FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Debian > Debian User

 
 
LinkBack Thread Tools
 
Old 03-04-2009, 12:37 PM
Axel Werner
 
Default No more logins after upgrade to deb 5.0

Hello Debian Gurus!

I got a realy realy BAD problem after Upgrade from Debian 4.x Etch to
Debian 5.0 Lenny i was not able to resolve or even trace the source of
trouble. Maybe one of you guys can help me find the problem.



Problem:
After upgrading from Debian 4.x to 5.x without any further configuration
attempts my LDAP Authentication configuration fails. To be more
specific, only LDAP/SMB Users whos ldap password is expired are no more
able to login to console or via ssh. On SSH they will get an „Access
denied“ message, on console they get an „Login incorrect“.
If an LDAP Administrator resets that users password and/or as long their
ldap password is not expired the user can login anywhere just fine. If
his pw expired he is locked out again.
This behaviour is WRONG! With Debian 4.x this worked just fine with my
configuration (same as with debian 5.0).



Finding the BAD
I tried to find the problem myself, with no luck yet.
I compared both the /etc/ of the working debian4 and the no-more-working
debian 5 installation using diff. didnt found any „major“ changes that
would cause that behaviour, i would say.


This is all what is logged when trying to log in with an expired
password on debian 5.0 ( /var/log/auth.log )

################################################## ######
Mar 4 12:41:50 aw-deb40-srv sshd[3179]: pam_ldap: error trying to bind
as user "uid=smbuser1,ou=Users,dc=org" (Invalid credentials)
Mar 4 12:41:50 aw-deb40-srv sshd[3179]: pam_unix(sshd:auth):
authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
rhost=es20001.domain.de user=smbuser1
Mar 4 12:41:52 aw-deb40-srv sshd[3179]: Failed password for smbuser1
from 10.230.20.1 port 3160 ssh2

################################################## ######
there are no more logs! nothing in message or syslog.

And the Point is... THE USED CREDENTIALS ARE CORRECT!! Only the PW is
expired on LDAP + SAMBA.
now I did an experiment. As an LDAP Manager (aka rootdn) i gave that
specific user just the same Password as he had before. As i store all
LDAP PWs in cleartext i am able to see his old PW and just re-set it to
the same value. (all this cleartext stuff is for testing purposes! dont
panic)


Since his PW now is (the same as his old one but...) fresh and valid the
user can again log in and do his work until his new pw again expires.


so NO SIR! The Credentials are correct!! But WHY is pam_ldap complaining
????


Could you please HELP me to find the Problem ?

THANKS A LOT FOR ANY HELP!
regards
Axel



PS:

I attached my pam.d/* and other confs for further analysis. i would also
post my DIT as ldif if you like . just let me know.


################################################## ################



#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_ldap.so
account required pam_unix.so use_first_pass
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_ldap.so
auth required pam_unix.so try_first_pass nullok_secure
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
#used to change user passwords. The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

# password required pam_unix.so nullok obscure min=4 max=8 md5

# Alternate strength checking for password. Note that this
# requires the libpam-cracklib package to be installed.
# You will need to comment out the password line above and
# uncomment the next two in order to use this.
# (Replaces the `OBSCURE_CHECKS_ENAB', `CRACKLIB_DICTPATH')
#
password required pam_cracklib.so retry=3 minlen=8 difok=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0
#password required pam_ldap.so use_first_pass use_authtok
password optional pam_smbpass.so use_first_pass use_authtok
password optional pam_unix.so use_first_pass use_authtok nullok md5

#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_mkhomedir.so skel=/etc/skel umask=0066
session sufficient pam_ldap.so
session required pam_unix.so
# $OpenLDAP: pkg/ldap/libraries/libldap/ldap.conf,v 1.9 2000/09/04 19:57:01 kurt Exp $
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

#BASE dc=example, dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666

BASE dc=org
URI ldap://localhost

#SIZELIMIT 12
SIZELIMIT 0
TIMELIMIT 15
#DEREF never

TLS_CACERTDIR /etc/ssl/certs/

# MANUAL CONFIG !!!!! ###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure libnss-ldap to configure this file.
#
@(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=org

