# Need help with pam_ldap and console/SSH logins [SOLVED]

## mocsokmike

I have a working LDAP server, used for Samba authentication. I have all my users here, in LDAP.

I have another server running Samba, configured to use the LDAP backend.

It works.

Now I would like to enable some LDAP users to log in via SSH to the Samba server, and I cannot get this to work.

Using getent I see the LDAP users on the other server:

```
getent passwd | grep admin
admin:x:1344:513:System User:/home/users/admin:/bin/bash

getent shadow | grep admin
admin:*:16115::45::::
```

When I try to log in via SSH to the Samba server, using an LDAP user and its correct password I get "access denied" and syslog shows this:

```
error: PAM: Authentication failure for admin from MY_IP
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_IP user=admin
```

When I do the same and type a wrong password, I get this:

```
error: PAM: Authentication failure for admin from MY_IP
pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=MY_IP user=admin
pam_ldap: error trying to bind as user "uid=admin,ou=Users,dc=domain,dc=com" (Invalid credentials)
```

From this I suspect that the LDAP authentication works. Still, I cannot log in either via console or via SSH.

Some relevant config files:

/etc/pam.d/system-auth

```
auth            required        pam_env.so
auth            required        pam_unix.so try_first_pass likeauth nullok
auth            sufficient      pam_ldap.so use_first_pass

account         required        pam_unix.so
account         sufficient      pam_ldap.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass

session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
#session        required        pam_mkhomedir.so skel=/etc/skel/ umask=0
session         optional        pam_ldap.so
```

/etc/pam.d/sshd

```
auth            include         system-remote-login
account         include         system-remote-login
password        include         system-remote-login
session         include         system-remote-login
```

/etc/pam.d/system-remote-login

```
auth            include         system-login
account         include         system-login
password        include         system-login
session         include         system-login
```

/etc/pam.d/system-login

```
auth            required        pam_tally2.so onerr=succeed
auth            required        pam_shells.so
auth            required        pam_nologin.so
auth            include         system-auth

account         required        pam_access.so
account         required        pam_nologin.so
account         include         system-auth
account         required        pam_tally2.so onerr=succeed

password        include         system-auth

session         optional        pam_loginuid.so
session         required        pam_env.so
session         optional        pam_lastlog.so silent
session         include         system-auth
session         optional        pam_motd.so motd=/etc/motd
session         optional        pam_mail.so
```

I admit I am no expert in PAM. I have a feeling that I made a stupid mistake somewhere, but I have not been able to find it for hours now. Please help!

----------

## Darknight

I have "sufficient" on the second line of /etc/pam.d/system-auth and SSH works; try that.

----------

## mocsokmike

That was it! Thanks a lot!

----------

## Darknight

Essentially, you were requiring that the user existed in both LDAP and the local system.

----------

## mocsokmike

It seems logical to me now.

Now I understand PAM's behavior a bit more; this was a good lesson.

----------
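The control-flag semantics behind Darknight's fix, as an added example that is not part of any post in this thread: a toy Python model of how Linux-PAM walks an `auth` stack (only the classic required/requisite/sufficient/optional flags; pam_env is left out because its auth hook does not vote), run over the poster's stack and the fixed one. The account data and the always-passing `pam_nologin` stand-in are constructed for the demo, and the trailing `pam_deny.so` line is the one distribution stacks append after `sufficient` modules, not a line from the poster's config.

```python
# Toy model of how Linux-PAM walks an `auth` stack (required, requisite,
# sufficient, optional). Added example, not from any post in this thread;
# the account data is constructed.
LDAP_USERS = {"admin": "ldap-secret"}    # 'admin' exists only in LDAP
LOCAL_USERS = {"root": "local-secret"}   # 'root' exists only in /etc/shadow

def pam_nologin(user, password):  # stands in for required checks such as
    return True                   # pam_nologin/pam_shells that normally pass
def pam_unix(user, password):
    return LOCAL_USERS.get(user) == password
def pam_ldap(user, password):
    return LDAP_USERS.get(user) == password
def pam_deny(user, password):
    return False

def run_auth(stack, user, password):
    """Return 'granted' or 'denied' the way libpam's dispatcher would."""
    positive = False   # some required/requisite/optional module succeeded
    failed = False     # a required/requisite module failed
    for control, module in stack:
        ok = module(user, password)
        if control in ("required", "requisite"):
            if ok:
                positive = True
            else:
                failed = True               # result is now fixed, but the
                if control == "requisite":  # walk continues unless requisite
                    break
        elif control == "sufficient":
            if ok and not failed:
                return "granted"  # success with no earlier required failure
            # a failing sufficient module is ignored; the walk continues
        elif control == "optional":
            positive = positive or ok
        else:
            raise ValueError(f"unknown control flag {control}")
    # libpam's final sanity check: no positive impression means failure
    return "granted" if positive and not failed else "denied"

# The poster's stack: pam_unix is 'required', so an LDAP-only user is
# denied even though pam_ldap accepted the password.
ORIGINAL = [("required", pam_nologin), ("required", pam_unix),
            ("sufficient", pam_ldap)]
# Darknight's fix plus the trailing pam_deny that distribution stacks add:
# a failing sufficient module is ignored, so without it a wrong password
# falls through to pam_nologin's success.
FIXED = [("required", pam_nologin), ("sufficient", pam_unix),
         ("sufficient", pam_ldap), ("required", pam_deny)]
FIXED_NO_DENY = FIXED[:-1]
```

Running `run_auth(FIXED_NO_DENY, "admin", "wrong")` against `run_auth(FIXED, "admin", "wrong")` shows why the final `required pam_deny.so` matters once both password modules are `sufficient`.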

