From: Aleksander Steffensen
Date: Thu, 26 May 2011 13:49:05 +0200
To: freebsd-questions@freebsd.org
Subject: Trouble with LDAP-authentication to Apple Open Directory

Hello!

Yesterday I finally managed to get my FreeBSD 8.2-STABLE box to actually authenticate to the Xserve, running Open Directory on Mac OS X 10.5 Server. I was able to log in to the FreeBSD box (egil.kreativsone.no) as a directory user via SSH and also via netatalk.

Unfortunately, after a while, it stopped working. I can't remember doing anything at all... As far as I know, I made no changes in the configuration, either on the Xserve or on the FreeBSD box. This is what happens when I try to log in via SSH:

> mp-aleks:~ aleksander$ ssh alekstef@egil.kreativsone.no
> Password:
> alekstef@egil.kreativsone.no's password:
> Connection closed by 192.168.3.6

Notice that I enter the password once, and then it asks for the password once more, but it won't accept the password. Here is the auth.log on egil.kreativsone.no:

> May 26 13:18:24 egil sshd[5347]: error: PAM: user account has expired for alekstef from 192.168.3.16
> May 26 13:18:28 egil sshd[5347]: Failed password for alekstef from 192.168.3.16 port 62114 ssh2

I know for a fact that the user account is not expired in Open Directory. I have also checked the logs on the Xserve, but can't find anything relevant to the problem, so I assume the problem is on the FreeBSD box. Here's the part of my nss_ldap.conf file on egil.kreativsone.no that is not commented out. Everything else is the default:

> host jangunnar.kreativsone.no
> base dc=jangunnar,dc=kreativsone,dc=no
>
> ldap_version 3
> port 389
> scope one
> bind_policy soft
> pam_filter objectclass=posixAccount
> pam_login_attribute uid
>
> pam_groupdn cn=lagring,cn=groups,dc=jangunnar,dc=kreativsone,dc=no
> pam_member_attribute memberUid
>
> pam_password crypt
> nss_base_passwd cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_shadow cn=users,dc=jangunnar,dc=kreativsone,dc=no?one
> nss_base_group cn=groups,dc=jangunnar,dc=kreativsone,dc=no?one
> ssl off

I tried commenting out the pam_groupdn and pam_member_attribute lines with no success. I was hoping to restrict login to the group "lagring", but it didn't seem to work.

/etc/pam.d/sshd:

> auth sufficient pam_opie.so no_warn no_fake_prompts
> auth requisite pam_opieaccess.so no_warn allow_local
> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth required pam_unix.so no_warn try_first_pass
>
> # account
> account required pam_nologin.so
> account required pam_login_access.so
> account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user
> account required pam_unix.so
>
> # session
> session required pam_permit.so
>
> # password
> password required pam_unix.so no_warn try_first_pass

/etc/pam.d/netatalk:

> auth sufficient /usr/local/lib/pam_ldap.so no_warn
> auth include system
> account include system
> password include system
> session include system
> account required /usr/local/lib/pam_ldap.so no_warn ignore_authinfo_unavail ignore_unknown_user

I really need to get this working again. Any help is highly appreciated. Please ask if you need more information.

Thanks!

Best regards,
Aleksander Steffensen
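The "PAM: user account has expired" line comes from the account stage, and with nss_base_shadow pointing at the users container the attributes that stage sees are the shadow ones. The following diagnostic is added here as an example (it is not from the thread, and it does not claim to be the cause in this case): it reads an LDIF dump of the kind ldapsearch prints for the shadow subtree and classifies each entry under shadow(5) day-count semantics. The entries, the dc=example,dc=org suffix and the "today" date are constructed; the comparisons assume the shadow(5) rules, which pam_ldap's account check follows.

```python
# Added diagnostic: classify LDAP shadow attributes under shadow(5) semantics
# so an unexpected "account has expired" can be traced to a concrete attribute.
# Sample entries below are constructed, not taken from any real directory.
from datetime import date

EPOCH = date(1970, 1, 1)

SAMPLE_LDIF = """\
dn: uid=alice,cn=users,dc=example,dc=org
uid: alice
shadowLastChange: 15000
shadowMax: 99999
shadowExpire: 15100

dn: uid=bob,cn=users,dc=example,dc=org
uid: bob
shadowLastChange: 15000
shadowMax: 99999
"""

def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value'."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur[attr.strip()] = value.strip()
    return entries

def shadow_status(entry, today):
    """shadow(5) day counts: shadowExpire disables the account outright;
    shadowLastChange + shadowMax (+ shadowInactive) only age the password."""
    now = (today - EPOCH).days
    expire = int(entry.get("shadowExpire", -1))
    if expire >= 0 and now > expire:
        return "account_expired"       # the case PAM reports as ACCT_EXPIRED
    if "shadowLastChange" not in entry or "shadowMax" not in entry:
        return "ok"                    # no password-ageing policy published
    last, maxage = int(entry["shadowLastChange"]), int(entry["shadowMax"])
    inactive = int(entry.get("shadowInactive", -1))
    if inactive >= 0 and now > last + maxage + inactive:
        return "password_inactive"     # grace period after expiry is used up
    if now > last + maxage:
        return "password_expired"      # password, not the account, expired
    return "ok"

def report(ldif_text, today):
    """Map uid -> status for every entry in an LDIF dump."""
    return {e["uid"]: shadow_status(e, today) for e in parse_ldif(ldif_text)}
```

Feed it the output of an ldapsearch against the configured nss_base_shadow subtree and compare the result for the failing uid with what the directory's own admin tools say about the account.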