# Another way to specify your LDAP server is to provide an
uri ldap://localhost
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
# Please do not put double quotes around it as they
# would be included literally.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/libnss-ldap.secret (mode 600)
# Use 'echo -n "mypassword" > /etc/libnss-ldap.secret' instead
# of an editor to create the file.
############### rootbinddn cn=manager,dc=org

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy:
# hard_open: reconnect to DSA with exponential backoff if
# opening connection failed
# hard_init: reconnect to DSA with exponential backoff if
# initializing connection failed
# hard: alias for hard_open
# soft: return immediately on server failure
#bind_policy hard

# Connection policy:
# persist: DSA connections are kept open (default)
# oneshot: DSA connections destroyed after request
#nss_connect_policy persist

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Use paged rseults
#nss_paged_results yes

# Pagesize: when paged results enable, used to set the
# pagesize to a custom value
#pagesize 1000

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
#pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# Use backlinks for answering initgroups()
#nss_initgroups backlink

# Enable support for RFC2307bis (distinguished names in group
# members)
#nss_schema rfc2307bis

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# For pre-RFC2307bis automount schema
#nss_map_objectclass automountMap nisMap
#nss_map_attribute automountMapName nisMapName
#nss_map_objectclass automount nisObject
#nss_map_attribute automountKey cn
#nss_map_attribute automountInformation nisMapEntry

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

#
# The PAM configuration file for the Shadow `login' service
#

# Enforce a minimal delay in case of failure (in microseconds).
# (Replaces the `FAIL_DELAY' setting from login.defs)
# Note that other modules may require another minimal delay. (for example,
# to disable any delay, you should add the nodelay option to pam_unix)
auth optional pam_faildelay.so delay=3000000

# Outputs an issue file prior to each login prompt (Replaces the
# ISSUE_FILE option from login.defs). Uncomment for use
# auth required pam_issue.so issue=/etc/issue

# Disallows root logins except on tty's listed in /etc/securetty
# (Replaces the `CONSOLE' setting from login.defs)
auth [success=ok ignore=ignore user_unknown=ignore default=die] pam_securetty.so

# Disallows other than root logins when /etc/nologin exists
# (Replaces the `NOLOGINS_FILE' option from login.defs)
auth requisite pam_nologin.so

# This module parses environment configuration file(s)
# and also allows you to use an extended config
# file /etc/security/pam_env.conf.
#
# parsing /etc/environment needs "readenv=1"
session required pam_env.so readenv=1
# locale variables are also kept into /etc/default/locale in etch
# reading this file *in addition to /etc/environment* does not hurt
session required pam_env.so readenv=1 envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# This allows certain extra groups to be granted to a user
# based on things like time of day, tty, service, and user.
# Please edit /etc/security/group.conf to fit your needs
# (Replaces the `CONSOLE_GROUPS' option in login.defs)
auth optional pam_group.so

# Uncomment and edit /etc/security/time.conf if you need to set
# time restrainst on logins.
# (Replaces the `PORTTIME_CHECKS_ENAB' option from login.defs
# as well as /etc/porttime)
# account requisite pam_time.so

# Uncomment and edit /etc/security/access.conf if you need to
# set access limits.
# (Replaces /etc/login.access file)
# account required pam_access.so

# Sets up user limits according to /etc/security/limits.conf
# (Replaces the use of /etc/limits in old login)
session required pam_limits.so

# Prints the last login info upon succesful login
# (Replaces the `LASTLOG_ENAB' option from login.defs)
session optional pam_lastlog.so

# Prints the motd upon succesful login
# (Replaces the `MOTD_FILE' option in login.defs)
session optional pam_motd.so

# Prints the status of the user's mailbox upon succesful login
# (Replaces the `MAIL_CHECK_ENAB' option from login.defs).
#
# This also defines the MAIL environment variable
# However, userdel also needs MAIL_DIR and MAIL_FILE variables
# in /etc/login.defs to make sure that removing a user
# also removes the user's mail spool file.
# See comments in /etc/login.defs
session optional pam_mail.so standard

