I can see this log from audit.log when I try to log in:

type=CRYPTO_KEY_USER msg=audit(1482399412.824:11835): pid=23100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=61:0c:5a:cd:1e:e1:56:a0:b7:b4:5d:65:42:79:45:97 direction=? spid=23100 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1482399412.825:11836): pid=23100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=80:86:05:ef:8e:78:53:61:f0:4a:f0:f4:7a:0c:c5:1c direction=? spid=23100 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1482399412.825:11837): pid=23100 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=29:c8:51:46:13:ea:ab:6b:1a:c1:95:07:60:73:a2:6a direction=? spid=23100 suid=0 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1482399412.833:11838): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-server [email protected] ksize=512 mac= [email protected] spid=23100 suid=74 rport=50693 laddr=10.10.10.35 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=CRYPTO_SESSION msg=audit(1482399412.833:11839): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=start direction=from-client [email protected] ksize=512 mac= [email protected] spid=23100 suid=74 rport=50693 laddr=10.10.10.35 lport=22 exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=? res=success'
type=USER_AUTH msg=audit(1482399412.928:11840): pid=23099 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="luo.lu" exe="/usr/sbin/sshd" hostname=? addr=10.31.0.113 terminal=ssh res=failed'

2016-12-22 15:46 GMT+08:00 Frank Yu <[email protected]>:

> Hi Dan,
>
> Thanks for your info.
> Now I have an openldap server set up on host dc001, and I installed nss-pam-ldapd-0.8.13-8.el7.x86_64 on client dc005.
>
> And I configured system-auth/nsswitch.conf/nslcd.conf on dc005 as below:
>
> *# cat /etc/pam.d/system-auth*
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required pam_env.so
> auth [default=1 success=ok] pam_localuser.so
> auth [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
> auth requisite pam_succeed_if.so uid >= 1000 quiet_success
> auth sufficient pam_ldap.so
> auth required pam_deny.so
>
> account required pam_unix.so broken_shadow
> account sufficient pam_localuser.so
> account sufficient pam_succeed_if.so uid < 1000 quiet
> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
> account required pam_permit.so
>
> password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
> password sufficient pam_unix.so sha512 nullok try_first_pass use_authtok
> password sufficient pam_ldap.so use_authtok
> password required pam_deny.so
>
> session optional pam_keyinit.so revoke
> session required pam_limits.so
> -session optional pam_systemd.so
> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session required pam_unix.so
> session optional pam_ldap.so
>
> *nsswitch.conf was configured as below:*
>
> # egrep -v ^# /etc/nsswitch.conf
>
> passwd: files ldap
> shadow: files ldap
> group: files ldap
>
> hosts: files dns
>
> bootparams: nisplus [NOTFOUND=return] files
>
> ethers: files
> netmasks: files
> networks: files
> protocols: files
> rpc: files
> services: files sss
>
> netgroup: files sss
>
> publickey: nisplus
>
> automount: files sss
> aliases: files nisplus
>
> *nslcd.conf was configured as below:*
>
> # egrep -v ^# /etc/nslcd.conf
>
> uri ldap://10.9.1.61:389
> base dc=hosso,dc=cc
> uid nslcd
> gid ldap
>
> ssl no
> tls_cacertdir /etc/openldap/cacerts
>
> and I have a user on the ldap server as below:
>
> dn: cn=luo.lu,ou=regular,dc=hosso,dc=cc
> cn: luo.lu
> displayname: luo.lu
> employeenumber: 10138
> employeetype: regular
> gidnumber: 501
> givenname: luo
> homedirectory: /home/luo.lu
> loginshell: /bin/bash
> mail: [email protected]
> objectclass: inetOrgPerson
> objectclass: posixAccount
> sn: lu
> uid: luo.lu
> uidnumber: 10138
> userpassword: test
>
> When I try to log in to dc005 with user luo.lu from local, I get the log below from /var/log/slapd/slapd.log on dc001.
>
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SRCH attr=uid uidNumber
> Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=22 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH attr=memberUid cn gidNumber member
> Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
> Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
> Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SEARCH RESULT tag=101 err=0 nentries=0 text=
>
> Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:04 dc001 slapd[17164]: conn=1003 op=33 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:04 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:04 dc001 slapd[17164]: conn=1002 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> When I ssh to dc005 as root, then su to luo.lu (yes, it can be done), I get the log below:
>
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=34 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SRCH attr=uid uidNumber
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=24 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(|(memberUid=luo.lu)(member=cn=luo.lu,ou=regular,dc=hosso,dc=cc)))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SRCH attr=memberUid cn gidNumber member
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (member) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1001 op=25 SEARCH RESULT tag=101 err=0 nentries=0 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1005 op=30 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=35 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1002 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1000 op=20 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=36 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uidNumber=10138))"
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:11 dc001 slapd[17164]: <= bdb_equality_candidates: (uidNumber) not indexed
> Dec 22 15:26:11 dc001 slapd[17164]: conn=1003 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=
> Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
> Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SRCH attr=loginShell cn gidNumber uidNumber objectClass homeDirectory gecos uid
> Dec 22 15:26:13 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
> Dec 22 15:26:13 dc001 slapd[17164]: conn=1002 op=37 SEARCH RESULT tag=101 err=0 nentries=1 text=
>
> Can you help take a look? Great thanks. It has confused me for a long time.
>
> 2016-12-20 1:01 GMT+08:00 Dan White <[email protected]>:
>
>> On 12/18/16 18:40 +0800, Frank Yu wrote:
>>
>>> I have set up an LDAP service on host A, and configured an ldap client on host B.
>>> When I tried to log in to host B with a user which was already added in the LDAP server,
>>> it reported an error even though I entered the right passwd:
>>>
>>> [email protected]'s password:
>>> debug3: send packet: type 50
>>> debug2: we sent a password packet, wait for reply
>>> debug3: receive packet: type 51
>>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>>> Permission denied, please try again.
>>> [email protected]'s password:
>>> debug3: send packet: type 50
>>> debug2: we sent a password packet, wait for reply
>>> debug3: receive packet: type 51
>>> debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
>>> Permission denied, please try again.
>>> [email protected]'s password:
>>>
>>> and, I can su to user shanzhi.yu on host B
>>>
>>> [root@host B ~]# su shanzhi.yu
>>> [shanzhi.yu@host B root]$ cd
>>> [shanzhi.yu@host B ~]$
>>>
>>
>> There are too many missing variables to give you specific advice. General troubleshooting steps would include:
>>
>> 1) Enable server side (ssh) debugging to glean additional insight into the problem.
>>
>> 2) Verify your ssh server config has pam enabled (assuming you're using an ldap based pam module).
>>
>> 3) And if you are depending on pam to perform authentication, verify your pam config with pamtester. Consult your pam ldap module documentation as pam tends to be one of the more complicated parts of this type of setup.
>>
>
> --
> Regards
> Frank Yu

--
Regards
Frank Yu
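A slapd log triage helper, added here as an example and not code from the thread or from OpenLDAP: it parses log lines in the format quoted above, pairs any BIND as the user's DN with its RESULT (a pam_ldap/nslcd password check reaches the directory as exactly such a simple bind, and the quoted excerpt contains only searches), and counts the `bdb_equality_candidates ... not indexed` warnings, each of which names an equality index the slapd configuration lacks. The sample lines are constructed from the quoted format; the BIND/RESULT pair is an assumed contrast case.

```python
import re
from collections import Counter

# Constructed sample modelled on the slapd.log lines quoted in the thread: only the
# searches nslcd runs to resolve the account and its groups, no BIND as the user.
QUOTED_LOG = """\
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (uid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=21 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SRCH base="dc=hosso,dc=cc" scope=2 deref=0 filter="(&(objectClass=posixGroup)(memberUid=luo.lu))"
Dec 22 15:26:00 dc001 slapd[17164]: <= bdb_equality_candidates: (memberUid) not indexed
Dec 22 15:26:00 dc001 slapd[17164]: conn=1001 op=23 SEARCH RESULT tag=101 err=0 nentries=0 text=
"""
# Assumed (not from the thread): how a pam_ldap password check appears in the same
# log, a simple BIND as the user's DN plus its RESULT (err=49 = invalid credentials).
BIND_LOG = """\
Dec 22 15:26:05 dc001 slapd[17164]: conn=1006 op=0 BIND dn="cn=luo.lu,ou=regular,dc=hosso,dc=cc" method=128
Dec 22 15:26:05 dc001 slapd[17164]: conn=1006 op=0 RESULT tag=97 err=49 text=
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (SRCH|BIND|SEARCH RESULT|RESULT)\b(.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
UNINDEXED_RE = re.compile(r'bdb_equality_candidates: \((\w+)\) not indexed')

def parse_ops(text):
    """Yield one dict per conn/op line: conn, op, kind plus its key=value fields."""
    for line in text.splitlines():
        m = OP_RE.search(line)
        if m:
            rec = {"conn": int(m.group(1)), "op": int(m.group(2)), "kind": m.group(3)}
            rec.update((k, v.strip('"')) for k, v in KV_RE.findall(m.group(4)))
            yield rec

def bind_results(text, dn):
    """Pair each BIND as `dn` with its RESULT, returning [(conn, err), ...]; an empty
    list means the client never asked the directory to check the user's password."""
    pending, out = set(), []
    for rec in parse_ops(text):
        key = (rec["conn"], rec["op"])
        if rec["kind"] == "BIND" and rec.get("dn", "").lower() == dn.lower():
            pending.add(key)
        elif rec["kind"] == "RESULT" and key in pending:
            pending.discard(key)
            out.append((rec["conn"], int(rec["err"])))
    return out

def unindexed_attributes(text):
    """Count 'not indexed' warnings per attribute (each needs an 'index <attr> eq')."""
    return Counter(UNINDEXED_RE.findall(text))
```

Run it over a real slapd.log with loglevel stats and the user's DN: an empty result from bind_results while searches for the user succeed means the PAM stack never reached pam_ldap, whereas err=49 means it did and the password was rejected.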
