LDAP login works via terminal, but doesn't work via GUI [closed] - linux
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 4 years ago.
Improve this question
Please if you could give me some advice of what I'm doing wrong you would make me very happy. I've been struggling with this with no luck and I'm kinda desperate.
I've got a virtual machine with an LDAP Server installed on Windows Xp. It's Apache Directory Studio.
Then I've got another virtual machine with Xubuntu on it. I want it to authenticate to Apache Directory Studio.
The two machines can see each other and do ping correctly.
Server part (Windows XP with Apache Directory Studio LDAP Server):
The server is working great, I did a domain on it dc=mydomain,dc=com with two ou's on it, ou=People and ou=Groups.
Did some posixAccounts and some posixGroup. Chose high uid numbers (2000 onwards) to avoid conflict.
All ok on server side.
Client part (Xubuntu):
Entered as root.
Did:
apt-get install libnss-ldap
Configured ip of my LDAP server (checked it, it's "pingable").
Then entered my domain, for example: dc=mydomain,dc=com.
Then chose the LDAP version my server is running:
Then chose "yes" to "make local root database admin".
Chose "no" to "does the LDAP database require login?".
Then chose the login of the admin of the LDAP Server and it's password. This is 100% confirmed to be true and the actual login, checked it in Apache Directory Studio and verified it many times.
Set the password encryption system to "clear".
Ok, I know that Apache Directory Studio is listening 10389 instead of 389, so I go to /etc/ldap.conf and change manually the port from 389 to 10389 (389 is the default and the GUI doesn't let change you).
Then IT WORKS, but only via terminal, if I do
su testuser
It works, because I got that user ONLY in LDAP server, when I test with other users it doesn't work. The same goes for getent passwd testuser.
Then I want to do graphical login, I close the session, enter credentials and it doesn't work. It works in the terminal, but with GUI don't, oh God, WHY?
PS: Did apt-get install nscd (as worked for someone) but didn't work out for me.
PS2: Thanks in advance for your time and patience, and for considering this question (it is not strict programming question).
PS3: I created the /home/testuser directory, it's not failing because of this, because it still fails to login to LDAP via GUI (but works via terminal).
Your problem is GDM Try following
Automatically create home folders
Just edit /etc/pam.d/common-session by hand and adding the following line before any pam_ldap and pam_krb5 settings:
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
make sure you have gdm entry in /etc/security/group.conf
and following line in /etc/pam.d/gdm
auth optional pam_group.so
For users who login using X /etc/pam.d/gdm has to be modified so GDM will use LDAP.
Something like:
auth sufficient pam_ldap.so
auth required pam_nologin.so
auth required pam_env.so
auth required pam_unix_auth.so
account sufficient pam_ldap.so
account required pam_unix_acct.so
password required pam_ldap.so
session sufficient pam_ldap.so
session required pam_unix_session.so
You should be able to perform a
getent passwd
Form the command line and display if the users are being returned from the LDAP server.
All the users from the /etc/passwd and the users from LDAP should be displayed.
Too late answer but might help others as i got through this.
In the terminal use
sudo nano /etc/pam.d/common-auth
add these lines at the bottom auth required pam_access.so
and in this file sudo nano /etc/security/access.conf
add this line -:ALL EXCEPT root (admin):ALL EXCEPT LOCAL at the bottom
For more info: Authenticate Client Computers Using LDAP
Thanks.
