From: Jamie C. <jca...@we...> - 2009-12-10 19:12:36
On 10/Dec/2009 07:11 Craig White <cra...@az...> wrote ..
> On Wed, 2009-12-09 at 21:33 -0800, Jamie Cameron wrote:
> > On 09/Dec/2009 06:44 Craig White <cra...@az...> wrote ..
> > > On Tue, 2009-12-08 at 22:37 -0800, Jamie Cameron wrote:
> > > > On 08/Dec/2009 21:22 Craig White <cra...@az...> wrote ..
> > > > > I set up a 'webmin' group and added a couple of users using 'Unix
> > > > > authentication' but they cannot log in. The users are LDAP users but
> > > > > they do have 'crypt' passwords (actually created in LDAP Users and
> > > > > Groups) and they can login to IMAP, etc. They do have valid shells.
> > > > >
> > > > > I've done this on another setup so I would expect it to work here and I
> > > > > don't recall running into this issue before.
> > > > >
> > > > > Version was 1.490 but now I updated to 1.500 but that changed nothing.
> > > > >
> > > > > I turned on logging for login/logout but it doesn't show the failures...
> > > > > it's just a failure and it doesn't seem to be blocking the 'host'
> > > > > either.
> > > > >
> > > > > I played with /etc/pam.d/webmin (temporarily substituting the samba
> > > > > code) but no change.
> > > > >
> > > > > A 'normal' user (in /etc/passwd) can login but not LDAP User and
> > > > > obviously I can login as 'root'
> > > > >
> > > > > Any guesses as to what I should be looking at?
> > > > >
> > > > > Craig
> > > > >
> > > > > # am, People, example.com
> > > > > dn: uid=user,ou=People,dc=example,dc=com
> > > > > sambaPwdLastSet: 1259889669
> > > > > sambaPwdCanChange: 1259889669
> > > > > shadowLastChange: 14582
> > > > > sambaLogonScript: logon.bat
> > > > > sambaProfilePath: \\SRV1\profiles\am
> > > > > cn: USER NAME
> > > > > uidNumber: 1004
> > > > > sambaPrimaryGroupSID: S-1-5-21-1006409503-3758972879-1457747992-513
> > > > > sambaAcctFlags: [U ]
> > > > > gecos: USER NAME
> > > > > mail: us...@ex...
> > > > > uid: am
> > > > > sambaHomePath: \\SRV1\homes\user
> > > > > homeDirectory: /home/users/user
> > > > > objectClass: posixAccount
> > > > > objectClass: shadowAccount
> > > > > objectClass: person
> > > > > objectClass: top
> > > > > objectClass: calEntry
> > > > > objectClass: inetLocalMailRecipient
> > > > > objectClass: sambaSamAccount
> > > > > objectClass: inetOrgPerson
> > > > > sambaDomainName: SAMBA_DOMAIN
> > > > > gidNumber: 100
> > > > > givenName: USER
> > > > > sambaSID: S-1-5-21-1006409503-3758972879-1457747992-3008
> > > > > sambaHomeDrive: h:
> > > > > sn: NAME
> > > > > calFBURL:
> > > > > loginShell: /bin/sh
> > > >
> > > > I can think of a couple of things to check :
> > > >
> > > > 1) Are these LDAP users recognized by the system as Unix users, via
> > > > a proper NSS-LDAP configuration? If you can SSH in as one of these
> > > > users, that indicates all is setup correctly.
> > > >
> > > > 2) Is /etc/pam.d/webmin configured to use LDAP, and is the Authen::LDAP
> > > > perl module installed.
> > > >
> > > > Also, check the log file /var/log/secure or /var/log/authlog when a user
> > > > tries to login to Webmin to see what PAM messages appear ..
> > > ----
> > > 1. I am assuming a 'proper' nss-ldap configuration (i.e. /etc/ldap.conf
> > > and /etc/nsswitch.conf) and all users whether in /etc/passwd or in LDAP
> > > can login via SSH (assuming valid shell), can authenticate to other
> > > services such as smtp-auth, imapd-auth, samba, netatalk and are listed
> > > with 'getent passwd' command. I have verified that these same users can
> > > login via ssh, netatalk and imap but cannot login to webmin.
> > >
> > > 2. No, /etc/pam.d/webmin just lists...
> > > #%PAM-1.0
> > > auth required pam_unix.so nullok
> > > account required pam_unix.so
> > > session required pam_unix.so
> > >
> > > and I did try the configuration that works for samba & netatalk
> > > #%PAM-1.0
> > > auth required pam_nologin.so
> > > auth include system-auth
> > > account include system-auth
> > > session include system-auth
> > > password include system-auth
> > >
> > > since system-auth has the ldap bits but it made no difference. Just for
> > > kicks, I checked a different system where LDAP users can login to webmin
> > > and there wasn't any /etc/pam.d/webmin module at all.
> >
> > Yes, the version with system-auth is definitely required, or else Webmin's
> > PAM calls won't know to use LDAP.
> >
> > > Now I do remember previous versions of Webmin always wanting me to
> > > install some perl module not already installed when I went to LDAP Users
> > > and Groups the first time but in this case, I was never asked so I went
> > > to the Perl Module and simply could not find Authen::LDAP but under
> > > 'suggested' modules, I ended up getting Bundle::Net::LDAP installed.
> > > Authen::Libwrap is simply not installable from your 'suggested
> > > modules' (it wants the user to select a continent).
> > >
> > > /var/log/secure only notes...
> > > Dec 9 07:29:50 srv1 webmin[23607]: Invalid login as sj from 192.168.1.6
> > >
> > > * and watching my slapd logs, it just seems that webmin gives up
> > > quickly because it seems to bind, perform the user search and
> > > then the connection is closed abruptly.
> >
> > The perl module you need is Authen::PAM .. this can be either added
> > manually or at Others -> Perl Modules. You will need to restart Webmin
> > after installing it.
> ----
> tells me that it was already installed...
>
> # yum install perl-Authen-PAM
> Loaded plugins: dellsysid, fastestmirror, priorities
> Loading mirror speeds from cached hostfile
> * addons: mirrors.easynews.com
> * base: mirror.its.uidaho.edu
> * dell-community: linux.dell.com
> * extras: mira.sunsite.utk.edu
> * rpmforge: apt.sw.be
> * updates: mirror.stanford.edu
> 459 packages excluded due to repository priority protections
> Setting up Install Process
> Package perl-Authen-PAM-0.16-1.2.el5.rf.x86_64 already installed and
> latest version
> Nothing to do
>
> I have to run out now but I will put in my 'system-auth' version of a
> pam.d module for webmin and restart webmin and see if that changes
> anything but I suspect that I had perl-Authen-PAM installed all along.

Make sure you restart Webmin too, with /etc/webmin/restart .. in case it
was started after Authen::PAM was installed.

- Jamie
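The thread turns on two checks: whether the Webmin PAM stack routes through the system stack (so pam_ldap is consulted) rather than pam_unix alone, and whether the Authen::PAM perl module is loadable. The script below is an added example, not part of the thread or of Webmin; it parses a PAM service file and reports whether its auth and account lines reach system-auth or pam_ldap.so, and it checks Authen::PAM the way a troubleshooter would. The two sample files it writes are constructed copies of the two stacks quoted above; the file names, the function names and the use of `system-auth` as the shared stack name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): does a Webmin PAM service file
# let LDAP users authenticate? A stack that only names pam_unix.so checks
# /etc/shadow, so LDAP accounts fail; a stack that includes system-auth
# (or names pam_ldap.so directly) can reach them.

# pam_stack_reaches_ldap FILE
# Returns 0 when both the 'auth' and 'account' lines of FILE go through
# system-auth (include/substack) or pam_ldap.so, 1 otherwise.
# Comment lines, including the #%PAM-1.0 header, are ignored.
pam_stack_reaches_ldap() {
    file="$1"
    for kind in auth account; do
        grep -v '^[[:space:]]*#' "$file" \
          | awk -v t="$kind" '$1 == t' \
          | grep -Eq '(include|substack)[[:space:]]+system-auth|pam_ldap\.so' \
          || return 1
    done
    return 0
}

# write_samples DIR: constructed copies of the two stacks quoted in the thread.
write_samples() {
    dir="$1"
    cat > "$dir/webmin.unix" <<'EOF'
#%PAM-1.0
auth       required   pam_unix.so nullok
account    required   pam_unix.so
session    required   pam_unix.so
EOF
    cat > "$dir/webmin.sysauth" <<'EOF'
#%PAM-1.0
auth       required   pam_nologin.so
auth       include    system-auth
account    include    system-auth
session    include    system-auth
password   include    system-auth
EOF
}

# authen_pam_present: 0 if perl can load Authen::PAM on this host, 1 otherwise.
authen_pam_present() {
    perl -MAuthen::PAM -e 1 >/dev/null 2>&1
}

# Stand-alone run: report on the two samples, then on the live host.
main() {
    tmp=$(mktemp -d)
    write_samples "$tmp"
    for f in "$tmp/webmin.unix" "$tmp/webmin.sysauth"; do
        if pam_stack_reaches_ldap "$f"; then
            echo "$(basename "$f"): auth/account reach system-auth or pam_ldap"
        else
            echo "$(basename "$f"): pam_unix only, LDAP users will be refused"
        fi
    done
    if authen_pam_present; then
        echo "Authen::PAM: loadable"
    else
        echo "Authen::PAM: not loadable (install it, then restart Webmin)"
    fi
    rm -rf "$tmp"
}

main "$@"
```

Point `pam_stack_reaches_ldap` at `/etc/pam.d/webmin` on the affected host to get the same verdict for the real file; the `webmin.unix` sample is exactly the stack that lets local users in while refusing LDAP users, which matches the symptom described in the thread.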