Oracle Database Discussions

Not a lot of consolation but we too get something very much akin to that using Solaris 9 and PAM pointing to ldap (with an Active Directory holding the account info). Instead of kerberos (which we can't use) we have tls.

Sun inform us it's a configuration issue (hence we'd need to pay for professional services and not get any 'free' support via our Gold plus support contract).

i dug up my old notes and saw:

this seems to be related to ldap+tls...
PAM: do_pam_account pam_acct_mgmt = 13 (No account present for user)

i have been switching systems over to ldap for nss, krb5 for auth. made things much nicer. AD is ldap/krb5 and users can use the quest putty for passwordless logins. my pam.conf is overly simplified...

other auth sufficient pam_krb5.so.1 (this being the only change i made)
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_auth.so.1

Thanks for the replies so far.

That block in /etc/pam.conf doesn't solve my problem.

With a bit of playing, I seem to have tracked the problem down to this line:

other account required pam_unix_account.so.1 debug

If I change that to 'optional' OR comment it out entirely, I get the following error:

sshd[908]: [ID 430221 auth.error] load_modules: no module present
sshd[908]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[4] while authorizing: System error

If I change it back to 'required' (or uncomment it to make it live again) the error changes to the one I reported in the original post:

sshd[913]: [ID 579461 auth.debug] pam_unix_account: entering pam_sm_acct_mgmt()
sshd[913]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[13] while authorizing: No account present for user

Of course, the man page for pam_unix_account reads like something written by a 1st year English as a Second Language student and is extremely terse at that.

I've opened a Sun Support ticket on this. We'll see how far I get...

my solaris 9 pam.conf in that section

other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account required pam_unix_account.so.1

are you using tls+ldap, if so can you turn that off?

No TLS in use (nothing in LDAP to protect yet). No passwords anywhere except in Kerberos.

That's exactly what I have for 'other account' too.

Would you mind emailing me your entire pam.conf and nsswitch.conf that works for you? jblaine AT kickflop.net

here is what i have in terms of changes from the defaults...

nsswitch.conf:
passwd: files ldap
group: files ldap
hosts: files dns

pam.conf:
login auth sufficient pam_krb5.so.1
other auth sufficient pam_krb5.so.1

everything else is from the orig pam.conf. i can still send exactly what i have though. i did do something diff with ldap though, now that i think about it. im using padl nss_ldap. the ldapclient provided by solaris i havent really liked so i build openldap libs + sasl + ssl, and then padls nss_ldap.

Silly me.

I made the assumption that since I am doing auth via Kerberos there is no reason to make accounts belong to objectClass 'shadowAccount' and also have a userPassword attribute.

I have zero desire to have these, but apparently they are required by one of the Solaris PAM modules in order to 'officially' have an account.

SMIRK

Problem solved. Note, however, that I am not sure if BOTH are required or just maybe 1 of the 2 items. If I bother to figure that out I will reply here.

Again, thanks for all of the replies!

i would have both. is your ldap server openldap/ad/sunone/etc?

OpenLDAP

As far as I'm concerned, it's a bug.

Confirmed: objectClass shadowAccount is all that is required.

userPassword is not required.

userpasswd is an attribute though (part of quite a few objectclasses, as an optional attrib), and agree it isnt required to be set, unless auth was via ldap.

so i thought both was in relation to posixaccount+shadowaccount objectclasses, not userpassword+shadowaccount.

what ver of openldap do you run? nice to see others using it.

2.4.9 is what we're starting with. The admin guide is a bit overwhelming, but I have LDAP System Administration and "Understanding and Deploying LDAP" to help me along some.

We had to alter the default nis.schema to allow RFC2307bis-compatible nisNetgroupTriple objects so that underscores are valid (they're not valid in RFC2307's definition of nisNetgroupTriple).

Some interesting comments which I may try and play with (if I am allowed to do so!).

We are stuck with ldap/tls as the ldapclient points to an W2K box with AD and the extensions for Unix. It is further complicated by the fact that the usernames are all numeric.

cjblaine4,

It's possible I'm stuck where you were. I'm attempting ldap/kerberos with solaris 9 client. I'm certain kerberos is setup correctly. I can kinit just fine, I have a valid keytab etc. But I still cannot get logged in as a valid user yet. I get a message now and then that says "no account present for user". Also, "getent passwd user" works great, su - user works fine too.

FYI, we are authenticating to active directory, and the nss bit is on fedora directory server.

Please help :) If you want to email directly please do so here: phlite at gmail.com . Thanks a bunch!

Hi phlite,

Well, my problem was immediately solved when I added 'objectClass: shadowAccount' to my entries. Do you have that?

Hi, thanks for the reply ...

I'm not sure if I'm understanding correctly. Are you saying that /etc/ldap.conf needs extra NS_LDAP_OBJECTCLASSMAP for shadow? Or are you saying that in the ldap directory you need to add the object class shadow account to the user? Thanks.

Each user entry needs to have 'objectClass: shadowAccount' in the directory.

ok, i'll look into adding this, thanks alot!

I did add the shadowAccount object class to the user but it still doesn't work. I wonder if I could get a hold of a pam.conf that is setup correctly for kerberos? Also I wonder if its possible to use a debug mode to see more information .. thanks.

I figured it out .. thanks.

Glad to hear it. Was it something embarassing, or was it something worth sharing for others who find this thread down the road?

The shadowAccount object class was key. Also, I needed to do some schema changes on my ldap server (fedora-ds) . Had to do some tweaks to /var/ldap/ldap_client_file too. This document was extremely helpful for me : http://web.singnet.com.sg/~garyttt/Configuring%20Solaris%20Native%20LDAP%20Client%20for%20Fedora%20Directory%20Server.htm .