CORRECT PASS]
  sudo: pam_acct_mgmt: 7
  Sorry, try again.
  sudo: 3 incorrect password attempts
  vdanj...@aya:~$

or:

  vdanj...@eyak:~$ ssh aya -l cbardel
  cbar...@aya's password: [WRONG PASS]
  Permission denied, please try again.
  cbar...@aya's password: [CORRECT PASS]
  Connection closed by 10.77.0.3
  vdanj...@eyak:~$

Looking into the logs, it seems I'm refused due to the account pam stack
(not the auth pam stack) when I give the good password.

Here are the logs in /var/log/auth.log for the two previous examples:

[SSH connection]

  Nov 20 17:21:31 aya sshd[32348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=eyak.vpn.danjean.fr user=cbardel
  Nov 20 17:21:31 aya sshd[32348]: pam_ldap(sshd:auth): Authentication failure; user=cbardel
  Nov 20 17:21:33 aya sshd[32348]: Failed password for cbardel from 10.77.2.254 port 40461 ssh2
  Nov 20 17:21:35 aya sshd[32348]: pam_ldap(sshd:account): ; user=cbardel
  Nov 20 17:21:35 aya sshd[32348]: Failed password for cbardel from 10.77.2.254 port 40461 ssh2

[Sudo invocation]

  Nov 20 17:22:17 aya sudo: pam_unix(sudo:auth): authentication failure; logname=vdanjean uid=0 euid=0 tty=/dev/pts/7 ruser=vdanjean rhost= user=vdanjean
  Nov 20 17:22:17 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; user=vdanjean
  Nov 20 17:22:21 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
  Nov 20 17:22:21 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
  Nov 20 17:22:27 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
  Nov 20 17:22:27 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
  Nov 20 17:22:27 aya sudo: vdanjean : 3 incorrect password attempts ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su

I do not have these problems for local accounts (and I log in correctly if I
give the good password at the first try for ldap accounts).

/etc/pam.d/common-auth is (removing comment lines):

  auth [success=2 default=ignore] pam_unix.so nullok_secure
  auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
  auth requisite pam_deny.so
  auth required pam_permit.so

/etc/pam.d/common-account is (removing comment lines):

  account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so
  account requisite pam_deny.so
  account required pam_permit.so
  account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad] pam_ldap.so minimum_uid=1000

Do you know what happens?

  Regards,
    Vincent

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libpam-ldapd depends on:
ii  debconf [debconf-2.0]  1.5.36     Debian configuration management sy
ii  libc6                  2.11.2-7   Embedded GNU C Library: Shared lib
ii  libpam-runtime         1.1.1-6.1  Runtime support for the PAM librar
ii  libpam0g               1.1.1-6.1  Pluggable Authentication Modules l
ii  nslcd                  0.7.12     Daemon for NSS and PAM lookups usi

libpam-ldapd recommends no packages.

libpam-ldapd suggests no packages.

-- debconf information:
  libpam-ldapd/enable_shadow: true
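
The log signature in this report (a pam_ldap auth-stage entry followed, in the same session, by a pam_ldap account-stage entry with an empty message) can be searched for in auth.log on other hosts. The script below is an added example, not part of the original report or of the libpam-ldapd package; the function name and the session key (host, syslog tag, user) are assumptions, and the message text of the auth entry is not matched because it is localized.

```python
import re

# PAM module lines copied from the report's auth.log excerpts, plus one
# non-PAM sshd line from the same excerpt that the parser must skip.
SAMPLE_LOG = """\
Nov 20 17:21:31 aya sshd[32348]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=eyak.vpn.danjean.fr user=cbardel
Nov 20 17:21:31 aya sshd[32348]: pam_ldap(sshd:auth): Authentication failure; user=cbardel
Nov 20 17:21:33 aya sshd[32348]: Failed password for cbardel from 10.77.2.254 port 40461 ssh2
Nov 20 17:21:35 aya sshd[32348]: pam_ldap(sshd:account): ; user=cbardel
Nov 20 17:22:17 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; user=vdanjean
Nov 20 17:22:21 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 20 17:22:27 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
"""

# <timestamp> <host> <tag>: <module>(<service>:<stage>): <message>; ... user=<name>
PAM_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) (?P<tag>\S+?): "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<stage>\w+)\): "
    r"(?P<msg>.*?); .*?\buser=(?P<user>\S+)"
)

def find_suspect_account_entries(log_text, module="pam_ldap"):
    """Return (host, tag, user, auth_ts, account_ts) for every account-stage
    entry with an empty message that follows an auth-stage entry logged by
    the same module in the same session (host, syslog tag, user)."""
    last_auth = {}  # session -> timestamp of the latest auth-stage entry
    findings = []
    for line in log_text.splitlines():
        m = PAM_LINE.match(line)
        if not m or m["module"] != module:
            continue  # not a PAM module line, or a different module
        session = (m["host"], m["tag"], m["user"])
        if m["stage"] == "auth":
            last_auth[session] = m["ts"]
        elif m["stage"] == "account" and m["msg"] == "" and session in last_auth:
            findings.append(session + (last_auth[session], m["ts"]))
    return findings

if __name__ == "__main__":
    for host, tag, user, auth_ts, acct_ts in find_suspect_account_entries(SAMPLE_LOG):
        print(f"{host} {tag} user={user}: auth entry {auth_ts}, "
              f"empty account-stage entry {acct_ts}")
```

sudo logs without a PID in its syslog tag, so on a busy host two sudo invocations by the same user share one session key; narrow the time window if that matters.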