On 20/11/2010 20:37, Arthur de Jong wrote:
> On Sat, 2010-11-20 at 17:26 +0100, Vincent Danjean wrote:
>> I setup several machines with libpam-ldapd. I observed that, if I give the
>> wrong password the first time it is asked (for ssh connection, sudo, ...)
>> then I cannot log in even if I give the correct password at the second (and
>> third) try.
> 
> I'm unable to reproduce this at this time.
> 
> Can you include nslcd debugging output (/etc/init.d/nslcd stop;nscd -d)
> while running the command ?
>
> You could also add the debug statement to the pam_ldap PAM module to
> give more debugging info.

I added "debug" for pam_ldap.so into the 5 common-* files in /etc/pam.d
Then, I started "nslcd -d"
And then I typed "sudo su"

Here is what I get in /var/log/auth.log:
[after the first wrong password]
Nov 21 22:11:30 aya sudo: pam_unix(sudo:auth): authentication failure; 
logname=vdanjean uid=0 euid=0 tty=/dev/pts/7 ruser=vdanjean rhost=  
user=vdanjean
Nov 21 22:11:30 aya sudo: pam_ldap(sudo:auth): nslcd authentication; 
user=vdanjean
Nov 21 22:11:30 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; 
user=vdanjean
[after the second correct password]
Nov 21 22:11:42 aya sudo: pam_ldap(sudo:account): nslcd authorisation; 
user=vdanjean
Nov 21 22:11:42 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 21 22:11:42 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; 
PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
[after the third correct password]
Nov 21 22:11:49 aya sudo: pam_ldap(sudo:account): nslcd authorisation; 
user=vdanjean
Nov 21 22:11:49 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 21 22:11:49 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; 
PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
Nov 21 22:11:49 aya sudo: vdanjean : 3 incorrect password attempts ; TTY=pts/7 
; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su

And, "nslcd -d" output:
nslcd: DEBUG: add_uri(ldap://ldap.danjean.fr/)
nslcd: version 0.7.12 starting
nslcd: DEBUG: unlink() of /var/run/nslcd/socket failed (ignored): No such file 
or directory
nslcd: DEBUG: setgroups(0,NULL) done
nslcd: DEBUG: setgid(136) done
nslcd: DEBUG: setuid(125) done
nslcd: accepting connections
[after the command and the first wrong password]
nslcd: [334873] DEBUG: connection from pid=31677 uid=0 gid=2001
nslcd: [334873] DEBUG: nslcd_pam_authc("vdanjean","","sudo","***")
nslcd: [334873] DEBUG: myldap_search(base="dc=danjean,dc=fr", 
filter="(&(objectClass=posixAccount)(uid=vdanjean))")
nslcd: [334873] DEBUG: ldap_initialize(ldap://ldap.danjean.fr/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_simple_bind_s(NULL,NULL) 
(uri="ldap://ldap.danjean.fr/";)
nslcd: [334873] DEBUG: myldap_search(base="cn=Vincent 
Danjean,ou=people,ou=Users,l=Grenoble,dc=danjean,dc=fr", 
filter="(objectClass=posixAccount)")
nslcd: [334873] DEBUG: ldap_initialize(ldap://ldap.danjean.fr/)
nslcd: [334873] DEBUG: ldap_set_rebind_proc()
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [334873] DEBUG: ldap_simple_bind_s("cn=Vincent 
Danjean,ou=people,ou=Users,l=Grenoble,dc=danjean,dc=fr","***") 
(uri="ldap://ldap.danjean.fr/";)
nslcd: [334873] DEBUG: failed to bind to LDAP server ldap://ldap.danjean.fr/: 
Invalid credentials
nslcd: [334873] DEBUG: ldap_unbind()
nslcd: [334873] lookup of user cn=Vincent 
Danjean,ou=people,ou=Users,l=Grenoble,dc=danjean,dc=fr failed: Invalid 
credentials
[after the second correct password]
nslcd: [b0dc51] DEBUG: connection from pid=31677 uid=0 gid=2001
nslcd: [b0dc51] DEBUG: nslcd_pam_authz("vdanjean","cn=Vincent 
Danjean,ou=people,ou=Users,l=Grenoble,dc=danjean,dc=fr","sudo","vdanjean","","/dev/pts/7")
[after the third correct password]
nslcd: [495cff] DEBUG: connection from pid=31677 uid=0 gid=2001
nslcd: [495cff] DEBUG: nslcd_pam_authz("vdanjean","cn=Vincent 
Danjean,ou=people,ou=Users,l=Grenoble,dc=danjean,dc=fr","sudo","vdanjean","","/dev/pts/7")



Log of nslcd when I type the correct password immediately:
nslcd: [8e1f29] DEBUG: connection from pid=959 uid=0 gid=2001
nslcd: [8e1f29] DEBUG: 
nslcd_pam_authz("vdanjean","","sudo","vdanjean","","/dev/pts/9")
nslcd: [8e1f29] DEBUG: myldap_search(base="dc=danjean,dc=fr", 
filter="(&(objectClass=posixAccount)(uid=vdanjean))")
nslcd: [8e1f29] DEBUG: ldap_initialize(ldap://ldap.danjean.fr/)
nslcd: [8e1f29] DEBUG: ldap_set_rebind_proc()
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_PROTOCOL_VERSION,3)
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_DEREF,0)
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_TIMELIMIT,0)
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_TIMEOUT,0)
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_NETWORK_TIMEOUT,0)
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_REFERRALS,LDAP_OPT_ON)
nslcd: [8e1f29] DEBUG: ldap_set_option(LDAP_OPT_RESTART,LDAP_OPT_ON)
nslcd: [8e1f29] DEBUG: ldap_simple_bind_s(NULL,NULL) 
(uri="ldap://ldap.danjean.fr/";)

  Let me know if you want more/other info.

>> Looking into the logs, it seems I'm refused due to the account pam
>> stack (not the auth pam stack) when I give the good password.
> 
> An LDAP server typically returns authentication result together with
> authorisation results (result of a single bind). The authorisation
> result is only evaluated on the account call. It could be that some
> information is held on for some reason.

Ok. My remark was due to the fact that /var/log/auth.log talks about
sudo:auth after the first password and sudo:account after the second
and third one. But this is probably due to the fact that the first
password is wrong whereas the second and third are correct.
[and indeed, this is the case: I tried with a wrong password the three
times and /var/log/auth.log talks about sudo:auth three times]

  Regards,
    Vincent

-- 
Vincent Danjean       GPG key ID 0x9D025E87         vdanj...@debian.org
GPG key fingerprint: FC95 08A6 854D DB48 4B9A  8A94 0BF7 7867 9D02 5E87
Unofficial packages: http://moais.imag.fr/membres/vincent.danjean/deb.html
APT repo:  deb http://people.debian.org/~vdanjean/debian unstable main
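As an added illustration (not code from the bug report or from nss-pam-ldapd), the following script parses the auth.log excerpt quoted above, re-joined onto single lines, and reports for each password prompt which PAM stages were logged and what pam_acct_mgmt returned, so that prompts where sudo reached the account stage without any auth-stage line stand out. Grouping lines by timestamp is an assumption that holds for this excerpt.

```python
import re
from collections import defaultdict

# Constructed sample: the auth.log lines quoted in the bug report, re-joined onto
# single lines (the mail client had wrapped them).
AUTH_LOG = """\
Nov 21 22:11:30 aya sudo: pam_unix(sudo:auth): authentication failure; logname=vdanjean uid=0 euid=0 tty=/dev/pts/7 ruser=vdanjean rhost=  user=vdanjean
Nov 21 22:11:30 aya sudo: pam_ldap(sudo:auth): nslcd authentication; user=vdanjean
Nov 21 22:11:30 aya sudo: pam_ldap(sudo:auth): Échec d'authentification; user=vdanjean
Nov 21 22:11:42 aya sudo: pam_ldap(sudo:account): nslcd authorisation; user=vdanjean
Nov 21 22:11:42 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 21 22:11:42 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
Nov 21 22:11:49 aya sudo: pam_ldap(sudo:account): nslcd authorisation; user=vdanjean
Nov 21 22:11:49 aya sudo: pam_ldap(sudo:account): ; user=vdanjean
Nov 21 22:11:49 aya sudo: vdanjean : pam_acct_mgmt: 7 ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
Nov 21 22:11:49 aya sudo: vdanjean : 3 incorrect password attempts ; TTY=pts/7 ; PWD=/home/vdanjean ; USER=root ; COMMAND=/bin/su
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sudo: "
STAGE_RE = re.compile(TS + r"(\w+)\((\w+):(\w+)\): ([^;]*);")   # module(service:stage): message;
ACCT_RE = re.compile(TS + r"\S+ : pam_acct_mgmt: (\d+) ;")      # sudo's own account-stage result
LOCK_RE = re.compile(TS + r"\S+ : (\d+) incorrect password attempts ;")

def stages_per_attempt(log_text):
    """Group lines by timestamp (assumption: one password prompt per second, true for
    this excerpt) and record which PAM stages were logged plus pam_acct_mgmt's return code."""
    attempts = defaultdict(lambda: {"stages": set(), "acct_mgmt": None, "lockout": None})
    for line in log_text.splitlines():
        if m := STAGE_RE.match(line):
            ts, module, _service, stage, _msg = m.groups()
            attempts[ts]["stages"].add((module, stage))
        elif m := ACCT_RE.match(line):
            attempts[m.group(1)]["acct_mgmt"] = int(m.group(2))
        elif m := LOCK_RE.match(line):
            attempts[m.group(1)]["lockout"] = int(m.group(2))
    return dict(attempts)

def find_auth_skipped(attempts):
    """Prompts where no pam_ldap auth-stage line was logged yet the account stage
    failed: pam_acct_mgmt returned non-zero (7 is PAM_AUTH_ERR in Linux-PAM)."""
    return [ts for ts, a in attempts.items()
            if ("pam_ldap", "auth") not in a["stages"] and a["acct_mgmt"] not in (None, 0)]

if __name__ == "__main__":
    attempts = stages_per_attempt(AUTH_LOG)
    for ts, a in attempts.items():
        print(ts, sorted(a["stages"]), "pam_acct_mgmt:", a["acct_mgmt"], "lockout:", a["lockout"])
    print("account stage failed without an auth stage at:", find_auth_skipped(attempts))
```

On the excerpt this reports the first prompt as an auth-stage failure and the second and third as account-stage failures with no auth line at all, which is exactly the pattern described in the thread.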