# SELinux needs to intervene at login time to ensure that the process
# starts in the proper default security context.
# Uncomment the following line to enable SELinux
# session required pam_selinux.so select_context

# Standard Un*x account and session
@include common-account
@include common-session
@include common-password
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# Original Einstellungen
#passwd: compat
#group: compat
#shadow: compat

# Angepasste Einstellungen für LDAP
passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis
#
# /etc/pam.d/other - specify the PAM fallback behaviour
#
# Note that this file is used for any unspecified service; for example
#if /etc/pam.d/cron specifies no session modules but cron calls
#pam_open_session, the session module out of /etc/pam.d/other is
#used. If you really want nothing to happen then use pam_permit.so or
#pam_deny.so as appropriate.

# We fall back to the system default in /etc/pam.d/common-*
#

@include common-auth
@include common-account
@include common-password
@include common-session
# ---------------------------------------------------------------------------#
# /etc/pam.conf #
# ---------------------------------------------------------------------------#
#
# NOTE
# ----
#
# NOTE: Most program use a file under the /etc/pam.d/ directory to setup their
# PAM service modules. This file is used only if that directory does not exist.
# ---------------------------------------------------------------------------#

# Format:
# serv. module ctrl module [path] ...[args..] #
# name type flag #

# MANUAL CONFIG !!!!! ###DEBCONF###
# the configuration of this file will be done by debconf as long as the
# first line of the file says '###DEBCONF###'
#
# you should use dpkg-reconfigure to configure this file
#
# @(#)$Id: ldap.conf,v 1.36 2005/03/23 08:29:59 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
#host 127.0.0.1

# The distinguished name of the search base.
base dc=org

# Another way to specify your LDAP server is to provide an
uri ldap://localhost
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=proxyuser,dc=padl,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw secret

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/pam_ldap.secret (mode 600)
############ rootbinddn cn=manager,dc=org

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
#timelimit 30

# Bind/connect timelimit
#bind_timelimit 30

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard

# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=account

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

# Specify a minium or maximum UID number allowed
#pam_min_uid 0
#pam_max_uid 0

# Template login attribute, default template user
# (can be overriden by value of former attribute
# in user's entry)
#pam_login_attribute userPrincipalName
#pam_template_login_attribute uid
#pam_template_login nobody

# HEADS UP: the pam_crypt, pam_nds_passwd,
# and pam_ad_passwd options are no
# longer supported.
#
# If you are using XAD, you can set pam_password
# to racf, ad, or exop. Make sure that you have
# SSL enabled.

# Do not hash the password at all; presume
# the directory server will do it, if
# necessary. This is the default.
pam_password clear

# Hash password locally; required for University of
# Michigan LDAP server, and works with Netscape
# Directory Server if you're using the UNIX-Crypt
# hash mechanism and not using the NT Synchronization
# service.
#pam_password crypt

# Remove old password first, then update in
# cleartext. Necessary for use with Novell
# Directory Services (NDS)
#pam_password clear_remove_old
#pam_password nds

# RACF is an alias for the above. For use with
# IBM RACF
#pam_password racf

# Update Active Directory password, by
# creating Unicode password and updating
# unicodePwd attribute.
#pam_password ad

# Use the OpenLDAP password change
# extended operation to update the password.
#pam_password exop

# Redirect users to a URL or somesuch on password
# changes.
#pam_password_prohibit_message Please visit http://internal to change your password.

