Search Results

Search found 360 results on 15 pages for 'pam'.

Page 3/15 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • Account Lockout with pam_tally2 in RHEL6

    - by Aaron Copley
    I am using pam_tally2 to lockout accounts after 3 failed logins per policy, however, the connecting user does not receive the error indicating pam_tally2's action. (Via SSH.) I expect to see on the 4th attempt: Account locked due to 3 failed logins No combination of required or requisite or the order in the file seems to help. This is under Red Hat 6, and I am using /etc/pam.d/password-auth. The lockout does work as expected but the user does not receive the error described above. This causes a lot of confusion and frustration as they have no way of knowing why authentication fails when they are sure they are using the correct password. Implementation follows NSA's Guide to the Secure Conguration of Red Hat Enterprise Linux 5. (pg.45) It's my understanding that that only thing changed in PAM is that /etc/pam.d/sshd now includes /etc/pam.d/password-auth instead of system-auth. If locking out accounts after a number of incorrect login attempts is required by your security policy, implement use of pam_tally2.so. To enforce password lockout, add the following to /etc/pam.d/system-auth. First, add to the top of the auth lines: auth required pam_tally2.so deny=5 onerr=fail unlock_time=900 Second, add to the top of the account lines: account required pam_tally2.so EDIT: I get the error message by resetting pam_tally2 during one of the login attempts. user@localhost's password: (bad password) Permission denied, please try again. user@localhost's password: (bad password) Permission denied, please try again. (reset pam_tally2 from another shell) user@localhost's password: (good password) Account locked due to ... Account locked due to ... Last login: ... [user@localhost ~]$

    Read the article

  • Logging on as root without winbind timeouts

    - by Josh Kelley
    How can I set up my Linux box so that, if the Active Directory domain controller is down, I can still log in as root, without any timeouts or delays? Following the example of most of the documentation out there, I've listed pam_winbind.so before pam_unix.so in my /etc/pam.d configurations. I believe that this is the cause of the problem. I remember seeing alternate /etc/pam.d setups that change the order and maybe add either pam_localuser or pam_succeed_if (to see if the uid is less than 500), but I can't find any specifics now (and I'm not enough of an expert in PAM to quickly and easily come up with a robust configuration on my own). What is the recommended setup for PAM with Winbind to avoid timeouts and delays if Active Directory is unavailable?

    Read the article

  • Authenticate by libpam-mysql and libnss-mysql (CentOS)

    - by Chris
    I'm trying to get MySQL to function as a backend for authenticating users on CentOS 6.3. So far I have successfully installed and configured libnss-mysql. I can test this by doing: # groups testuser testuser : sftp Testuser is a member of the sftp group in fact, all MySQL based useraccounts will be hardcoded to it. The sftp group is chrooted and forced to use internal-sftp so they cannot do anything but access their home directory. Then I configured pam-mysql and PAM to allow mysql logins. This also works.. When SELinux is not enforcing. When I do setenforce 1 users can no longer login. Error: Permission denied, please try again. This is my pam_mysql.conf file: users.host=localhost users.db_user=nss-pam-user users.db_passwd=*********** users.database=sftpusers users.table=users users.user_column=username users.password_column=password users.password_crypt=6 verbose=1 My /etc/pam.d/sshd: #%PAM-1.0 auth sufficient pam_sepermit.so auth include password-auth auth required pam_mysql.so config_file=/etc/pam_mysql.conf account sufficient pam_nologin.so account include password-auth account required pam_mysql.so config_file=/etc/pam_mysql.conf password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth And to be complete the contents of some log files.. /var/logs/secure Nov 20 14:52:20 hostname unix_chkpwd[4891]: check pass; user unknown Nov 20 14:52:20 hostname unix_chkpwd[4891]: password check failed for user (testuser) Nov 20 14:52:20 hostname sshd[4880]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.10.107 user=testuser Nov 20 14:52:22 sftpusers sshd[4880]: Failed password for testuser from 192.168.10.107 port 51849 ssh2 /var/logs/audit/audit.log type=USER_AUTH msg=audit(1353420107.070:812): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=pubkey acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed' type=USER_AUTH msg=audit(1353420112.312:813): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="testuser" exe="/usr/sbin/sshd" hostname=192.168.10.107 addr=192.168.10.107 terminal=ssh res=failed' type=USER_AUTH msg=audit(1353420112.456:814): user pid=5285 uid=0 auid=500 ses=24 subj=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=password acct="testuser" exe="/usr/sbin/sshd" hostname=? addr=192.168.10.107 terminal=ssh res=failed' I tried to let audit2why explain the problem but it remains silent even though there are some errors. Does anyone see the problem? Thanks! EDIT: Turns out it's almost working with setenforce 0 I can mkdir foobar but if I do a single ls I get an error: Received message too long 16777216

    Read the article

  • How to grant su access to wheel without asking for password on FreeBSD?

