01-28-2009, 08:53 AM
Per Qvindesland

Authentication problems

Hi List

After having installed Directory Server with no problems and created a test
user account I then go ahead to configure a client to test the
authentication to my new directory server, sadly after a reboot I can't
login with my new user account that I created, I have spent a few days
reading up about what the problem may be but until now I have had very
little joy.

If I try ldapsearch -v then I get error message:
SASL/EXTERNAL authentication started
Ldap_sasl_interactive_bind_s:unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
If I use ldapsearch -x then I get the output of a ldif file with all groups,
users and domains available so there is apparently nothing wrong with the
communication, I truly believe that this is a security problem that sits
somewhere but I have no idea.

Could anyone give me some pointers to how I could fix this problem?

Regards
Per Qvindesland


--
Fedora-directory-users mailing list
Fedora-directory-users@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-directory-users
 
01-28-2009, 01:58 PM
Per Qvindesland

Authentication problems

Hello again list

I am coming a bit to my wits end on this one, let me rather top post my own
post

After having configured the client machine to authenticate and to look for
users on the directory server and then try to login into a user that sits on
the directory server then I get an error message saying that there is no such
user, is there any special configuration that needs to be done to get the
directory server to authenticate on a standard install on both the directory
server and the client?

Regards
Per


 
01-28-2009, 02:37 PM
Rich Megginson

Authentication problems

Per Qvindesland wrote:
> Hi List
>
> After having installed Directory Server with no problems and created a test
> user account I then go ahead to configure a client to test the
> authentication to my new directory server, sadly after a reboot I can't
> login with my new user account that I created, I have spent a few days
> reading up about what the problem may be but until now I have had very
> little joy.
>
> If I try ldapsearch -v then I get error message:
> SASL/EXTERNAL authentication started
> Ldap_sasl_interactive_bind_s:unknown authentication method (-6)
> additional info: SASL(-4): no mechanism available:

This is because the openldap ldapsearch client attempts SASL
authentication by default. You have to specify -x to make it use simple
(username/password or anonymous) authentication.

> If I use ldapsearch -x then I get the output of a ldif file with all groups,
> users and domains available so there is apparently nothing wrong with the
> communication, I truly believe that this is a security problem that sits
> somewhere but I have no idea.

I don't think this is a security problem.

> Could anyone give me some pointers to how I could fix this problem?
>
> Regards
> Per Qvindesland


 
01-29-2009, 11:31 AM
Per Qvindesland

Authentication problems

Hi

Thanks so much for responding to my post.

I managed to find out this but from what I don't get is why after having
installed and configured clients to authenticate towards the server
correctly they still don't do it, I have looked for any log files that could
give me some clue of what I have done wrong but no luck the error log in the
admin interface says nothing that is of use, I have also read the manual
from one side to the other but I can not find anything that tells me what
steps that I have been forgetting.

Are there any error logs that it generates that can give me
some more clues?

Regards
Per Qvindesland


 
01-29-2009, 02:18 PM
Rich Megginson

Authentication problems

Per Qvindesland wrote:
> Hi
>
> Thanks so much for responding to my post.
>
> I managed to find out this but from what I don't get is why after having
> installed and configured clients to authenticate towards the server
> correctly they still don't do it, I have looked for any log files that could
> give me some clue of what I have done wrong but no luck the error log in the
> admin interface says nothing that is of use, I have also read the manual
> from one side to the other but I can not find anything that tells me what
> steps that I have been forgetting.
>
> Are there any error logs that it generates that can give me
> some more clues?

I'm not sure where pam and nss log - possibly /var/log/secure
You can see what searches are being performed against the directory
server by looking at /var/log/dirsrv/slapd-yourinstance/access

> Regards
> Per Qvindesland


 
01-30-2009, 02:31 PM
Per Qvindesland

Authentication problems

Hi

Thanks again for the response.


I have managed to find some logs now that to Rich's message but I am unsure
of what they mean:
[30/Jan/2009:10:28:49 -0500] conn=46 fd=66 slot=66 connection from 83.140.187.52 to 83.140.187.43
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 BIND dn="" method=128 version=3
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 SRCH base="dc=sms,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pq))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[30/Jan/2009:10:28:49 -0500] conn=46 op=-1 fd=66 closed - B1

Does any one have any idea?

Regards
Per Qvindesland

 
01-30-2009, 02:50 PM
Rich Megginson

Authentication problems

Per Qvindesland wrote:
> Hi
>
> Thanks again for the response.
>
> I have managed to find some logs now that to Rich's message but I am unsure
> of what they mean:
> [30/Jan/2009:10:28:49 -0500] conn=46 fd=66 slot=66 connection from 83.140.187.52 to 83.140.187.43
> [30/Jan/2009:10:28:49 -0500] conn=46 op=0 BIND dn="" method=128 version=3

Bind as anonymous (dn="")

> [30/Jan/2009:10:28:49 -0500] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""

Result is good (err=0)

> [30/Jan/2009:10:28:49 -0500] conn=46 op=1 SRCH base="dc=sms,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pq))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"

Search for user uid=pq with objectClass=posixAccount anywhere under
dc=sms,dc=mycompany,dc=com and return the attributes uid userPassword
uidNumber gidNumber cn homeDirectory loginShell gecos description
objectClass

> [30/Jan/2009:10:28:49 -0500] conn=46 op=1 RESULT err=0 tag=101 nentries=0 etime=0

There were no errors (err=0), but no entries were found that matched.

> [30/Jan/2009:10:28:49 -0500] conn=46 op=-1 fd=66 closed - B1
>
> Does any one have any idea?
>
> Regards
> Per Qvindesland

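
Rich's line-by-line reading of the access log, automated as an added example (not code from the thread or from the Directory Server project): it pairs each SRCH with its RESULT and reports account lookups that completed with err=0 but nentries=0, together with the identity the client bound as. The conn=46 lines are the ones quoted above with wrapped lines rejoined; the conn=47 lines and the uid "demo" are constructed for contrast.

```python
import re

# conn=46: lines quoted in the thread. conn=47: constructed contrast case in
# which the same kind of lookup finds one entry.
SAMPLE_LOG = '''\
[30/Jan/2009:10:28:49 -0500] conn=46 fd=66 slot=66 connection from 83.140.187.52 to 83.140.187.43
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 BIND dn="" method=128 version=3
[30/Jan/2009:10:28:49 -0500] conn=46 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 SRCH base="dc=sms,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=pq))" attrs="uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass"
[30/Jan/2009:10:28:49 -0500] conn=46 op=1 RESULT err=0 tag=101 nentries=0 etime=0
[30/Jan/2009:10:28:49 -0500] conn=46 op=-1 fd=66 closed - B1
[30/Jan/2009:10:29:02 -0500] conn=47 op=0 BIND dn="" method=128 version=3
[30/Jan/2009:10:29:02 -0500] conn=47 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2009:10:29:02 -0500] conn=47 op=1 SRCH base="dc=sms,dc=mycompany,dc=com" scope=2 filter="(&(objectClass=posixAccount)(uid=demo))" attrs="uid uidNumber"
[30/Jan/2009:10:29:02 -0500] conn=47 op=1 RESULT err=0 tag=101 nentries=1 etime=0
'''

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) '
    r'(?P<kind>BIND|SRCH|RESULT) (?P<rest>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
UID_RE = re.compile(r'\(uid=([^)]*)\)')


def parse_fields(rest):
    """Turn 'key=value key="quoted value"' into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(rest)}


def find_empty_lookups(log_text):
    """Return uid searches that completed with err=0 but nentries=0."""
    bind_dn = {}   # conn -> DN from the latest BIND seen on that connection
    pending = {}   # (conn, op) -> fields of a SRCH still waiting for its RESULT
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:  # connection open/close lines are not operations
            continue
        conn, op = int(m['conn']), int(m['op'])
        fields = parse_fields(m['rest'])
        if m['kind'] == 'BIND':
            bind_dn[conn] = fields.get('dn', '')
        elif m['kind'] == 'SRCH':
            pending[(conn, op)] = fields
        elif (conn, op) in pending:  # the RESULT that answers a logged SRCH
            srch = pending.pop((conn, op))
            uid = UID_RE.search(srch.get('filter', ''))
            if uid and fields.get('err') == '0' and fields.get('nentries') == '0':
                findings.append({
                    'time': m['ts'],
                    'conn': conn,
                    'uid': uid.group(1),
                    'bind': bind_dn.get(conn, '') or 'anonymous',
                    'base': srch.get('base', ''),
                    'filter': srch.get('filter', ''),
                })
    return findings


if __name__ == '__main__':
    for f in find_empty_lookups(SAMPLE_LOG):
        print(f"{f['time']} conn={f['conn']} uid={f['uid']} bind={f['bind']}: "
              f"no entry under {f['base']} matches {f['filter']}")
```

Re-running the reported base and filter with ldapsearch -x shows exactly what the client saw when it looked the user up.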
 
02-16-2011, 11:28 AM
James Bensley

Authentication Problems

Hi List,

We have a CentOS VPS running a web site in a DC far away. The chap that dev's this site told me he couldn't SFTP in yesterday, his password was being rejected (I went to his desk to confirm and saw it was telling him the password was incorrect but neither him nor me had changed it and we are the only two with access to this VPS). So I logged in as root and reset his password, but he still couldn't log in (same problem, claiming the password was wrong).

[root@server ~]# passwd webdevuser
Changing password for user webdevuser.
New UNIX password:
Retype new UNIX password:
passwd: all authentication tokens updates successfully.

I tried to SSH in as the web dev user and it wouldn't let me in. Returning back to my root console window;

[root@server ~]# su - webdevuser
[webdevuser@server ~]# passwd
Changing password for user webdevuser.
Changing password for webdevuser.
(current) UNIX password:
passwd: Authentication token manipulation error

Firstly; I am scratching my head as to why his password was no longer working in the first place?

Secondly; Why I can't reset it?

Googling around many people suggest there is a discrepancy between the /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using pwconv to recreate shadow and the same for /etc/groups, deleting gshadow recreating it with grpconv will solve the problem but I still can't login as the web dev user.

Any ideas anyone?


--

James.


http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand Vigesimal, and J others...?



_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
 
02-16-2011, 11:34 AM
Nico Kadel-Garcia

Authentication Problems

Uh-oh. Has your developer, or you, been editing the /etc/passwd,
/etc/shadow, /etc/group, or /etc/gshadow files manually? And do you
use NIS or LDAP for authentication? And this is a publicly exposed
webserver, right? How fast can you rebuild it if it's been rootkitted?

Check the /etc/shadow and /etc/group for consistent numbers of
entries, and /etc/group and /etc/gshadow. Do you have other users who
can still log in or not?
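
The consistency check Nico asks for, as an added example (not code from the thread): it compares entry names rather than only counts, reports duplicates, and also lists locked password fields, which goes beyond what the post asks. It assumes the intended pairs are /etc/passwd with /etc/shadow and /etc/group with /etc/gshadow, the pairs that pwconv and grpconv keep in step; all file contents below are constructed samples with placeholder hashes.

```python
from collections import Counter

# Constructed sample contents (not from the thread). The "$1$..." strings are
# placeholders, not real password hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
webdevuser:x:500:500::/home/webdevuser:/bin/bash
"""
SHADOW = """\
root:$1$constructed$placeholderhash:15000:0:99999:7:::
apache:!!:15000::::::
olduser:$1$constructed$placeholderhash:15000:0:99999:7:::
"""
GROUP = """\
root:x:0:root
apache:x:48:
webdevuser:x:500:
"""
GSHADOW = """\
root:::root
apache:!::
webdevuser:!::
webdevuser:!::
"""


def entry_names(text):
    """Names (first colon-separated field) of every non-blank line, in order."""
    return [line.split(":", 1)[0] for line in text.splitlines() if line.strip()]


def duplicates(names):
    """Names that occur more than once within one file."""
    return {name for name, count in Counter(names).items() if count > 1}


def compare(primary, shadow):
    """Compare a primary file (passwd or group) with its shadow counterpart."""
    p, s = entry_names(primary), entry_names(shadow)
    return {
        "primary_count": len(p),
        "shadow_count": len(s),
        "missing_in_shadow": sorted(set(p) - set(s)),
        "only_in_shadow": sorted(set(s) - set(p)),
        "duplicated": sorted(duplicates(p) | duplicates(s)),
    }


def locked_accounts(shadow):
    """Accounts whose shadow password field starts with '!' or '*'."""
    locked = []
    for line in shadow.splitlines():
        fields = line.split(":")
        if len(fields) > 1 and fields[1][:1] in ("!", "*"):
            locked.append(fields[0])
    return locked


def audit(passwd, shadow, group, gshadow):
    """Run both pair comparisons and the locked-password check."""
    return {
        "passwd_vs_shadow": compare(passwd, shadow),
        "group_vs_gshadow": compare(group, gshadow),
        "locked": locked_accounts(shadow),
    }


if __name__ == "__main__":
    # On a real host, read the four files from /etc as root instead.
    for section, result in audit(PASSWD, SHADOW, GROUP, GSHADOW).items():
        print(section, result)
```

In the sample, passwd and shadow both hold three entries yet still disagree, which is why the comparison is done on names. On a live system pwck and grpck perform this kind of verification.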
 
02-16-2011, 11:43 AM
James Bensley

Authentication Problems

On 16 Feb 2011 12:34, "Nico Kadel-Garcia" <nkadel@gmail.com> wrote:
>
> Uh-oh. Has your developer, or you, been editing the /etc/passwd,
> /etc/shadow, /etc/group, or /etc/gshadow files manually?

Nope.

> And do you
> use NIS or LDAP for authentication?

Nope.

> And this is a publicly exposed
> webserver, right? How fast can you rebuild it if it's been rootkitted?

How long is a piece of string? As quick as I can reupload the data, but that's another issue for another day.

> Check the /etc/shadow and /etc/group for consistent numbers of
> entries, and /etc/group and /etc/gshadow.

Do you mean duplicate entries? If so there are none of those.

> Do you have other users who
> can still log in or not?

There is only the root and web dev user on this box.

Thanks for your input Nico

--James. (This email was sent from a mobile device)

All times are GMT.