# RFC2307bis naming contexts
# Syntax:
# nss_base_XXX base?scope?filter
# where scope is {base,one,sub}
# and filter is a filter to be &'d with the
# default filter.
# You can omit the suffix eg:
# nss_base_passwd ou=People,
# to append the default base DN but this
# may incur a small performance impact.
#nss_base_passwd ou=People,dc=padl,dc=com?one
#nss_base_shadow ou=People,dc=padl,dc=com?one
#nss_base_group ou=Group,dc=padl,dc=com?one
#nss_base_hosts ou=Hosts,dc=padl,dc=com?one
#nss_base_services ou=Services,dc=padl,dc=com?one
#nss_base_networks ou=Networks,dc=padl,dc=com?one
#nss_base_protocols ou=Protocols,dc=padl,dc=com?one
#nss_base_rpc ou=Rpc,dc=padl,dc=com?one
#nss_base_ethers ou=Ethers,dc=padl,dc=com?one
#nss_base_netmasks ou=Networks,dc=padl,dc=com?ne
#nss_base_bootparams ou=Ethers,dc=padl,dc=com?one
#nss_base_aliases ou=Aliases,dc=padl,dc=com?one
#nss_base_netgroup ou=Netgroup,dc=padl,dc=com?one

# attribute/objectclass mapping
# Syntax:
#nss_map_attribute rfc2307attribute mapped_attribute
#nss_map_objectclass rfc2307objectclass mapped_objectclass

# configure --enable-nds is no longer supported.
# NDS mappings
#nss_map_attribute uniqueMember member

# Services for UNIX 3.5 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount User
#nss_map_attribute uid msSFU30Name
#nss_map_attribute uniqueMember msSFU30PosixMember
#nss_map_attribute userPassword msSFU30Password
#nss_map_attribute homeDirectory msSFU30HomeDirectory
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_objectclass posixGroup Group
#pam_login_attribute msSFU30Name
#pam_filter objectclass=User
#pam_password ad

# configure --enable-mssfu-schema is no longer supported.
# Services for UNIX 2.0 mappings
#nss_map_objectclass posixAccount User
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid msSFUName
#nss_map_attribute uniqueMember posixMember
#nss_map_attribute userPassword msSFUPassword
#nss_map_attribute homeDirectory msSFUHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup Group
#nss_map_attribute cn msSFUName
#pam_login_attribute msSFUName
#pam_filter objectclass=User
#pam_password ad

# RFC 2307 (AD) mappings
#nss_map_objectclass posixAccount user
#nss_map_objectclass shadowAccount user
#nss_map_attribute uid sAMAccountName
#nss_map_attribute homeDirectory unixHomeDirectory
#nss_map_attribute shadowLastChange pwdLastSet
#nss_map_objectclass posixGroup group
#nss_map_attribute uniqueMember member
#pam_login_attribute sAMAccountName
#pam_filter objectclass=User
#pam_password ad

# configure --enable-authpassword is no longer supported
# AuthPassword mappings
#nss_map_attribute userPassword authPassword

# AIX SecureWay mappings
#nss_map_objectclass posixAccount aixAccount
#nss_base_passwd ou=aixaccount,?one
#nss_map_attribute uid userName
#nss_map_attribute gidNumber gid
#nss_map_attribute uidNumber uid
#nss_map_attribute userPassword passwordChar
#nss_map_objectclass posixGroup aixAccessGroup
#nss_base_group ou=aixgroup,?one
#nss_map_attribute cn groupName
#nss_map_attribute uniqueMember member
#pam_login_attribute userName
#pam_filter objectclass=aixAccount
#pam_password clear

# Netscape SDK LDAPS
#ssl on

# Netscape SDK SSL options
#sslpath /etc/ssl/certs/cert7.db

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
#ssl start_tls
#ssl on

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
# Default is to use libldap's default behavior, which can be configured in
# /etc/openldap/ldap.conf using the TLS_REQCERT setting. The default for
# OpenLDAP 2.0 and earlier is "no", for 2.1 and later is "yes".
#tls_checkpeer yes

# CA certificates for server certificate verification
# At least one of these are required if tls_checkpeer is "yes"
#tls_cacertfile /etc/ssl/ca.cert
#tls_cacertdir /etc/ssl/certs

# Seed the PRNG if /dev/urandom is not provided
#tls_randfile /var/run/egd-pool

# SSL cipher suite
# See man ciphers for syntax
#tls_ciphers TLSv1

# Client certificate and key
# Use these, if your server requires client authentication.
#tls_cert
#tls_key

# Disable SASL security layers. This is needed for AD.
#sasl_secprops maxssf=0

# Override the default Kerberos ticket cache location.
#krb5_ccname FILE:/etc/.ldapcache

# SASL mechanism for PAM authentication - use is experimental
# at present and does not support password policy control
#pam_sasl_mech DIGEST-MD5
#
# The PAM configuration file for the Shadow `passwd' service
#

@include common-password

@include common-auth
@include common-account
@include common-session
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.