I had a same issue and none of above answers solved it .This are config done by me on Ubuntu 18.04 and on kali as well
Steps we need to follow are as follows
Install libpam-ldap / libnss-ldap
Ubuntu:
apt-get install libpam-ldap
kali Linux:
apt-get install libpam-ldap libnss-ldapd
Configure ldap settings
dpkg-reconfigure libpam-ldap
do all setting as yes and local database creation : yes
base : ou-People,dc=sqtk,dc=team
root dn : dc=admin,dc=sqtk,dc=team
every option asked should be yes (store database on local yes and specify ldap admin username and password )
for database stuff use admin user only
Change /etc/nsswitch.conf to let passwd , group , shadow to use ldap and netgroup to nis
/etc/nsswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
gshadow: files
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
NOTE : Change netgroup to nis(network information system) this signifies that the groups are also
fetched from netgroup from nis so in below step we do group mapping (My assumption , dont question it, it worked)
Now we can verify whether we can connect to ldap server by using below command
ldapsearch -x -W -D 'cn=ldaptest,ou=People,dc=sqtk,dc=team' -b "" -s base
3.We need to set to create a home dir as soon as users logs in this is achieved by using pam_mkhomedir.so (verify if it is present by doing a find find / -name pam_mkhomedir.so if not present then install it should be present by default)
3.1 Currently when we run command
pam-auth-config
we dont see a option for mkhomedir (make home directory which is neccessary as user logs in)
3.2 to get this option we need to create a file /usr/share/pam-configs/mkhomedir if not present with following content
content :
Name: activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
required pam_mkhomedir.so umask=0022 skel=/etc/skel
3.3 Now if we run command
pam-auth-config
we see option for mkhomedir so we need to select it as well (we select option by using a space on keyboard )
3.4 To verify whether mkhomedir is set we can cat /etc/pam.d/common-session file and see a entry as below (dont edit the file manually try and use pam-auth-update only ) It will have a entry as below
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
ldap domain to group mapping
4.1 we need to do a domain mapping with the ldap group tehnical this mapping is nothing but we mapping ldap group name to group id of ldap in local .
I faced a issue where in i used to get the group id i.e > 500 of ldap group on local system but somehow system was not able to fetch the group name for the given id so i did below config
4.2 To assign local groups to a domain (ldap) user do the following edit /etc/security/group.conf and add something like the following to it
*;*;*;Al0000-2400;audio,cdrom,dialout,floppy
4.3 In order to get the pam_group module working you could create a file like /usr/share/pam-configs/my_groups:
Name: activate /etc/security/group.conf
Default: yes
Priority: 900
Auth-Type: Primary
Auth:
required pam_group.so use_first_pass
Now we activate it by running
pam-auth-update
This roughly equals editing /etc/pam.d/common-auth by hand and adding the following line before any pam_ldap and pam_krb5 settings:
auth required pam_group.so use_first_pass
IMPORTANT # You should now have local groups showing up for users logging in via gdm and ssh and can
# verify this by # executing id or groups.
4.4 Now we need to verify whether we get just the group name and id use below command
getent group
If command doent work or display verify whether you can connect to ldap server
you can also verify whether we can fetch user from ldap by firing below command
getent passwd
id <username in ldap>
Again if anyone of the above commands doesnt perform as accepted then verify whether we can connect to ldap successfully use below command
ldapsearch -x -W -D 'cn=bumbum,ou=People,dc=sqtk,dc=team' -b "" -s base
-W == prompt for password
-D == User to validate
Ldap Group to be given sudo access
Give sudo access to the group that are present on ldap and are make sure user are part of the same group with whom you are login
visudo
% ALL=(ALL) ALL
if group name is ldaptest then below line needs to be added
%ldaptest ALL=(ALL) ALL
You should be able to login from desktop as well as terminal
(Note : for above things to works install libnss-ldapd package for kali Linux only then it works )
Related
pam_mkhomedir.so does not create home directories on CentOs?
I'm configuring a linux cluster (CentOS 7.2) and I'm trying to login against LDAP. My LDAP server is configured and runs correctly, both LDAP users and groups appear when I get the list throw getent passwd / getent group, and logins are possible by SSH with LDAP users. id ldapuser returns the expected ldapuser information. My problem is when I do login, the home directory is not created. I edited the file /etc/pam.d/system-auth to add the following line: session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 but no success. I tried to restart nslcd, the O.S, ... , but nothing worked. I can't see what I am missing... Thanks for your help!
I executed authconfig --enablemkhomedir --update on each machine and it worked
How to secure the default apache karaf installation
Following Christian Schneider's blog post, How to hack into any default apache karaf installation, I checked to see if my default Karaf installation (4.0.5) is insecure: Some simple steps to check if your karaf installations is open. Check the "etc/org.apache.karaf.shell.cfg" for the attribute sshPort. Note this port number. By default it is 8101 Do "ssh -p 8101 karaf#localhost". Like expected it will ask for a password. This may also be dangerous if you do not change the default password but is quite obvious. Now just do bin/client -a 8101. You will get a shell without supplying a password. If this works then your server is vulnerable As expected. It is vulnerable. So I tried to secure it following the instructions as described: How to secure your server? Simply remove the public key of the karaf user in the "etc/keys.properties". Unfortunately this will stop the bin/client command from working. Also make sure you change the password of the karaf user in "etc/users.properties". I shut down the Karaf server using the halt command. Then I changed the karaf password in etc/users.properties and deleted the file etc/keys.properties. Then I started the server again with bin/karaf. Then in a new terminal I tested to see if the installation was secure by trying to ssh into the server. I validated that ssh login now requires the newly configured password. Finally, I tried using the bin/client -a 8101 command. At this point, as explained in the blog post, I expected the command to fail: Unfortunately this will stop the bin/client command from working. I noticed after running bin/client -a 8101 there is a new file etc/host.key that either bin/client or the container itself auto generated. Rather than failing the command succeeded and I was presented with the Karaf console. Does this means the container is still vulnerable to this attack vector?