    - by cstamas
    I would like to grant users of the wheel group (other sysadmins) su access without being asked for password. I know how to do it with pam in linux, but the question now is for FreeBSD. I am not familiar with the syntax for FreeBSD's PAM subsystem. What shall I enter in /etc/pam.d/su instead of the default: auth sufficient pam_rootok.so no_warn auth sufficient pam_self.so no_warn auth requisite pam_group.so no_warn group=wheel root_only fail_safe ruser auth include system # account account include system # session session required pam_permit.so

    Read the article

  • login as rsh in rhel 6 without entering password

    - by cartmancakes
    I need to be able to login to a RHEL 6 server using rsh (please don't flame me about security, it's irrelevant in this particular instance) as root without having to enter a password. My procedure for setting this up works great in RHEL 5.x, but does not work in RHEL 6. I suspect this has something to do with PAM, but I'm inexperienced with how to use PAM. Can someone help me with this? /etc/pam.d/rsh auth required pam_rhosts.so auth required pam_nologin.so account include common-account password include common-password session required pam_loginuid.so session include common-session /etc/pam.d/rlogin auth required pam_nologin.so auth [user_unknown=ignore success=ok ignore=ignore auth_err=die default=bad] pam_securetty.so auth sufficient pam_rhosts.so auth include common-auth auth required pam_mail.so account include common-account password include common-password session required pam_loginuid.so session include common-session Thanks!

    Read the article

  • Adding local users / passwords on Kerberized Linux box

    - by Brian
    Right now if I try to add a non-system user not in the university's Kerberos realm I am prompted for a Kerberos password anyway. Obviously there is no password to be entered, so I just press enter and see: passwd: Authentication token manipulation error passwd: password unchanged Typing passwd newuser has the same issue with the same message. I tried using pwconv in the hopes that only a shadow entry was needed, but it changed nothing. I want to be able to add a local user not in the realm and give them a local password without being bothered about Kerberos. I am on Ubuntu 10.04. Here are my /etc/pam.d/common-* files (the defaults that Ubuntu's pam-auth-update package generates): account # here are the per-package modules (the "Primary" block) account [success=1 new_authtok_reqd=done default=ignore] pam_unix.so # here's the fallback if no module succeeds account requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around account required pam_permit.so # and here are more per-package modules (the "Additional" block) account required pam_krb5.so minimum_uid=1000 # end of pam-auth-update config auth # here are the per-package modules (the "Primary" block) auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000 auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass # here's the fallback if no module succeeds auth requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around auth required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config password # here are the per-package modules (the "Primary" block) password requisite pam_krb5.so minimum_uid=1000 password [success=1 default=ignore] pam_unix.so obscure use_authtok try_first_pass sha512 # here's the fallback if no module succeeds password requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around password required pam_permit.so # and here are more per-package modules (the "Additional" block) # end of pam-auth-update config session # here are the per-package modules (the "Primary" block) session [default=1] pam_permit.so # here's the fallback if no module succeeds session requisite pam_deny.so # prime the stack with a positive return value if there isn't one already; # this avoids us returning an error just because nothing sets a success code # since the modules above will each just jump around session required pam_permit.so # and here are more per-package modules (the "Additional" block) session optional pam_krb5.so minimum_uid=1000 session required pam_unix.so # end of pam-auth-update config

    Read the article

  • OpenLDAP PAM authen does not support SSHA on FreeBSD10

    - by suker200
    OpenLDAP PAM authen does not support SSHA? Hi everyone, Now, I lost one day to figure out, the reason my FreeBSD10 can not authenticate SSH user via LDAP because pam_ldap and nss_ldap do not support SSHA password when OpenLDAP support SSHA method. I have checked /usr/local/etc/ldap.conf, they just have these pam_password methods: clear, crypt, nds, racf, ad, exop. So, If I switch to CRYPT, I can authenticate successfully. So, IMHO, I will be very appreciative for any point or suggestion from everyone to make my FreeBSD10 PAM support SSHA, is there any way or can not? Infor: Ldap Server (389 DS - Centos) - Ldap client (FreeBSD10) what I have got: authen via Ldap between Centos - Centos (Okie). Centos (Ldap Server) - FreeBSD failed (work if I using crypt) Thank and BR Suker200

