# [SOLVED] pam_ldap and sshd/postgresql problem

## qubix

Hi

I've set up a nice NT domain server using gentoo+samba+openldap with net-nds/smbldap-tools.

Users can log on from Windows, change their passwords, roaming profiles work, everything is nice.

Since I've got OpenLDAP set up, I wanted to use it some more. The problem is that not all of the users can log onto sshd and postgresql on the server. Both apps use PAM as their backend. In PostgreSQL's pg_hba.conf I've got:

```
host    gpm2007     all         192.168.0.0/24         pam system-auth
```

my /etc/pam.d/system-auth is as follows:

```
auth       required     pam_env.so debug
auth       sufficient   pam_unix.so likeauth nullok debug
auth       sufficient   pam_ldap.so use_first_pass debug
auth       required     pam_deny.so

account    sufficient   pam_ldap.so debug
account    required     pam_unix.so debug

password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 debug
password   sufficient   pam_ldap.so use_authtok use_first_pass debug
password   required     pam_unix.so nullok md5 shadow use_authtok debug
password   required     pam_deny.so

session    required     pam_limits.so debug
session    required     pam_unix.so debug
session    optional     pam_ldap.so debug
```

The problem is that user "kulesza" can log on to sshd and postgres, and marlena cannot. Both have very similar OpenLDAP contents, and I can see no difference that would explain the strange behaviour:

```
togusa ~ # smbldap-usershow marlena
dn: uid=marlena,ou=Users,dc=XXX,dc=pl
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: Marlena XXX
sn: marlena
uid: marlena
uidNumber: 1042
gidNumber: 513
homeDirectory: /home/marlena
loginShell: /bin/bash
gecos: Marlena XXX
description: Marlena XXX
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
displayName: Marlena Demianska-Plewa
sambaSID: S-1-5-21-4205727931-XXX-1851132061-3084
sambaPrimaryGroupSID: S-1-5-21-4205727931-XXX-1851132061-513
sambaLogonScript: logon.bat
sambaProfilePath: \\TOGUSA\profiles\marlena
sambaHomePath: \\TOGUSA\marlena
sambaHomeDrive: H:
sambaAcctFlags: [U]
userPassword: {MD5}XXX
sambaPwdMustChange: 2147483647
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdCanChange: 1199260351
sambaLMPassword: XXX
sambaNTPassword: XXX
sambaPwdLastSet: 1199260351

togusa ~ # smbldap-usershow kulesza
dn: uid=kulesza,ou=Users,dc=XXX,dc=pl
objectClass: top,inetOrgPerson,posixAccount,shadowAccount,sambaSamAccount
cn: XXX Kulesza
sn: kulesza
uid: kulesza
uidNumber: 1013
gidNumber: 513
homeDirectory: /home/kulesza
loginShell: /bin/bash
gecos: XXX Kulesza
description: XXX Kulesza
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
displayName: Jerzy Kulesza
sambaSID: S-1-5-21-4205727931-XXX-1851132061-3026
sambaPrimaryGroupSID: S-1-5-21-4205727931-XXX-1851132061-513
sambaLogonScript: logon.bat
sambaProfilePath: \\TOGUSA\profiles\kulesza
sambaHomePath: \\TOGUSA\kulesza
sambaHomeDrive: H:
sambaPwdCanChange: 1198757603
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaLMPassword: XXX
sambaAcctFlags: [U]
sambaNTPassword: XX
sambaPwdLastSet: 1199179970
sambaPwdMustChange: 1203067970
userPassword: {MD5}XXX
```

I've replaced some of the data in the dumps with XXX.

The results in /var/log/everything/current are:

```
Jan  3 09:13:30 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=kulesza
Jan  3 09:13:30 [sshd] Accepted keyboard-interactive/pam for kulesza from 127.0.0.1 port 43823 ssh2
Jan  3 09:13:30 [sshd(pam_unix)] session opened for user kulesza by (uid=0)

(and the user is logged on via ssh)

Jan  3 09:13:45 [sshd(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost  user=marlena
Jan  3 09:13:45 [sshd] pam_ldap: error trying to bind as user "uid=marlena,ou=Users,dc=XXX,dc=pl" (Invalid credentials)
Jan  3 09:13:46 [sshd] error: PAM: Authentication failure for marlena from localhost

(and although I provide a correct password, the user cannot log on)
```

Passwords in both cases were set up using Windows ctrl-alt-del -> change password.

Any suggestions? Maybe I could post some more dumps that would shed some more light on the case?

----------

## qubix

Got it solved. Maybe someone googles it some day in the future...

The problem was that, for some reason, some of the OpenLDAP userPassword attributes were hashed with MD5 and some with SSHA. The ones that had SSHA worked well, the ones with MD5 did not. I have reconfigured smbldap-tools to always store passwords with SSHA hashing and it works now.

Took me two bloody months to figure that out... I guess I'm getting old.

----------
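A check for exactly the situation qubix describes, as an added example that is not part of the thread: it parses OpenLDAP userPassword values, reports which hash scheme ({MD5}, {SSHA}, ...) each entry in a dump uses, and verifies a candidate password against the stored value, so a pam_ldap bind failure can be traced to the stored hash instead of guessed at. The sample entries, the salt and the password "Winter2008" are constructed, not taken from the thread.

```python
import base64, hashlib, hmac, os, re

def parse_userpassword(value):
    """Return (scheme, digest, salt) for an OpenLDAP userPassword value."""
    m = re.match(r"^\{([A-Za-z0-9]+)\}(.*)$", value)
    if not m:                                  # no {SCHEME} prefix: cleartext
        return "CLEARTEXT", value.encode(), b""
    scheme, raw = m.group(1).upper(), base64.b64decode(m.group(2))
    dlen = {"SSHA": 20, "SMD5": 16}.get(scheme, len(raw))  # salted: digest+salt
    return scheme, raw[:dlen], raw[dlen:]

def verify_userpassword(candidate, value):
    """True if candidate hashes to the stored value under its own scheme."""
    scheme, digest, salt = parse_userpassword(value)
    pw = candidate.encode()
    if scheme in ("SSHA", "SHA"):
        calc = hashlib.sha1(pw + salt).digest()
    elif scheme in ("SMD5", "MD5"):
        calc = hashlib.md5(pw + salt).digest()
    elif scheme == "CLEARTEXT":
        calc = pw
    else:
        raise ValueError("unsupported userPassword scheme: " + scheme)
    return hmac.compare_digest(calc, digest)

def make_ssha(password, salt=None):
    """Build a {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def audit_schemes(ldif_text):
    """Map uid -> userPassword scheme so mixed MD5/SSHA entries stand out."""
    result, uid = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("uid: "):
            uid = line[5:].strip()
        elif line.startswith("userPassword:") and uid:
            value = line.split(":", 1)[1]
            if value.startswith(":"):          # "userPassword:: <b64>" LDIF form
                value = base64.b64decode(value[1:]).decode()
            result[uid] = parse_userpassword(value.strip())[0]
    return result

# Constructed sample in the shape of smbldap-usershow output (not real data).
SAMPLE_LDIF = "\n".join(["uid: marlena",
    "userPassword: {MD5}" + base64.b64encode(hashlib.md5(b"Winter2008").digest()).decode(),
    "uid: kulesza", "userPassword: " + make_ssha("Winter2008", b"salt")])
```

Running `audit_schemes` over a full `ldapsearch`/`smbldap-usershow` dump lists every account still carrying an {MD5} value, which is the set to re-hash after switching smbldap-tools to SSHA.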