No. The modifications described in the OP (changing the default password in etc/users.properties and deleting etc/keys.properties) secures the container from that specific attack vector. According to the discussion on the Karaf users mailing list concerning this stack overflow question: By default bin/client tries (in this order) to use: etc/keys.properties etc/users.properties karaf/karaf -u to prompt for the password bin/client is an SSH client (written in Java). The host.key is the same file as for SSH and containing the trusted hosts (you also have .sshkaraf/known_hosts for that). The section quoted from the blog in the OP is out dated: Unfortunately this will stop the bin/client command from working.
Passwordless SSH error while Installing the Big Insight
I am getting below error while installing BigInsight in my Linux machine (RedHat 6.6). Kindly help me how to resolve this. [ERROR] Prerequisite check - Failed to use given credentials to access nodes.Either provide root password during add node or make sure BI admin user exists on new nodes and passwordless ssh is setup from management node to new nodes that are being added. Please revisit Secure Shell page from installer UI or SSH section in response file to make sure all prerequisites are satisfied, then re-run the command.
Execute the following as root on the server and rerun ssh-keygen -t rsa ( leave blanks at all prompts ) cat /root/.ssh/*.pub >> /root/.ssh/authorized_keys then try root#localhost , this should not ask you for a password.
What user will Ansible run my commands as?
Background My question seems simple, but it gets more complex really fast. Basically, I got really tired of maintaining my servers manually (screams in background) and I decided it was time to find a way to make being a server admin much more liveable. That's when I found Ansible. Great huh? Sure beats making bash scripts (louder scream) for everything I wanted to automate. What's the problem? I'm having a lot of trouble figuring out what user my Ansible playbook will run certain things as. I also need the ability to specify what user certain tasks will run as. Here are some specific use cases: Cloning a repo as another user: My purpose with this is it run my node.js webapp from another user, who we'll call bill (that can only use sudo to run a script that I made that starts the node server, as opposed to root or my user that can use sudo for all commands). To do this, I need the ability to have Ansible's git module clone my git repo as bill. How would I do that? Knowing how Ansible will gain root: As far as I understand, you can set what user Ansible will connect to the server you're maintaining by defining 'user' and the beginning of the playbook file. Here's what I don't understand: if I tell it to connect via my username, joe, and ask it to update a package via the apt module, how will it gain root? Sudo usually prompts me for my password, and I'd prefer keeping it that way (for security). Final request I've scoured the Ansible docs, done some (what I thought was thorough) Googling, and generally just tried to figure it out on my own, but this information continues to elude me. I am very new to Ansible, and while it's mostly straight-forwards, I would benefit greatly if I could understand exactly how Ansible runs, on which users it runs, and how/where I can specify what user to use at different times. Thank you tons in advance
You may find it useful to read the Hosts and Users section on Ansible's documentation site: http://docs.ansible.com/playbooks_intro.html#hosts-and-users In summary, ansible will run all commands in a playbook as the user specified in the remote_user variable (assuming you're using ansible >= 1.4, user before that). You can specify this variable on a per-task basis as well, in case a task needs to run as a certain user. Use sudo: true in any playbook/task to use sudo to run it. Use the sudo_user variable to specify a user to sudo to if you don't want to use root. In practice, I've found it easiest to run my playbook as a deploy user that has sudo privileges. I set up my SSH keys so I can SSH into any host as deploy without using a password. This means that I can run my playbook without using a password and even use sudo if I need to. I use this same user to do things like cloning git repos and starting/stopping services. If a service needs to run as a lower-privileged user, I let the init script take care of that. A quick Google search for a node.js init.d script revealed this one for CentOS: https://gist.github.com/nariyu/1211413 Doing things this way helps to keep it simple, which I like. Hope that helps.