    Read the article

  • Solaris 11.1 smb share pam.conf

    - by websta
    I would like to enable an SMB share on Solaris 11.1 x64 My steps: pkg install service/filesystem/smb svcadm enable -r smb/server echo "other password required pam_smb_passwd.so.1 nowarn" >> /etc/pam.conf useradd public smbadm enable-user public zfs set share=name=fs1,path=/rpool/fs1,prot=smb rpool/fs1 zfs set sharesmb=on rpool/fs1 passwd -r files public Step 8 failes: It is not possible to enter a password, output is: solaris passwd -r files public Please try again Please try again Permission denied If I uncomment the new line in pam.conf, it is possible to change the password. Nevertheless, it is not possible to access the share from Windows 7. The Solaris machine is reachable with ping. Access with another SMB enabled user is denied too.

    Read the article

  • NFS users getting a laggy GUI expierence

    - by elzilrac
    I am setting up a system (ubuntu 12.04) that uses ldap, pam, and autofs to load users and their home folders from a remote server. One of the options for login is sitting down at the machine and starting a GUI session. Programs such as chormium (browser) that preform many read/write operations in the ~/.cache and ~/.config files are slowing down the GUI experience as well as putting strain of the NFS server that is causing other users to have problems. Ubuntu had the handy-dandy XDG_CONFIG_HOME and XDG_CACHE_HOME variables that can be set to change the default location of .cache and .config from the home folder to somewhere else. There are several places to set them, but most of them are not optimal. /etc/environment pros: will work across all shells cons: cannot use variables like $USER so that you can't make users have different new locations for .cache and .config. Every users' new location would be the same directory. /etc/bash.bashrc pros: $USER works, so you can place them in different folders cons: only gets run for bash compatible shells ~/.pam_environment pros: works regardless of shell cons: cannot use system variables (like $USER), has it's own syntax, and has to be created for every user

    Read the article

  • vsftpd with pam_winbind.so

    - by David
    I'm trying to setup vsftpd to use logins from our domain. I want the ftp users to be able to login using their active directory username/password and have be able to have full access to /media/storage/ftp/username. I setup pptp using winbind and it is working fine, so I belive the issue is with vsftpd and pam. The ftp server runs and gives 530 for the login. I turned on debug for the pam module, but I see nothing in the syslog. Vsftp only logs a wrong login in its log. /etc/pam.d/vsftpd auth required pam_winbind.so debug /etc/vsftpd.conf listen=YES listen_ipv6=NO connect_from_port_20=YES anonymous_enable=NO local_enable=YES write_enable=YES xferlog_enable=YES idle_session_timeout=600 data_connection_timeout=120 nopriv_user=ftp ftpd_banner=Welcome to Scantiva! Authorized access only! local_umask=022 local_root=/media/storage/ftp/$USER user_sub_token=$USER chroot_local_user=YES secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd guest_enable=YES guest_username=ftp ssl_enable=YES allow_anon_ssl=NO force_local_data_ssl=NO force_local_logins_ssl=NO ssl_tlsv1=YES ssl_sslv2=YES ssl_sslv3=YES rsa_cert_file=/etc/ssl/private/vsftpd.pem

    Read the article

  • sudo taking long time

    - by Sam
    On a Ubuntu 9 64bit Linux machine, sudo takes longer time to start. "sudo echo hi" takes 2-3 minutes. strace on sudo tells poll("/etc/pam.d/system-auth", POLLIN) timesout after 5 seconds and there are multiple calls(may be a loop) to same system call (which causes 2-3min delay). Any idea why sudo has to wait for /etc/pam.d/system-auth? Any tunable to make sudo to timeout faster? Thanks Samuel

    Read the article

  • Linux with winbind, disable local users while AD is available?

    - by Salkin
    Routers and switches with RADIUS authentication can be configured such that login is disabled for locally configured users as long as the RADIUS server is available. If the RADIUS server becomes unavailable, they fall back to allowing login as a locally configured user. Is it possible to achieve the same effect with Linux machines using winbind to authenticate Active Directory users? I have a feeling it could be done with the right PAM configuration, but I'm not very far along on the PAM learning curve...

