SSHD and PAM : "No account present for user" but getent and su work fine

807559, Jul 23 2008 (edited Aug 22 2008)
Hi all,

I'm dealing with some weirdness here. If anyone can help that would be great.

Fully patched Solaris 9 box: SunOS alberta.foo.com 5.9 Generic_122300-29 sun4u sparc SUNW,Ultra-5_10

While trying to SSH to the box as 'jblaine' my required PAM module returns SUCCESS then SSHD chokes for some unknown reason:

Jul 23 08:57:56 alberta.foo.com sshd[492]: [ID 584047 auth.debug] (pam_krb5): jblaine: pam_sm_authenticate: exit (success)
Jul 23 08:57:56 alberta.foo.com sshd[492]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authenticating: No account present for user

================================================================================

Proof that I exist just fine!

alberta# grep jblaine /etc/passwd
alberta#

alberta# getent passwd jblaine
jblaine::26560:10:Jeff Blaine:/home/jblaine:/usr/local/bin/bash
alberta#

alberta# su - jblaine
~:alberta> id
uid=26560(jblaine) gid=10(staff)
~:alberta>

================================================================================

/etc/nsswitch.conf:

passwd: files ldap
group: files ldap
hosts: files dns ldap
networks: ldap [NOTFOUND=return] files
protocols: ldap [NOTFOUND=return] files
rpc: ldap [NOTFOUND=return] files
ethers: ldap [NOTFOUND=return] files
netmasks: files ldap
bootparams: ldap [NOTFOUND=return] files
publickey: ldap [NOTFOUND=return] files
netgroup: ldap
automount: files ldap
aliases: files ldap
services: files ldap
printers: user files ldap
auth_attr: files ldap
prof_attr: files ldap
project: files ldap

================================================================================

alberta# ldapsearch -h barnowl -b dc=rcf,dc=foo,dc=com uid=jblaine
uid=jblaine,ou=People,dc=rcf,dc=foo,dc=com
uid=jblaine
cn=Jeff Blaine
objectClass=account
objectClass=posixAccount
objectClass=top
loginShell=/usr/local/bin/bash
uidNumber=26560
gidNumber=10
homeDirectory=/home/jblaine
gecos=Jeff Blaine

================================================================================

sshd auth requisite pam_authtok_get.so.1
sshd auth required pam_dhkeys.so.1
sshd auth required pam_krb5RA.so debug try_first_pass minimum_uid=100
sshd session optional pam_krb5RA.so debug minimum_uid=100
sshd session required pam_afs_session.so debug retain_after_close minimum_uid=100
sshd-kbdint auth requisite pam_authtok_get.so.1
sshd-kbdint auth required pam_dhkeys.so.1
sshd-kbdint auth required pam_krb5RA.so debug try_first_pass minimum_uid=100
sshd-kbdint session optional pam_krb5RA.so debug
sshd-kbdint session required pam_afs_session.so debug retain_after_close minimum_uid=100
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_krb5RA.so debug try_first_pass minimum_uid=100
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1
other session required pam_unix_session.so.1
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1

Comments

807559
Not a lot of consolation but we too get something very much akin to that using Solaris 9 and PAM pointing to ldap (with an Active Directory holding the account info). Instead of kerberos (which we can't use) we have tls.

Sun inform us it's a configuration issue (hence we'd need to pay for professional services and not get any 'free' support via our Gold plus support contract).
807559
I dug up my old notes and saw:

this seems to be related to ldap+tls...
PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)

I have been switching systems over to ldap for nss, krb5 for auth. Made things much nicer. AD is ldap/krb5 and users can use the Quest PuTTY for passwordless logins. My pam.conf is overly simplified...

other auth sufficient pam_krb5.so.1 (this being the only change i made)
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1
807559
Thanks for the replies so far.

That block in /etc/pam.conf doesn't solve my problem.

With a bit of playing, I seem to have tracked the problem down to this line:

other account required pam_unix_account.so.1 debug

If I change that to 'optional' OR comment it out entirely, I get the following error:

sshd[908]: [ID 430221 auth.error] load_modules: no module present
sshd[908]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authorizing: System error

If I change it back to 'required' (or uncomment it to make it live again) the error changes to the one I reported in the original post:

sshd[913]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
sshd[913]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authorizing: No account present for user

Of course, the man page for pam_unix_account reads like something written by a 1st year English as a Second Language student and is extremely terse at that.

I've opened a Sun Support ticket on this. We'll see how far I get...
807559
my solaris 9 pam.conf in that section

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1

are you using tls+ldap, if so can you turn that off?
807559
No TLS in use (nothing in LDAP to protect yet). No passwords anywhere except in Kerberos.

That's exactly what I have for 'other account' too.

Would you mind emailing me your entire pam.conf and nsswitch.conf that works for you? jblaine AT kickflop.net
807559
here is what i have in terms of changes from the defaults...

nsswitch.conf:
passwd: files ldap
group: files ldap
hosts: files dns

pam.conf:
login auth sufficient pam_krb5.so.1
other auth sufficient pam_krb5.so.1

Everything else is from the orig pam.conf. I can still send exactly what I have though. I did do something diff with ldap though, now that I think about it. I'm using padl nss_ldap. The ldapclient provided by Solaris I haven't really liked, so I build openldap libs + sasl + ssl, and then padl's nss_ldap.
807559
Silly me.

I made the assumption that since I am doing auth via Kerberos there is no reason to make accounts belong to objectClass 'shadowAccount' and also have a userPassword attribute.

I have zero desire to have these, but apparently they are required by one of the Solaris PAM modules in order to 'officially' have an account.

SMIRK

Problem solved. Note, however, that I am not sure if BOTH are required or just maybe 1 of the 2 items. If I bother to figure that out I will reply here.

Again, thanks for all of the replies!
807559
i would have both. is your ldap server openldap/ad/sunone/etc?
807559
OpenLDAP

As far as I'm concerned, it's a bug.
807559
Confirmed: objectClass shadowAccount is all that is required.

userPassword is not required.
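As an added example (not code from this thread or from Sun), the following check reads the attribute=value output format that the Solaris ldapsearch shown earlier prints, flags every posixAccount entry that lacks objectClass shadowAccount, and emits the LDIF that ldapmodify would need to add it. The two sample entries are constructed.

```python
# Added example (not from the thread): parse Solaris 9 ldapsearch output
# (DN line, then attribute=value lines, blank line between entries) and emit
# LDIF adding objectClass shadowAccount to posixAccount entries missing it.
SAMPLE_SEARCH_OUTPUT = """\
uid=jblaine,ou=People,dc=rcf,dc=foo,dc=com
objectClass=account
objectClass=posixAccount
objectClass=top
uidNumber=26560

uid=asmith,ou=People,dc=rcf,dc=foo,dc=com
objectClass=posixAccount
objectClass=shadowAccount
objectClass=top
uidNumber=26561
"""  # constructed sample: one entry without shadowAccount, one with it


def parse_entries(text: str) -> list[dict[str, list[str]]]:
    """Split ldapsearch output into entries; attribute names are lower-cased."""
    entries = []
    for block in text.strip().split("\n\n"):
        lines = block.strip().splitlines()
        entry: dict[str, list[str]] = {"dn": [lines[0].strip()]}
        for line in lines[1:]:
            attr, _, value = line.partition("=")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def missing_shadow_account(entries: list[dict[str, list[str]]]) -> list[str]:
    """DNs of posixAccount entries that carry no shadowAccount objectClass."""
    out = []
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes and "shadowaccount" not in classes:
            out.append(e["dn"][0])
    return out


def modify_ldif(dns: list[str]) -> str:
    """One LDIF 'changetype: modify' record per DN, suitable for ldapmodify."""
    return "".join(
        f"dn: {dn}\nchangetype: modify\nadd: objectClass\n"
        f"objectClass: shadowAccount\n-\n\n"
        for dn in dns
    )


if __name__ == "__main__":
    print(modify_ldif(missing_shadow_account(parse_entries(SAMPLE_SEARCH_OUTPUT))), end="")
```

Pipe a real `ldapsearch -b ou=People,... objectClass=posixAccount` capture through parse_entries instead of the sample to audit a whole directory before touching pam.conf.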
807559
userPassword is an attribute though (part of quite a few objectclasses, as an optional attrib), and I agree it isn't required to be set, unless auth was via ldap.

So I thought "both" was in relation to the posixAccount+shadowAccount objectclasses, not userPassword+shadowAccount.

what ver of openldap do you run? nice to see others using it.
807559
2.4.9 is what we're starting with. The admin guide is a bit overwhelming, but I have LDAP System Administration and "Understanding and Deploying LDAP" to help me along some.

We had to alter the default nis.schema to allow RFC2307bis-compatible nisNetgroupTriple objects so that underscores are valid (they're not valid in RFC2307's definition of nisNetgroupTriple).
807559
Some interesting comments which I may try and play with (if I am allowed to do so!).

We are stuck with ldap/tls as the ldapclient points to an W2K box with AD and the extensions for Unix. It is further complicated by the fact that the usernames are all numeric.
807559
cjblaine4,

It's possible I'm stuck where you were. I'm attempting ldap/kerberos with solaris 9 client. I'm certain kerberos is setup correctly. I can kinit just fine, I have a valid keytab etc. But I still cannot get logged in as a valid user yet. I get a message now and then that says "no account present for user". Also, "getent passwd user" works great, su - user works fine too.

FYI, we are authenticating to active directory, and the nss bit is on fedora directory server.

Please help :) If you want to email directly please do so here: phlite at gmail.com . Thanks a bunch!
807559
Hi phlite,

Well, my problem was immediately solved when I added 'objectClass: shadowAccount' to my entries. Do you have that?
807559
Hi, thanks for the reply ...

I'm not sure if I'm understanding correctly. Are you saying that /etc/ldap.conf needs extra NS_LDAP_OBJECTCLASSMAP for shadow? Or are you saying that in the ldap directory you need to add the object class shadow account to the user? Thanks.
807559
Each user entry needs to have 'objectClass: shadowAccount' in the directory.
807559
OK, I'll look into adding this, thanks a lot!
807559
I did add the shadowAccount object class to the user but it still doesn't work. I wonder if I could get a hold of a pam.conf that is setup correctly for kerberos? Also I wonder if its possible to use a debug mode to see more information .. thanks.
807559
I figured it out .. thanks.
807559
Glad to hear it. Was it something embarrassing, or was it something worth sharing for others who find this thread down the road?
807559
The shadowAccount object class was key. Also, I needed to do some schema changes on my ldap server (fedora-ds). Had to do some tweaks to /var/ldap/ldap_client_file too. This document was extremely helpful for me: http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm
Locked on Sep 19 2008
Added on Jul 23 2008
22 comments