4 Replies Latest reply on Oct 13, 2009 12:34 PM by wrobbins2

    Can't su after configuring LDAP - How should I proceed?

      On Solaris 10:
      uname -a
      SunOS my-hostname 5.10 Generic_120012-14 i86pc i386 i86pc
      After running ldapclient to configure Solaris 10 to use an OpenLDAP directory:
      ldapclient manual -v \
          -a defaultsearchbase=dc=my-domain,dc=com \
          -a proxyDN=cn=admin,dc=my-domain,dc=com \
          -a proxyPassword=my-password \
          -a domainname=my-domain.com \
          -a objectClassMap=passwd:uidnumber=uidNumber \
          -a objectClassMap=passwd:gidnumber=gidNumber \
          -a serviceSearchDescriptor=passwd:ou=Users,dc=my-domain,dc=com \
          -a serviceSearchDescriptor=group:ou=Groups,dc=my-domain,dc=com
      with the following /etc/pam.conf:
      #ident  "@(#)pam.conf   1.29    07/04/10 SMI"
      # PAM configuration
      # Authentication management
      # login service (explicit because of pam_dial_auth)
      login   auth requisite          pam_authtok_get.so.1
      login   auth required           pam_dhkeys.so.1
      login   auth required           pam_unix_cred.so.1
      login   auth required           pam_unix_auth.so.1
      login   auth required           pam_ldap.so.1
      login   auth required           pam_dial_auth.so.1
      # rlogin service (explicit because of pam_rhost_auth)
      rlogin  auth sufficient         pam_rhosts_auth.so.1
      rlogin  auth requisite          pam_authtok_get.so.1
      rlogin  auth required           pam_dhkeys.so.1
      rlogin  auth required           pam_unix_cred.so.1
      rlogin  auth required           pam_unix_auth.so.1
      # Kerberized rlogin service
      krlogin auth required           pam_unix_cred.so.1
      krlogin auth required           pam_krb5.so.1
      # rsh service (explicit because of pam_rhost_auth,
      # and pam_unix_auth for meaningful pam_setcred)
      rsh     auth sufficient         pam_rhosts_auth.so.1
      rsh     auth required           pam_unix_cred.so.1
      # Kerberized rsh service
      krsh    auth required           pam_unix_cred.so.1
      krsh    auth required           pam_krb5.so.1
      # Kerberized telnet service
      ktelnet auth required           pam_unix_cred.so.1
      ktelnet auth required           pam_krb5.so.1
      # PPP service (explicit because of pam_dial_auth)
      ppp     auth requisite          pam_authtok_get.so.1
      ppp     auth required           pam_dhkeys.so.1
      ppp     auth required           pam_unix_cred.so.1
      ppp     auth required           pam_unix_auth.so.1
      ppp     auth required           pam_dial_auth.so.1
      # Default definitions for Authentication management
      # Used when service name is not explicitly mentioned for authentication
      other   auth requisite          pam_authtok_get.so.1
      other   auth required           pam_dhkeys.so.1
      other   auth required           pam_unix_cred.so.1
      other   auth required           pam_unix_auth.so.1
      other   auth required           pam_ldap.so.1
      # passwd command (explicit because of a different authentication module)
      passwd  auth binding            pam_passwd_auth.so.1 server_policy
      passwd  auth required           pam_ldap.so.1
      # cron service (explicit because of non-usage of pam_roles.so.1)
      cron    account required        pam_unix_account.so.1
      # Default definition for Account management
      # Used when service name is not explicitly mentioned for account management
      other   account requisite       pam_roles.so.1
      other   account required        pam_unix_account.so.1
      other   account required        pam_ldap.so.1
      # Default definition for Session management
      # Used when service name is not explicitly mentioned for session management
      other   session required        pam_unix_session.so.1
      # Default definition for  Password management
      # Used when service name is not explicitly mentioned for password management
      other   password required       pam_dhkeys.so.1
      other   password requisite      pam_authtok_get.so.1
      other   password requisite      pam_authtok_check.so.1
      other   password required       pam_authtok_store.so.1
      and the following /etc/nsswitch.conf:
      # ident "@(#)nsswitch.ldap      1.10    06/05/03 SMI"
      # /etc/nsswitch.ldap:
      # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
      passwd:     files ldap
      group:      files ldap
      hosts:  files dns
      # Note that IPv4 addresses are searched for in all of the ipnodes databases
      # before searching the hosts databases.
      ipnodes:        files dns
      networks:   ldap [NOTFOUND=return] files
      protocols:  ldap [NOTFOUND=return] files
      rpc:        ldap [NOTFOUND=return] files
      ethers:     ldap [NOTFOUND=return] files
      netmasks:   ldap [NOTFOUND=return] files
      bootparams: ldap [NOTFOUND=return] files
      publickey:  ldap [NOTFOUND=return] files
      netgroup:   ldap
      automount:  files ldap
      aliases:    files ldap
      # for efficient getservbyname() avoid ldap
      services:   files ldap
      printers:   user files ldap
      auth_attr:  files ldap
      prof_attr:  files ldap
      project:    files ldap
      tnrhtp:     files ldap
      tnrhdb:     files ldap
      I am able to view users on the LDAP server, but I can't authenticate them using SSH:
      my-domain sshd[3224]: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
      SSH is configured to use PAM:
      PAMAuthenticationViaKBDInt yes
      But what's worse is that after trying "use_first_pass" thusly:
      login   auth required           pam_ldap.so.1 use_first_pass
      other   auth required           pam_ldap.so.1 use_first_pass
      I'm unable to su
      my-domain su: [ID 316739 auth.error] pam_ldap: no legal authentication method configured
      my-domain su: [ID 810491 auth.crit] 'su root' failed for my-local-user on /dev/pts/1
      Which means I can't fix anything. Since I can't ssh in, and can't su root in the current logged in session, I'm effectively locked out of this server, which is in a locked room across town.

      I've read every Googleable thread, webpage and blog post on using Solaris 10 with OpenLDAP without much success. It's a straightforward exercise on most platforms.


      1. Is single-user mode the only way to proceed?
      2. Does "no legal authentication method configured" mean what it says it means? If not, what does it mean?
      3. Is it even possible to authenticate su, ssh, Samba etc. using Solaris 10 and OpenLDAP?

      Many thanks!
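Editor's added example, not part of the original post or of any reply in the thread: two offline checks for the two failure modes the poster describes. The ldapclient line in the question passes no authenticationMethod and no credentialLevel; per ldapclient(1M) those default to none and anonymous, which leaves pam_ldap(5) with no method it may bind with and is the condition behind "no legal authentication method configured" (my reading of the Solaris 10 manual pages, not something the thread states). The su lockout follows from the "other auth" stack marking both pam_unix_auth.so.1 and pam_ldap.so.1 "required": root exists only in files, so a pam_ldap failure fails the stack for a purely local account as well. The Solaris-documented LDAP stack marks pam_unix_auth.so.1 "binding ... server_policy" instead, so a successful local authentication ends the stack before pam_ldap runs. The POSIX sh script below flags the first pattern in a pam.conf and the second in an "ldapclient list" dump. Its sample files are constructed and abbreviated to the relevant lines, and the "NAME= value" dump format is an assumption.

```shell
#!/bin/sh
# Added example, not from the original thread: offline checks for the two
# failure modes in the question, run over constructed sample files.
#
# Assumptions taken from the Solaris 10 manual pages, not from the page:
#   - pam.conf(4) fields: service module-type control-flag module-path [options]
#   - "ldapclient list" prints the profile as "NAME= value" lines, among them
#     NS_LDAP_AUTH and NS_LDAP_CREDENTIAL_LEVEL; ldapclient(1M) defaults
#     authenticationMethod to none and credentialLevel to anonymous.

# Print each PAM service whose auth stack marks BOTH pam_unix_auth and
# pam_ldap required/requisite and never marks pam_unix_auth binding or
# sufficient.  A files-only account (root) then fails whenever pam_ldap
# fails: the su lockout.  Exit 0 if any such service exists, else 1.
pam_su_lockout_risk() {
    _risky=$(awk '
        /^[ \t]*#/ || NF < 4 { next }
        $2 != "auth" { next }
        $4 ~ /pam_unix_auth\.so/ && ($3 == "required" || $3 == "requisite") { unix_req[$1] = 1 }
        $4 ~ /pam_unix_auth\.so/ && ($3 == "binding" || $3 == "sufficient") { unix_term[$1] = 1 }
        $4 ~ /pam_ldap\.so/ && ($3 == "required" || $3 == "requisite") { ldap_req[$1] = 1 }
        END { for (s in ldap_req) if (unix_req[s] && !unix_term[s]) print s }
    ' "$1" | sort)
    [ -n "$_risky" ] && printf '%s\n' "$_risky"
}

# Check an "ldapclient list" dump.  pam_ldap binds as the user, so the
# profile needs a real authenticationMethod (tls:simple preferred; plain
# simple sends the password in cleartext) and a non-anonymous
# credentialLevel.  Exit 0 when usable, 1 with the reason on stdout.
ldap_profile_auth_ok() {
    _auth=$(sed -n 's/^NS_LDAP_AUTH= *//p' "$1" | head -n 1)
    _cred=$(sed -n 's/^NS_LDAP_CREDENTIAL_LEVEL= *//p' "$1" | head -n 1)
    if [ -z "$_auth" ] || [ "$_auth" = "none" ]; then
        echo "authenticationMethod is none (ldapclient default): pam_ldap has no way to bind"
        return 1
    fi
    if [ -z "$_cred" ] || [ "$_cred" = "anonymous" ]; then
        echo "credentialLevel is anonymous (ldapclient default): set credentialLevel=proxy"
        return 1
    fi
    echo "authenticationMethod=$_auth credentialLevel=$_cred"
}

# Constructed samples (not the poster's files), written to a temp file
# whose path is printed.  weak_* reproduce the question's configuration.
sample_file() {
    _f=$(mktemp) || return 1
    case "$1" in
        weak_pam) cat >"$_f" <<'EOF'
# su has no explicit stanza and falls through to "other"
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   auth required           pam_ldap.so.1 use_first_pass
passwd  auth binding            pam_passwd_auth.so.1 server_policy
passwd  auth required           pam_ldap.so.1
EOF
        ;;
        fixed_pam) cat >"$_f" <<'EOF'
# Solaris-documented LDAP stack: local success is binding, LDAP is the fallback
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1
EOF
        ;;
        weak_ldap) cat >"$_f" <<'EOF'
NS_LDAP_BINDDN= cn=admin,dc=my-domain,dc=com
NS_LDAP_SEARCH_BASEDN= dc=my-domain,dc=com
EOF
        ;;
        fixed_ldap) cat >"$_f" <<'EOF'
NS_LDAP_BINDDN= cn=admin,dc=my-domain,dc=com
NS_LDAP_SEARCH_BASEDN= dc=my-domain,dc=com
NS_LDAP_AUTH= tls:simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
EOF
        ;;
        *) rm -f "$_f"; return 1 ;;
    esac
    echo "$_f"
}

# Demo run over the constructed samples.
for _s in weak_pam fixed_pam; do
    _f=$(sample_file "$_s")
    if pam_su_lockout_risk "$_f" >/dev/null; then
        echo "$_s: su lockout risk in service(s): $(pam_su_lockout_risk "$_f" | tr '\n' ' ')"
    else
        echo "$_s: local accounts still authenticate when pam_ldap fails"
    fi
    rm -f "$_f"
done
for _s in weak_ldap fixed_ldap; do
    _f=$(sample_file "$_s")
    echo "$_s: $(ldap_profile_auth_ok "$_f")"
    rm -f "$_f"
done
```

On a live box the inputs would be /etc/pam.conf and the output of "ldapclient list" saved to a file. The practical sequence is the reverse of what the question did: keep the existing root shell open, switch pam_unix_auth.so.1 to "binding ... server_policy" first so local su keeps working regardless of LDAP, then re-run ldapclient with authenticationMethod and credentialLevel set, and only then test an LDAP user over ssh from a second session.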