    Read the article

  • Ubuntu 12.04 // Likewise Open // Unable to ever authenticate AD users

    - by Rob
    So Ubuntu 12.04, Likewise latest from the beyondtrust website. Joins domain fine. Gets proper information from lw-get-status. Can use lw-find-user-by-name to retrieve/locate users. Can use lw-enum-users to get all users. Attempting to login with an AD user via SSH generates the following errors in the auth.log file: Nov 28 19:15:45 hostname sshd[2745]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory Nov 28 19:15:45 hostname sshd[2745]: PAM adding faulty module: pam_winbind.so Nov 28 19:15:51 hostname sshd[2745]: error: PAM: Authentication service cannot retrieve authentication info for DOMAIN\\user.name from remote.hostname Nov 28 19:16:06 hostname sshd[2745]: Connection closed by 10.1.1.84 [preauth] Attempting to login via the LightDM itself generates similar errors in the auth.log file. Nov 28 19:19:29 hostname lightdm: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory Nov 28 19:19:29 hostname lightdm: PAM adding faulty module: pam_winbind.so Nov 28 19:19:47 hostname lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "DOMAIN\user.name" Nov 28 19:19:52 hostname lightdm: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:DOMAIN\user.name][error code:40022] Nov 28 19:19:54 hostname lightdm: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory Nov 28 19:19:54 hostname lightdm: PAM adding faulty module: pam_winbind.so Attempting to login via a console on the system itself generates slightly different errors: Nov 28 19:31:09 hostname login[997]: PAM unable to dlopen(pam_winbind.so): /lib/security/pam_winbind.so: cannot open shared object file: No such file or directory Nov 28 19:31:09 hostname login[997]: PAM adding faulty module: pam_winbind.so Nov 28 19:31:11 hostname login[997]: [lsass-pam] [module:pam_lsass]pam_sm_authenticate error [login:DOMAIN\user.name][error code:40022] Nov 28 19:31:14 hostname login[997]: FAILED LOGIN (1) on '/dev/tty2' FOR 'DOMAIN\user.name', Authentication service cannot retrieve authentication info Nov 28 19:31:31 hostname login[997]: FAILED LOGIN (2) on '/dev/tty2' FOR 'DOMAIN\user.name', Authentication service cannot retrieve authentication info I am baffled. The errors obviously are correct, the file /lib/security/pam_winbind.so does not exist. If its a dependancy/required, surely it should be part of the package? I've installed/reinstalled, I've used the downloaded package from the beyondtrust website, i've used the repository, nothing seems to work, every method of installing this application generates the same errors for me. UPDATE : Hrmm, I thought likewise didn't use native winbind but its own modules. Installing winbind from apt-get uninstalls pbis-open (likewise) and generates failures when installing if pbis-open is installed first. Uninstalled winbind, reinstalled pbis-open, same issue as above. The file pam_winbind.so does not exist in that location. Setting up pbis-open-legacy (7.0.1.918) ... Installing Packages was successful This computer is joined to DOMAIN.LOCAL New libraries and configurations have been installed for PAM and NSS. Clearly it thinks it has installed it, but it hasn't. It may be a legacy issue with the previous attempt to configure domain integration manually with winbind. Does anyone have a working likewise-open installation and does the /etc/nsswitch.conf include references to winbind? Or do the /etc/pam.d/common-account or /etc/pam.d/common-password reference pam_winbind.so? I'm unsure if those entries are just legacy or setup by likewise. UPDATE 2 : Complete reinstall of OS fixed it and it worked seamlessly, like it was meant to and those 2 PAM files did NOT include entries for pam_winbind.so, so that was the underlying problem. Thanks for the assist.