################################################## #####################
################################################## #####################
# Global Directives: #
################################################## #####################
################################################## #####################
# Features to permit
#allow bind_v2

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/ppolicy.schema

include /etc/ldap/schema/samba.schema

# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid

# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args

# Read slapd.conf(5) for possible values
loglevel 0

################################################## #
# Where the dynamically loaded modules are stored #
################################################## #
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload refint
moduleload unique
moduleload ppolicy

# The maximum number of entries that is returned for a search operation
sizelimit 500

# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 1


################################################## #####################
# SSL/TLS #
################################################## #####################
TLSCACertificatePath /etc/ssl/certs/
TLSCertificateFile /etc/ldap/aw-deb40-srv.cert.pem
TLSCertificateKeyFile /etc/ldap/aw-deb40-srv.key.pem


################################################## #####################
################################################## #####################
# Specific Backend Directives for bdb: #
################################################## #####################
################################################## #####################
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
backend bdb

################################################## #####################
# Specific Backend Directives for 'other':
################################################## #####################
# Backend specific directives apply to this backend until another
# 'backend' directive occurs
#backend <other>

################################################## #####################
################################################## #####################
# Specific Directives for database #1, of type bdb: #
################################################## #####################
################################################## #####################
# Database specific directives apply to this databasse until another
# 'database' directive occurs
database bdb

# The base of your directory in database #1
suffix "dc=org"
checkpoint 512 30

# Where the database file are physically stored for database #1
directory "/var/lib/ldap"

# For the Debian package we use 2MB as default but be sure to update this
# value if you have plenty of RAM
dbconfig set_cachesize 0 2097152 0

# Sven Hartge reported that he had to set this value incredibly high
# to get slapd running at all. See http://bugs.debian.org/303057
# for more information.

# Number of objects that can be locked at the same time.
dbconfig set_lk_max_objects 1500
# Number of locks (both requested and granted)
dbconfig set_lk_max_locks 1500
# Number of lockers
dbconfig set_lk_max_lockers 1500

################################################## #####################
# ROOT DN / LDAP MANAGER / SUPERUSER for this specific Database #
################################################## #####################
# rootdn directive for specifying a superuser on the database. This is needed
# for syncrepl.
rootdn "cn=manager,dc=org"
rootpw ldap

####################################
# Indexing options for database #1 #
####################################
index objectClass eq
index cn eq,sub

# Passwoerter werden im LDAP BASE-64 codiert gespeichert, sind jedoch standardmaessig NICHT verschluesselt.
# Passwoerter koennen jedoch verschluesselt werden. z.B. mit Hilfe von 'ldappasswd'.
# ldappasswd verwendet als standard die {SSHA} verschluesselung.
# Der 'password-hash' Parameter ist dazu da um ldappasswd und anderen crypto Programme Klartext-Passworte als
# Standardeinstellung vorzugeben.
# ACHTUNG: Es ist gut moeglich das ppolicy und pam_ldap etc NUR mit klartext-passworten zurecht kommen.
password-hash {CLEARTEXT}
#password-hash {SHA}

# Save the time that the entry gets modified, for database #1
lastmod on

# Where to store the replica logs for database #1
# replogfile /var/lib/ldap/replog


####################################
# Overlays + Directives #
####################################
overlay refint
refint_attributes member uniqueMember seeAlso
refint_nothing cn=EMPTY

overlay unique
unique_base dc=org
unique_attributes uid mail

overlay ppolicy
ppolicy_default cn=Standard,ou=pPolicies,dc=org
ppolicy_use_lockout
ppolicy_hash_cleartext