My 2 cents: Ansible uses your local user (eg Mike) to ssh to the remote machine. (That required Mike to be able to ssh to the machine) From there it can change to a remote user if needed It can also sudo if needed and if Mike is allowed. If no user is specified then root will be selected via your ~/.ansible.cfg on your local machine. If you supply a remote_user with the sudo param then like no.3 it will not use root but that user. You can specify different situations and different users or sudo via the playbooks. Playbook's define which roles will be run into each machine that belongs to the inventory selected. I suggest you read Ansible best practices for some explanation on how to setup your infrastructure. Oh and btw since you are not referring to a specific module that ansible uses and your question is not related to python, then I don't find any use your question having the python tag.
Just a note that Ansible>=1.9 uses privilege escalation commands so you can execute tasks and create resources as that secondary user if need be: - name: Install software shell: "curl -s get.dangerous_software.install | sudo bash" become_user: root https://ansible-docs.readthedocs.io/zh/stable-2.0/rst/become.html
I notice current answers are a bit old and suffering from link rot. Ansible will SSH as your current user, by default: https://docs.ansible.com/ansible/latest/user_guide/intro_getting_started.html#connecting-to-remote-nodes Ansible communicates with remote machines over the SSH protocol. By default, Ansible uses native OpenSSH and connects to remote machines using your current user name, just as SSH does. This can be overridden using: passing the -u parameter at the command line setting user information in your inventory file setting user information in your configuration file setting environment variables But then you must ensure a route exists to SSH as that user. An approach to maintaining user-level ownership I see more often is become (root) and then to chown -R jdoe:jdoe /the/file/path. In my 2.12 release of ansible I found the only way I could change the user was by specifying become: yes as an option at the play level. That way I am SSHing as the unprivileged, default, user. This user must have passwordless sudo enabled on the remote and is about the safest I could make my VPS. From this I could then switch to another user, with become_user, from an arbitrary command task. Like this: - name: Getting Started gather_facts: false hosts: all become: yes # All tasks that follow will become root. tasks: - name: get the username running the deploy command: echo $USER become_user: trubuntu # From root we can switch to trubuntu. If the user permitted SSH access to your remote is, say, victor, and not your current user, then remote_user: victor has a place at the play level, adjacent to become: yes.
Updating WordPress with SSH (Cent OS)
I am new to SSH and Linux and I hope someone can help. I am working on a site with a dedicated server (VPS) and I am also working with WordPress. I used SSH to log into the site's files with Cyberduck (I've also used FileZilla successfully) and install WordPress on the server. The problem I'm having now is that I can't edit or add any plugins or files on WordPress because WordPress doesn't have access to the site's FTP which is standard. It asks for credentials and when I attempt to enter them into the WordPress dashboard, it doesn't work. There is an option for FTP and there is an option for FTPS (SSL). I know these are different than SSH but I tried the SSH credentials anyway and obviously they didn't work. I then logged into the SSH through Mac Terminal and did the instructions here: 1. Login as root through SSH. 2. Next add the user account you want using the 'useradd' command useradd <username> 3. Now create a special group for that user. groupadd <groupname> 4. Now to add the user to the group gpasswd -a <username> <groupname> 5. Change the group ownership of the special directory to that group. chgrp -R groupname /path/to/your/web/directory 6. Enable write permissions chmod -R g+rw /path/to/your/web/directory And it worked. I was able to add a new user (and I could confirm this by looking at the /etc/passwd file). I then logged out and tried to log in with Cyberduck using the new credentials and setting it to FTP (instead of SSH) and it didn't work. It did however work to log in with SSH with the new user credentials. So it seems I can successfully add a new SSH user but not a new FTP user. I need the user to be FTP so I can hook WordPress up and begin editing. How do I specific the user to be FTP as opposed to SSH? Thanks for any help!
I've found an answer to my question and figured I'd document here for anyone else who runs across this issue. It's surprisingly easy. Just go to this link and download the plug-in: http://wordpress.org/plugins/ssh-sftp-updater-support/ You obviously have to upload this straight into your WordPress directory in the SFTP (/wp-content/plugins) in order for it to work correctly since it won't work from within the WordPress dashboard. Once those files are there, when WordPress prompts you to login to your 'FTP' it will have an option for SSH which you can select and log-in. Voila!