    Read the article

  • vsftp login errors 530 login incorrect

    - by mcktimo
    Using Ubuntu 10.04 on an aws ec2 instance. I was happy just using ssh but then a wordpress plugin needs ftp access...I just need ftp access for one site www.sitebuilt.net which is in /home/sitebuil. I installed a vftpd and pam and followed suggestions that got me to the following state /etc/vftpd.conf listen=YES anonymous_enable=NO local_enable=YES write_enable=YES dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES xferlog_file=/var/log/vsftpd.log secure_chroot_dir=/var/run/vsftpd/empty pam_service_name=vsftpd rsa_cert_file=/etc/ssl/private/vsftpd.pem guest_enable=YES user_sub_token=$USER local_root=/home/$USER chroot_local_user=YES hide_ids=YES check_shell=NO userlist_file=/etc/vsftpd_users /etc/pam.d/vsftpd # Standard behaviour for ftpd(8). auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed # Note: vsftpd handles anonymous logins on its own. Do not enable pam_ftp.so. # Standard pam includes @include common-account @include common-session @include common-auth auth required pam_shells.so # Customized login using htpasswd file auth required pam_pwdfile.so pwdfile /etc/vsftpd/passwd account required pam_permit.so session optional pam_keyinit.so force revoke auth include system-auth account include system-auth session include system-auth session required pam_loginuid.so /etc/vsftpd_users sitebuil tim /etc/passwd ... sitebuil:x:1002:100:sitebuilt systems:/home/sitebuil:/bin/sh ftp:x:108:113:ftp daemon,,,:/srv/ftp:/sbin/nologin /etc/vsftpd/passwd sitebuil:Kzencryptedpwd /var/log/vftpd.log Wed Feb 29 15:15:48 2012 [pid 20084] CONNECT: Client "98.217.196.12" Wed Feb 29 15:16:02 2012 [pid 20083] [sitebuil] FAIL LOGIN: Client "98.217.196.12" Wed Feb 29 16:12:33 2012 [pid 20652] CONNECT: Client "98.217.196.12" Wed Feb 29 16:12:45 2012 [pid 20651] [sitebuil] FAIL LOGIN: Client "98.217.196.12"

    Read the article

  • Postfix SASL Authentication using PAM_Python

    - by Christian Joudrey
    Cross-post from: http://stackoverflow.com/questions/4337995/postfix-sasl-authentication-using-pam-python Hey guys, I just set up a Postfix server in Ubuntu and I want to add SASL authentication using PAM_Python. I've compiled pam_python.so and made sure that it is in /lib/security. I've also added created the /etc/pam.d/smtp file and added: auth required pam_python.so test.py The test.py file has been placed in /lib/security and contains: # # Duplicates pam_permit.c # DEFAULT_USER = "nobody" def pam_sm_authenticate(pamh, flags, argv): try: user = pamh.get_user(None) except pamh.exception, e: return e.pam_result if user == None: pam.user = DEFAULT_USER return pamh.PAM_SUCCESS def pam_sm_setcred(pamh, flags, argv): return pamh.PAM_SUCCESS def pam_sm_acct_mgmt(pamh, flags, argv): return pamh.PAM_SUCCESS def pam_sm_open_session(pamh, flags, argv): return pamh.PAM_SUCCESS def pam_sm_close_session(pamh, flags, argv): return pamh.PAM_SUCCESS def pam_sm_chauthtok(pamh, flags, argv): return pamh.PAM_SUCCESS When I test the authentication using auth plain amltbXkAamltbXkAcmVhbC1zZWNyZXQ= I get the following response: 535 5.7.8 Error: authentication failed: no mechanism available In the postfix logs I have this: Dec 2 00:37:19 duo postfix/smtpd[16487]: warning: SASL authentication problem: unknown password verifier Dec 2 00:37:19 duo postfix/smtpd[16487]: warning: SASL authentication failure: Password verification failed Dec 2 00:37:19 duo postfix/smtpd[16487]: warning: localhost.localdomain[127.0.0.1]: SASL plain authentication failed: no mechanism available Any ideas? tl;dr Anyone have step by step instructions on how to set up PAM_Python with Postfix? Christian

    Read the article

  • Folder permissions when using /etc/skel and pam

    - by rothgar
    I have a Red Hat 5.8 server that is bound to active directory and users are authenticated via active directory when they log in via sftp. User home folders are created during login using /etc/pam.d/system-auth. The specific line that creates the home folder is session optional pam_mkhomedir.so skel=/etc/skel/ umask=0066 This correctly gives home folders 711 permissions so no one else can read their directories. The problem is, the pam_mkhomedir.so also modifies permissions on all folders/files inside the /etc/skel folder which I don't want. There is a public_html folder (for apache) which needs to have 755 permissions so users can create web pages. Is there a way for me to either a) stop pam_mkhomedir.so from recursively changing all the file permissions or b) create a script that creates the public_html folder after skel is copied and to set the correct permissions?