####################################
# ACL's #
####################################

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only

access to attrs=userPassword,shadowLastChange,pwdHistory,sam baNTPassword,sambaLMPassword
by dn="uid=admin,dc=org" write
by anonymous auth
by self write
by * none

# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything.
access to *
by dn="uid=admin,dc=org" write
by * read
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Any line which starts with a ; (semi-colon) or a # (hash)
# is a comment and is ignored. In this example we will use a #
# for commentary and a ; for parts of the config file that you
# may wish to enable
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.
#

#======================= Global Settings =======================

[global]

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
workgroup = TEST

# server string is the equivalent of the NT Description field
#server string = %h server
server string = %h

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
wins support = yes

# Lokale SMB User
#add machine script = /usr/sbin/useradd -s /bin/false -d /var/lib/nobody -c 'Windows Machine' %u

# LDAP SMB User
add machine script = /usr/sbin/smbldap-useradd -t 0 -w "%u"

#############################################
inherit acls = yes
inherit owner = yes

#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
#log file = /var/log/samba/log.%m
log file = /var/log/samba/samba.log

# Put a capping on the size of the log files (in Kb).
max log size = 10000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
; syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# "security = user" is always a good idea. This will require a Unix account
# in this server for every user accessing the server. See
# /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/ServerType.html
# in the samba-doc package for details.
; security = user

# You may wish to use password encryption. See the section on
# 'encrypt passwords' in the smb.conf(5) manpage before enabling.
encrypt passwords = true

# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
#passdb backend = tdbsam

passdb backend = ldapsam:ldap://127.0.0.1
ldap suffix = dc=org
ldap machine suffix = ou=Users
ldap user suffix = ou=Users
ldap group suffix = ou=Groups
ldap admin dn = uid=admin,dc=org
ldap delete dn = no
ldap password sync = yes


obey pam restrictions = yes

guest account = nobody

#invalid users = root

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.

unix password sync = no

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <<kahan@informatik.tu-muenchen.de> for
# sending the correct chat script for the passwd program in Debian Sarge).
passwd program = /usr/bin/passwd %u
passwd chat = *EntersnewsUNIXspassword:* %n
*RetypesnewsUNIXspassword:* %n
*passwordsupdatedssuccessfully* .

check password script = /sbin/crackcheck -c -d /var/cache/cracklib/cracklib_dict

########## Domains ###########

# Is this machine able to authenticate users. Both PDC and BDC
# must have this setting enabled. If you are the BDC you must
# change the 'domain master' setting to no
#
domain logons = yes
#
# The following setting only takes effect if 'domain logons' is set
# It specifies the location of the user's profile directory
# from the client point of view)
# The following required a [profiles] share to be setup on the
# samba server (see below)
# logon path = \%Nprofiles\%U
# Another common choice is storing the profile in the user's home directory
# logon path = \%N\%Uprofile
logon path =

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
logon drive = H:
logon home=\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be store in 'DOS' file format convention
#logon script = logon.cmd
# LOGIN SCRIPT = relative WINDOWS path to the global login script (windows path)
logon script = scriptslogon.cmd

########## Printing ##########

# If you want to automatically load your printer list rather
# than setting them up individually then you'll need this
; load printers = yes

# lpr(ng) printing. You may wish to override the location of the
# printcap file
; printing = bsd
; printcap name = /etc/printcap

# CUPS printing. See also the cupsaddsmb(8) manpage in the
# cupsys-client package.
; printing = cups
; printcap name = cups

# When using [print$], root is implicitly a 'printer admin', but you can
# also give this right to other users to add drivers and set printer
# properties
; printer admin = @ntadmin


############ Misc ############

# Most people will find that this option gives better performance.
# See smb.conf(5) and /usr/share/doc/samba-doc/htmldocs/Samba3-HOWTO/speed.html
# for details
# You may want to add the following on a Linux system:
# SO_RCVBUF=8192 SO_SNDBUF=8192
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192

