# PAM/LDAP problem (getent shadow only shows local) [Solved]

## volumen1

I'm trying to debug why my pam_ldap and nss_ldap setup isn't working.  My ldap directory is set up and I can query the directory with ldapsearch all the live long day.  No problem.  I also have system-auth in /etc/pam.d configured properly, I believe.  I say that because if I do

```
getent passwd
```

or

```
getent group
```

I can see my entries from LDAP in there.  However a

```
getent shadow
```

only shows my entries from /etc/shadow

What's odd is that (while I am root) I can su - to one of the ldap users, but I get this error

```
# su - ldapuser

su: Authentication service cannot retrieve authentication info.

(Ignored)

ldapuser@machine ~ $
```

However, when I attempt to SSH as that user, I get the following

```
sshd(pam_unix)[9055]: check pass; user unknown

sshd(pam_unix)[9055]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host

sshd[9050]: error: PAM: Authentication service cannot retrieve authentication info. for ldapuser from remote-host
```

If I attempt to SSH as that same user, only with a wrong password, I see this:

```
sshd(pam_unix)[9087]: check pass; user unknown

sshd(pam_unix)[9087]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host

sshd[9087]: pam_ldap: error trying to bind as user "uid=ldapuser,ou=Users,dc=domain,dc=com" (Invalid credentials)

sshd[9050]: error: PAM: Authentication failure for ldapuser from remote-host
```

I think that "su - ldapuser" when performed as root is working because it doesn't have to check shadow.  Can someone with a working pam/ldap setup tell if me "getent shadow" returns your LDAP user information?  I want to make sure I'm not going down the wrong track here.

----------

## UberLord

*volumen1 wrote:*

> I can see my entries from LDAP in there.  However a
> ...

Odd - mine only shows LDAP entries

*Quote:*

> What's odd is that (while I am root) I can su - to one of the ldap users, but I get this error
> ...

I get the same error when postfix starts on the LDAP box (I believe it tries to su to the postgres user)

So we have the same error, but the other way around if you will.

However, I can do everything for LDAP users - ssh, mail, etc

----------

## volumen1

Hmm... I like your problem better.  Let's trade!   :Wink: 

Does your "getent passwd" and "getent group" show both LDAP and local?

----------

## UberLord

yes

----------

## volumen1

Ah ha!  I found the problem.  None of my users had the "shadowAccount" object class.  I added it to them and now they show up in "getent shadow".  What's better is that I can now ssh to the box as the ldap user.  Hoo ah!

As to your problem.  I'm wondering (since you are using LDAP as a backend) do you even have an /etc/shadow file?

----------
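Editor's note (added diagnostic, not a command from anyone in this thread): the symptom volumen1 hit, LDAP users visible in `getent passwd` but absent from `getent shadow`, can be checked in two places: the NSS view on the host, and the directory entries themselves. The script below is an added example, not the poster's or the nss_ldap project's own code. It assumes a POSIX sh with awk; the `ou=Users,dc=example,dc=com` subtree and the user names in the embedded sample LDIF are constructed placeholders, not the poster's directory. The first function lists login names that NSS returns from passwd but not from shadow; the second reads LDIF (for example `ldapsearch` output) and reports every posixAccount entry that lacks the shadowAccount object class, which is exactly the condition found in the thread.

```shell
#!/bin/sh
# Added diagnostic for the symptom in this thread (not the poster's commands):
# LDAP users appear in `getent passwd` but not in `getent shadow`, which in the
# thread turned out to mean the entries lacked the shadowAccount object class.
# Assumptions: POSIX sh with awk; the LDAP names below are placeholders.

# 1. Login names present in passwd-format text ($1) but absent from
#    shadow-format text ($2). The first colon-separated field is the name.
missing_from_shadow() {
    {
        printf '%s\n' "$2" | awk -F: 'NF { print "S", $1 }'
        printf '%s\n' "$1" | awk -F: 'NF { print "P", $1 }'
    } | awk '$1 == "S" { seen[$2] = 1; next }
             $1 == "P" && !($2 in seen) { print $2 }'
}

# 2. Given LDIF on stdin, e.g. from
#    ldapsearch -x -b ou=Users,dc=example,dc=com '(objectClass=posixAccount)' objectClass
#    print the dn of every posixAccount entry that has no shadowAccount class.
#    Folded continuation lines (leading space) are unfolded; base64 "dn::"
#    values are not decoded and are printed as-is.
ldif_missing_shadow_account() {
    awk '
        function flush() {
            if (dn != "" && posix && !shadow) print dn
            dn = ""; posix = 0; shadow = 0
        }
        function handle(line) {
            if (line == "") { flush(); return }          # blank line ends an entry
            if (line ~ /^#/) return                      # ldapsearch comment lines
            if (tolower(line) ~ /^dn: /) dn = substr(line, 5)
            else if (tolower(line) == "objectclass: posixaccount") posix = 1
            else if (tolower(line) == "objectclass: shadowaccount") shadow = 1
        }
        /^ / { buf = buf substr($0, 2); next }           # unfold continuation line
        { if (started) handle(buf); buf = $0; started = 1 }
        END { if (started) handle(buf); flush() }
    '
}

# Constructed sample directory content (placeholder names): alice is complete,
# bob lacks shadowAccount, and the group entry must not be reported.
SAMPLE_LDIF='dn: uid=alice,ou=Users,dc=example,dc=com
objectClass: posixAccount
objectClass: shadowAccount
uid: alice

dn: uid=bob,ou=Users,dc=example,dc=com
objectClass: posixAccount
uid: bob

dn: cn=staff,ou=Groups,dc=example,dc=com
objectClass: posixGroup
'

# Runs the LDIF check over the constructed sample; prints bob's dn only.
check_sample() {
    printf '%s' "$SAMPLE_LDIF" | ldif_missing_shadow_account
}

# On a live host, compare the two NSS databases. Shadow entries are only
# readable as root, so an unprivileged run would list every user as missing.
if command -v getent >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    echo "users in passwd but not in shadow:"
    missing_from_shadow "$(getent passwd)" "$(getent shadow)"
fi
```

Run the script as root on the host to see the NSS comparison, and pipe real `ldapsearch` output into `ldif_missing_shadow_account` to find the entries that need the object class added. A name that shows up in the first list but whose entry passes the second check points at nss_ldap configuration rather than the directory data.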