    Read the article

  • Error getting PAM / Linux integrated with Active Directory

    - by topper
    I'm trying to add a Linux server to a network which is controlled by AD. The aim is that users of the server will be able to authenticate against the AD domain. I have Kerberos working, but NSS / PAM are more problematic. I'm trying to debug with a simple command such as the following, please see the error. Can anyone assist me to debug? root@antonyg04:~# ldapsearch -H ldap://raadc04.corp.MUNGED.com/ -x -D "cn=MUNGED,ou=Users,dc=corp,dc=MUNGED,dc=com" -W uid=MUNGED Enter LDAP Password: ldap_bind: Invalid credentials (49) additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece I have had to munge some details, but I can tell you that cn=MUNGED is my username for logging into the AD domain, and the password that I typed was the password for said domain. I don't know why it says "Invalid credentials", and the rest of the error is so cryptic, I have no idea. Is my approach somehow flawed? Is my DN obviously wrong? How can I confirm the correct DN? There was a tool online but I can't find it. NB I have no access to the AD Server for administration or configuration.

    Read the article

  • Desktop login fails, terminal works

    - by Tobias
    I have a freshly setup 12.04 LTS pc system (120 GB SSD, 1 TB HDD, 16 GiB RAM); since a few days, I can't login to the graphical desktop anymore: there is very short flashing shell window which disappears very quickly, and I'm confronted with the login screen again. I believe there is something about modprobe and vbox, but I can't read it fast enough ... I can login to a terminal (Ctrl+Alt+F1). It did not help to chown all contents of my home directory to me:my-group, like suggested here. This is what I could find in /var/log, grepping for the date and time (I inserted linebreaks after <my-hostname>; real time values preserved): auth.log: <date> 22:43:01 <my-hostname> lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "tobias" <date> 22:43:08 <my-hostname> lightdm: pam_unix(lightdm:session): session closed for user lightdm <date> 22:43:08 <my-hostname> lightdm: pam_unix(lightdm:session): session opened for user tobias by (uid=0) <date> 22:43:08 <my-hostname> lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0 <date> 22:43:08 <my-hostname> lightdm: pam_unix(lightdm:session): session closed for user tobias <date> 22:43:09 <my-hostname> lightdm: pam_unix(lightdm:session): session opened for user lightdm by (uid=0) <date> 22:43:09 <my-hostname> lightdm: pam_ck_connector(lightdm:session): nox11 mode, ignoring PAM_TTY :0 <date> 22:43:10 <my-hostname> lightdm: pam_succeed_if(lightdm:auth): requirement "user ingroup nopasswdlogin" not met by user "tobias" <date> 22:43:10 <my-hostname> dbus[756]: [system] Rejected send message, 2 matched rules; type="method_call", sender="1:43" (uid=104 pid=1639 comm="/usr/lib/indicator-datetime/indicator-datetime-ser") interface="org.freedesktop.DBus.Properties" member="GetAll" error name="(unset)" requested_reply="0" destination=":1.15" (uid=0 pid=1005 comm="/usr/sbin/console-kit-daemon --no-daemon ") kern.log: <date> 22:43:00 <my-hostname> kernel: [ 16.084525] eth0: no IPv6 routers present syslog: <date> 22:43:00 <my-hostname> kernel: [ 16.084525] eth0: no IPv6 routers present <date> 22:43:01 <my-hostname> ntpdate[1492]: adjust time server 91.189.94.4 offset -0.162831 sec <date> 22:43:08 <my-hostname> acpid: client 969[0:0] has disconnected <date> 22:43:08 <my-hostname> acpid: client connected from 1553[0:0] <date> 22:43:08 <my-hostname> acpid: 1 client rule loaded I have Virtualbox and Truecrypt installed, but I can't think of a reason why they might prevent a graphical login. I'm confused: What is this about requirement "user ingroup nopasswdlogin" not met? I do login using a password, and the password works ok when logging in to a terminal! Can I somehow read the error output, e.g. by delaying it, redirecting it to a file, or having the system prompt me for pressing a key? Has possibly any recent update caused my problem? Should I install the pending updates? How, btw, without access to the graphical UI? I have some working knowledge about the Linux shell, but I'm new to Ubuntu. Any help would be appreciated.