# Domain Master specifies Samba to be the Domain Master Browser. If this
# machine will be configured as a BDC (a secondary logon server), you
# must set this to 'no'; otherwise, the default behavior is recommended.
domain master = auto

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
; idmap uid = 10000-20000
; idmap gid = 10000-20000
; template shell = /bin/bash
;
; The following was the default behaviour in sarge
; but samba upstream reverted the default because it might induce
; performance issues in large organizations
; See #368251 for some of the consequences of *not* having
; this setting and smb.conf(5) for all details
;
; winbind enum groups = yes
; winbind enum users = yes
idmap uid = 15000-20000
idmap gid = 15000-20000

#======================= Share Definitions =======================

[homes]
comment = Home Directories
browseable = no

# By default, the home directories are exported read-only. Change next
# parameter to 'yes' if you want to be able to write to them.
writable = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0700

# Restrict access to home directories
# to the one of the authenticated user
# This might need tweaking when using external authentication schemes
valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
[netlogon]
comment = Network Logon Service
path = /home/samba/netlogon
guest ok = yes
writable = no
share modes = no
write list = root, @Domain Admins

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
[profiles]
comment = Users profiles
path = /home/samba/profiles
guest ok = no
browseable = no
create mask = 0600
directory mask = 0700

[printers]
comment = All Printers
browseable = no
path = /var/spool/samba
printable = yes
public = no
writable = no
create mode = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# Replace 'ntadmin' with the name of the group your admin users are
# members of.
write list = root, @ntadmins

[daten]
comment = Network Logon Service
path = /home/samba/daten
guest ok = no
writable = yes
share modes = yes
# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
create mask = 0770

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
directory mask = 0770
# PAM configuration for the Secure Shell service

# Read environment variables from /etc/environment and
# /etc/security/pam_env.conf.
auth required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
auth required pam_env.so envfile=/etc/default/locale

# Standard Un*x authentication.
@include common-auth

# Disallow non-root logins when /etc/nologin exists.
account required pam_nologin.so

# Uncomment and edit /etc/security/access.conf if you need to set complex
# access limits that are hard to express in sshd_config.
# account required pam_access.so

# Standard Un*x authorization.
@include common-account

# Standard Un*x session setup and teardown.
@include common-session

# Print the message of the day upon successful login.
session optional pam_motd.so # [1]

# Print the status of the user's mailbox upon successful login.
session optional pam_mail.so standard noenv # [1]

# Set up user limits from /etc/security/limits.conf.
session required pam_limits.so

# Set up SELinux capabilities (need modified pam)
# session required pam_selinux.so multiple

# Standard Un*x password updating.
@include common-password
 
Old 03-04-2009, 12:45 PM
Dave Ewart
 
Default No more logins after upgrade to deb 5.0

On Wednesday, 04.03.2009 at 14:37 +0100, Axel Werner wrote:

> I got a realy realy BAD problem after Upgrade from Debian 4.x Etch to
> Debian 5.0 Lenny i was not able to resolve or even trace the source of
> trouble. Maybe one of you guys can help me find the problem.

Not completely clear from reading your configs, but if you use LDAP over
SSL or TLS, then the Lenny packages for TLS are fussier about the type
of certificates that can be used to verify the service.

I had exactly this issue upon upgrading a machine to Lenny, because the
certificate - which was based on RSA/MD5 - was no longer considered
safe. Making a new certificate using SHA1 instead of MD5 fixed the
problem.

Dave.

--
Dave Ewart
davee@ceu.ox.ac.uk
Computing Manager, Cancer Epidemiology Unit
University of Oxford / Cancer Research UK
PGP: CC70 1883 BD92 E665 B840 118B 6E94 2CFD 694D E370
Get key from http://www.ceu.ox.ac.uk/~davee/davee-ceu-ox-ac-uk.asc
N 51.7516, W 1.2152
 
Old 03-04-2009, 01:06 PM
Axel Werner
 
Default No more logins after upgrade to deb 5.0

Am 04.03.2009 14:45, Dave Ewart schrieb:

SSL or TLS, then the Lenny packages for TLS are fussier about the type
of certificates that can be used to verify the service.







