Linux Forums - Linux Help,Advice & support community:LinuxSolved.com
Network Troubleshooting => Linux Servers Support => Topic started by: tina on April 16, 2010, 06:19:11 AM
-
Hi Dear,
I have configured an LDAP server on RHEL 5.2. On the client side, where I also have Linux, no client is able to change its password.
Any client can log in with the password provided by root, but is unable to change it after logging in.
E.g., [lclient] /home/user1 > ldappasswd -x -S user1, or simply using the passwd command and the ldappasswd command.
Help.....
Tina
-
Try using the normal passwd command instead of ldappasswd.
Steps:
1. Log in to the client with the username
2. passwd { it prompts for the old LDAP passwd and the new one }
Please note that you may get an insufficient privileges or "Server is unwilling to perform" error. To get rid of this, try adding the following entry at the top of the /etc/pam.d/passwd file and try changing the password again using the passwd command.
/etc/pam.d/passwd
password sufficient pam_ldap.so
-
Thanks for the reply....
I am using SLC-4.6 on the client side, just like RHEL. I made the entry in /etc/pam.d/sshd on the client side but it did not work. Following is the problem:
[lclient] /ldaphome/client1 > passwd
W: you do not appear to have a valid Kerberos5 TGT and haven't given a username
W: will try to use your current user name 'client1'.
W: if this is wrong or fails, please run "kinit" before trying to change your password
W: or
W: explicitly specify the username, like 'kpasswd username@CERN.CH'
I: New password activation may take up to 30 seconds.
Please provide first your old/current password, then the new password twice.
/usr/kerberos/bin/kpasswd: Cannot resolve network address for KDC in requested realm getting initial ticket
My /etc/pam.d/system-auth file on the client side has the following entries:
auth required pam_env.so
auth sufficient pam_unix.so
auth sufficient pam_ldap.so likeauth nullok use_first_pass
auth required pam_deny.so
account sufficient pam_unix.so
account sufficient pam_ldap.so use_first_pass
account required pam_deny.so
password required pam_cracklib.so retry=3 minlen=2 dcredit=0 ucredit=0
password sufficient pam_unix.so nullok use_authtok md5 shadow
password sufficient pam_ldap.so
password required pam_deny.so
session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
session required pam_limits.so
session required pam_unix.so
session optional pam_ldap.so
Any suggestions... Thanks in advance
-
This is weird. Why is it asking for Kerberos auth? Are you running Kerberos integrated with LDAP? It shouldn't be the case if only LDAP is running. I believe you have a Kerberos server too, otherwise it wouldn't ask you for a TGT for Kerberos.
-
Well, I have not configured Kerberos on the client machine, but this is happening on the SLC-4.6 flavour.
After that I configured one client machine with RHEL-5.2 and now the client is able to change its password.
And I have not made any changes in the /etc/pam.d/system-auth or /etc/pam.d/sshd files either.
What's the problem with SLC-4.6? Let's see....
Any suggestions... :)
-
I have never worked with SLC. Moreover, you are able to change the password once you installed RHEL5.2, as you already have the following entry in your PAM configuration file.
password sufficient pam_ldap.so
-
Thanks a lot. I am still working on it. If I find a solution, I will post it.
-
Not sure, but how are you trying to configure the client? Are you doing it from authconfig? Make sure to disable TLS/SSL or Kerberos authentication.
Also check your /etc/nsswitch.conf file.
Anyway, share here once you find the solution.
-
OK. SLC has customized its PATH environment variable. When we use the /usr/bin/passwd command from the client side, the client is able to change its password, and it is prompted for the old LDAP password.
-
Ah okay, that means you have to give the absolute (complete) path name rather than a relative one?
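-
Added example, not part of the original thread: the resolution above was that a bare passwd did not resolve to /usr/bin/passwd because of the customized PATH. This shell sketch lists every passwd on PATH in lookup order, reports whether /usr/bin/passwd is shadowed, and checks that a PAM file's password stack references pam_ldap.so. The function names are hypothetical; the file paths are the ones named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): find out what a bare "passwd" really runs.

# List every executable named $1 on a PATH-style string ($2, default $PATH),
# in lookup order. The first line printed is what the shell would execute.
path_candidates() {
    cmd=$1 search=${2:-$PATH} old_ifs=$IFS
    IFS=:
    for dir in $search; do
        [ -n "$dir" ] || dir=.   # an empty PATH element means the current dir
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
        fi
    done
    IFS=$old_ifs
}

# Args: command, expected absolute path, optional PATH-style string.
# Returns 0 if the first match is the expected binary, 1 if another file
# shadows it, 2 if the command is not found at all.
check_shadowed() {
    first=$(path_candidates "$1" "${3:-$PATH}" | head -n 1)
    if [ -z "$first" ]; then echo "$1: not found"; return 2; fi
    if [ "$first" = "$2" ]; then echo "OK: $1 -> $2"; return 0; fi
    echo "SHADOWED: $1 -> $first (expected $2)"
    return 1
}

# Succeeds if the "password" stack of PAM file $1 references pam_ldap.so.
# Scans fields 3..NF so a bracketed control value does not hide the module.
pam_password_uses_ldap() {
    awk '$1 == "password" {
             for (i = 3; i <= NF; i++)
                 if ($i ~ /(^|\/)pam_ldap\.so$/) found = 1
         }
         END { exit !found }' "$1"
}

# Live check on this host.
check_shadowed passwd /usr/bin/passwd || true
if [ -r /etc/pam.d/system-auth ]; then
    if pam_password_uses_ldap /etc/pam.d/system-auth; then
        echo "password stack includes pam_ldap.so"
    else
        echo "password stack has no pam_ldap.so"
    fi
fi
```

A SHADOWED result means the PAM configuration is never consulted by the command users type, so the wrapper has to be bypassed with the absolute path or the PATH order corrected before debugging pam_ldap.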