    Read the article

  • Setup for mounting kerberized nfs home directory - gssd not finding valid kerberos ticket

    - by janm
    Our home directories are exported via kerberized nfs, so the user needs a valid kerberos ticket to be able to mount its home. This setup works fine with our existing clients & server. Now we want to add some 11.10 client and thus set up ldap & kerberos together with pam_mount. The ldap authentication works and users can login via ssh, however their homes can not be mounted. When pam_mount is configured to mount as root, gssd does not find a valid kerberos ticket and the mount fails. Nov 22 17:34:26 zelda rpc.gssd[929]: handle_gssd_upcall: 'mech=krb5 uid=0 enctypes=18,17,16,23,3,1,2 ' Nov 22 17:34:26 zelda rpc.gssd[929]: handling krb5 upcall (/var/lib/nfs/rpc_pipefs/nfs/clnt2) Nov 22 17:34:26 zelda rpc.gssd[929]: process_krb5_upcall: service is '<null>' Nov 22 17:34:26 zelda rpc.gssd[929]: getting credentials for client with uid 0 for server purple.physcip.uni-stuttgart.de Nov 22 17:34:26 zelda rpc.gssd[929]: CC file '/tmp/krb5cc_65678_Ku2226' being considered, with preferred realm 'PURPLE.PHYSCIP.UNI-STUTTGART.DE' Nov 22 17:34:26 zelda rpc.gssd[929]: CC file '/tmp/krb5cc_65678_Ku2226' owned by 65678, not 0 Nov 22 17:34:26 zelda rpc.gssd[929]: WARNING: Failed to create krb5 context for user with uid 0 for server purple.physcip.uni-stuttgart.de Nov 22 17:34:26 zelda rpc.gssd[929]: doing error downfall When pam_mount is on the other hand configured with the noroot=1 option, then it cannot mount the volume at all. Nov 22 17:33:58 zelda sshd[2226]: pam_krb5(sshd:auth): user phy65678 authenticated as [email protected] Nov 22 17:33:58 zelda sshd[2226]: Accepted password for phy65678 from 129.69.74.20 port 51875 ssh2 Nov 22 17:33:58 zelda sshd[2226]: pam_unix(sshd:session): session opened for user phy65678 by (uid=0) Nov 22 17:33:58 zelda sshd[2226]: pam_mount(mount.c:69): Messages from underlying mount program: Nov 22 17:33:58 zelda sshd[2226]: pam_mount(mount.c:73): mount: only root can do that Nov 22 17:33:58 zelda sshd[2226]: pam_mount(pam_mount.c:521): mount of /Volumes/home/phy65678 failed So how can we allow users of a specific group to perform nfs mounts? If this does not work, can we make pam_mount use root but pass the correct uid?

    Read the article

  • What are the common pitfalls that would stop Authorised Key SSH access, and how do I find and correct for them?

    - by Ashimema
    EDIT: This question was reworked to make it more useful to the community and less specific to me. Questions seem to come up reasonably often regarding ssh and problems with authorised keys access, but very few seem to have a clear answer anywhere; Server keeps asking for password after I've copied my SSH Public Key to authorized_keys ssh not accepting public key how do I use ssh with key access in 11.10 passwordless ssh not working So, In the communities opinion, what is the tried and tested method for getting to the bottom of such problems?

    Read the article

  • How to mount private network shares on login?

    - by bainorama
    I've read all the existing entries I could find on using pam_mount but none of them seem to work for me. I'm trying to automatically mount shares on my local NAS at user login time. The usernames and passwords on my NAS shares match my local user name and password, but there is no LDAP/AD server. My pam_mount.conf has the following: <volume fstype="cifs" server="bain-brain" path="movies" user="*" sgrp="bains" mountpoint="/home/%(USER)/movies" options="user=%(USER),dir_mode=0700,file_mode=700,nosuid,nodev" /> When I login, I see the following in /var/log/auth.log: Oct 13 10:21:26 bad-lattitude lightdm: pam_mount(misc.c:380): 29 20 0:20 / /home/alastairb/movies rw,nosuid,nodev,relatime - cifs //bain-brain/movies rw,sec=ntlm,unc=\\bain-brain\movies,username=alastairb,uid=1000,forceuid,gid=1000,forcegid,addr=10.1.1.12,file_mode=01274,dir_mode=0700,nounix,serverino,rsize=61440,wsize=65536,actimeo=1 The folder /home/alastairb/movies is present but empty (can't see the files which are on the NAS in the respective share folder). In Nautilus, the share is shown in the sidebar under "Computer", and clicking on this takes me to the correct folder, but again, its empty. Any ideas as to what I'm doing wrong?