Thanks, but i dont run SSL/TLS yet for testing purpose. All "hacker
friendly, unsecure cleartext" communications here.



regards

Axel
 
Old 03-04-2009, 08:13 PM
Sebastian Günther
 
Default No more logins after upgrade to deb 5.0

* Axel Werner (info@awerner.homeip.net) [04.03.09 14:39]:
> Hello Debian Gurus!
>
> I got a realy realy BAD problem after Upgrade from Debian 4.x Etch to
> Debian 5.0 Lenny i was not able to resolve or even trace the source of
> trouble. Maybe one of you guys can help me find the problem.
>
>
> Problem:
> After upgrading from Debian 4.x to 5.x without any further configuration
> attempts my LDAP Authentication configuration fails. To be more specific,
> only LDAP/SMB Users whos ldap password is expired are no more able to login
> to console or via ssh. On SSH they will get an „Access denied“ message,
> on console they get an „Login incorrect“.
> If an LDAP Administrator resets that users password and/or as long their
> ldap password is not expired the user can login anywhere just fine. If his
> pw expired he is locked out again.

> This behaviour is WRONG! With Debian 4.x this worked just fine with my
> configuration (same as with debian 5.0).

No need to shout...

This behaviour is totally right. You shouldn't be able to log in with an
expired password.

The difference may be that ssh now uses pam: examine /etc/ssh/sshd_config

>
>
> Finding the BAD
>
> so NO SIR! The Credentials are correct!! But WHY is pam_ldap complaining
> ????

No Sir, the credentials are *not* correct: the password is expired!

>
> Could you please HELP me to find the Problem ?
>
> THANKS A LOT FOR ANY HELP!
> regards
> Axel
>
>
>
> PS:
>

[awfull lot of configs]

Don't have the time to diff this with my eyes...

Sebastian

--
" Religion ist das Opium des Volkes. " Karl Marx

SEB@STI@N GÜNTHER mailto:samson@guenther-roetgen.de
 
Old 03-05-2009, 08:04 AM
Axel Werner
 
Default No more logins after upgrade to deb 5.0

I have got an UPDATE for this Topic:

Using Debian 4.0, in a LDAP/ppolicy Client/Server configuration for
authentication i have been still able to login to a console or via ssh
with an useraccount whos ldap password has been expired. well.. on your
next login you have been forced to change/update your password, but you
have not been locked out. this behaviour has been Independent of any
"grace login" configurations. in fact, there has been no important
difference if you have set your grace logins to 3 or 0 - the only thing
back there in debian 4.0 was that with a grace login of 3 you had +3
more login chances before you are "forced" to change your password. so..
in short... under debian 4.0 the grace login feature of openldap /
ppolicy had no real usefull effect as long your "ldap client app" makes
use of.


Now with Debian 5.0 something at "some ldap component" had changed. i
cannot say if its pam_ldap , ppolicy or openldap itself. but something
there now behaves different now and requires a small configuration change!


The Keyword is "grace logins" or the "pwdGraceAuthNLimit" attribute in
your password policy object in your LDAP DIT. While in debian 4 this
parameter doesnt realy matters in debian 5.0 it can be vital! because
NOW some ldap component (package) makes real use of this
parameter/service and if this parameter is set to 0 ( ZERO) and your
ldap-users passwords expire they become completly LOCKED OUT of your
systems.

So make sure you set this parameter to at least 1 - so your users get at
least ONE chance to change their password "after" it is expired.


btw.. if a users password is expired and until he did not used alls his
grace logins he can still login, BUT still there wont be any warning or
message that his password is expired and how much grace logins are left
for the user. so it seems you have to handle all that by yourself!


i realy hope my little report here will save some time for someone out
there.

regards
Axel



--
To UNSUBSCRIBE, email to debian-user-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
 

Thread Tools




All times are GMT. The time now is 05:39 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org