I'm trying to set up an Ubuntu 12.04 server so that users with a valid account in a remote ldap server can login to the ubuntu server.
I've followed this guide closely: http://wiki.linuxquestions.org/wiki/Pam_ldap.
When I try to ssh into that machine, this is what I see in /var/log/auth.log BEFORE entering my password:
Connection from 192.168.0.10 port 36624
Invalid user bentrupk from 192.168.0.10
input_userauth_request: invalid user bentrupk [preauth]
However, using a packet sniffer, I'm also seeing a successful query to the ldap server using my username that returns my DN in ldap.
Then I enter my password but the packet sniffer shows an ldap bind request with the right DN but with a password of "….INCORRECT".
Obviously, that's not the password I entered.
I'm assuming it's a problem with 1 or more of my pam.d config files.
I'm wondering if there is a hint from the "Invalid user" in the auth.log? There is clearly a request being made to the ldap server with the username provided by ssh before I enter my password that successfully returns the correct entry.
However, it's unclear to me which happens first: "Invalid user" in the auth.log OR the ldap search seen in the packet sniffer (and just to be clear the ssh user does not have a local account).
What can I do to debug this further or confirm that I have the right configuration?
Best Answer
I was making an incorrect assumption about what the PAM modules did. I assumed that having an account in LDAP could actually cause a module to create the user on the system (an assumption probably influenced by my webdev background) much like it could also create the home directories (pam_mkhomedir). Once I created the users locally using:
I was able to login with the doej account in LDAP.
Incidentally, I found a solution using pam_exec that would allow me to dynamically create the users, too.
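sshd decides whether a login name is valid with an NSS lookup (getpwnam) before PAM ever runs, and for a name that lookup does not know it hands PAM a fixed bogus password instead of the one typed, which is why the LDAP bind in the capture carries "INCORRECT" (the four dots in front of it are non-printable bytes of that fixed string). The following Python model of that decision is an added example, not code from the post; `nss_lookup`, `sshd_preauth`, `explain` and the sample user names are assumptions of the example.

```python
import pwd

# OpenSSH (auth-pam.c) hands PAM this fixed string instead of the typed password
# when the user failed the getpwnam() lookup; the four non-printable bytes in
# front of "INCORRECT" are what showed up as "...." in the packet capture.
SSHD_BAD_PASSWORD = "\b\n\r\x7fINCORRECT"


def nss_lookup(username):
    """Resolve a user the way sshd does: through NSS (getpwnam), never via PAM.
    A DN in LDAP is not enough; the account must be visible to getpwnam."""
    try:
        return pwd.getpwnam(username)
    except KeyError:
        return None


def sshd_preauth(username, typed_password, client_ip, lookup=nss_lookup):
    """Model sshd's pre-auth handling of a password login (assumed helper).

    Returns (auth_log_line, password_handed_to_pam). The log line is emitted
    before the password is read; PAM (and so pam_ldap's bind) runs afterwards.
    """
    if lookup(username) is None:
        # Unknown to NSS: logged immediately, and PAM later receives the bogus
        # password, so a pam_ldap bind for that DN can never succeed.
        return ("Invalid user %s from %s" % (username, client_ip),
                SSHD_BAD_PASSWORD)
    # Known account: nothing is logged at this stage, the real password reaches PAM.
    return (None, typed_password)


def explain(username, client_ip="192.168.0.10"):
    """One-line diagnosis to run on the SSH server for the failing account."""
    log_line, pam_pw = sshd_preauth(username, "<typed>", client_ip)
    if log_line is None:
        return "%s resolves via NSS; sshd will pass the real password to PAM" % username
    return ("%s is unknown to NSS (getent passwd finds nothing): sshd logs "
            "'%s' and PAM sees %r" % (username, log_line, pam_pw))


if __name__ == "__main__":
    import sys
    # Constructed default name; pass the real login name as the first argument.
    print(explain(sys.argv[1] if len(sys.argv) > 1 else "bentrupk"))
```

Running this on the server with the failing login name tells you whether the problem is on the NSS side (account not resolvable at all) or on the PAM side (account resolvable, password rejected), which is the distinction the accepted answer came down to.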