    Read the article

  • FreeBSD 8.2 + Apache 2.2 + mod_auth_pam2: unable to authenticate

    - by zneak
    I've installed Apache 2.2 and mod_auth_pam2 from ports, but I can't get local UNIX authentication to work. When I access the protected part of my local website, I do get the authentication request, and with pam_permit.so, it works. However, when I change pam_permit.so to the real thing, pam_unix.so, I get this message in httpd-error.log: [error] PAM: user 'foo' - not authenticated: authentication error This is the relevant part of my Apache config, though I don't think it's the problem as it works with pam_permit.so: <Location /foo> AuthBasicAuthoritative Off AuthPAM_Enabled on AuthPAM_FallThrough off AuthType Basic AuthName "Secret place" Require valid-user </Location> This is my /etc/pam.d/httpd, though I don't think it's the problem either, since it works with pam_permit.so: auth required pam_unix.so account required pam_unix.so So what am I missing? What does it take to have pam_unix.so work for httpd under FreeBSD?

    Read the article

  • Make user home directory at gdm login

    - by Lorenzo
    I'm trying to make home directory at (RADIUS) user gdm login. The auth is working right, but when I try gdm says that the user hasn't a home directory. I tried to do that with pam_mkhomedir.so but is not working. My /etc/pam.d/gdm file: PAM-1.0 auth sufficient pam_radius_auth.so auth sufficient pam_nologin.so auth sufficient pam_env.so readenv=1 auth sufficient pam_env.so readenv=1 envfile=/etc/default/locale auth sufficient pam_succeed_if.so @include common-auth auth optional pam_gnome_keyring.so account sufficient pam_radius_auth.so @include common-account session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close session optional pam_limits.so @include common-session session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open session optional pam_gnome_keyring.so auto_start session required pam_mkhomedir.so skel=/etc/skel umask=0022 @include common-password Thanks

    Read the article

  • Linux (Ubuntu) USB Auth

    - by themicahmachine
    I want to be able to authenticate with PAM using a USB drive with a file on it. I've read about how to do this with a PAM module that reads the specific USB hardware ID of a device, but if the device malfunctions or is lost, there would be no way to authenticate. I would prefer to use the method BitLocker uses, requiring a particular file to be found on the drive in order to authenticate. That way I can keep another drive in a secure location as a backup. Any other suggestions are welcome. I just want to require a higher level of security that just a password.

    Read the article

  • VsFTPd - pam_mkhomedir

    - by Totor
    I am trying to set up a FTP server that authenticates against an LDAP server. This part is done and works. My server is VsFTPd on Ubuntu Server 11.04. But I have to create the home directories for my LDAP users. I am trying to user the pam_mkhomedir module but it is not working: when I add its line to the /etc/pam.d/vsftpd file, my users can not login anymore to the FTP server. The problem is that I have very few information on what is wrong. VsFTPd just responds 530: login incorrect and I could not find a way to get debug or error messages from pam_mkhomedir. Here are my different configuration files. The /etc/pam.d/vsftpd file: auth required pam_listfile.so item=user sense=deny file=/etc/ftpusers onerr=succeed auth required pam_ldap.so account required pam_ldap.so password required pam_ldap.so session optional pam_mkhomedir.so skel=/home/skel debug The /etc/vsftpd.conf file: listen=YES anonymous_enable=NO local_enable=YES write_enable=YES dirmessage_enable=YES use_localtime=YES xferlog_enable=YES connect_from_port_20=YES pam_service_name=vsftpd rsa_cert_file=/etc/ssl/private/vsftpd.pem guest_enable=YES session_support=YES log_ftp_protocol=YES tcp_wrappers=YES Permissions on /home and /home/skel: root@ftp:/home# ls -al total 16 drwxrwxrwx 4 root root 4096 2011-10-11 21:19 . drwxr-xr-x 21 root root 4096 2011-09-27 13:32 .. drwxrwxrwx 2 root root 4096 2011-10-11 19:34 skel drwxrwxrwx 5 foo foo 4096 2011-10-11 21:11 foo root@ftp:/home# ls -al skel/ total 16 drwxrwxrwx 2 root root 4096 2011-10-11 19:34 . drwxrwxrwx 4 root root 4096 2011-10-11 21:19 .. -rwxrwxrwx 1 root root 3352 2011-10-11 19:34 .bashrc -rwxrwxrwx 1 root root 675 2011-10-11 19:34 .profile Yes, I know, permissions are not properly set but security is not the issue here: I first need to get it to work. So, to recapitulate: without pam_mkhomedir my LDAP users can login, but they cannot do anything because they are in an empty chrooted jail. If I add pam_mkhomedir, they cannot login anymore. If anyone has an idea why, or know how to get more information from logs, I would be very grateful, thanks.

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >