Re: [ossig] single sign-on, SSH, VSFTP trouble

Thank you all for your ideas,

I managed to get vsftpd working, authenticating users via the Win2k3
ADS and local users. Harisfazillah, you managed to light the idea.
Just to share the solution.

replace /etc/pam.d/vsftpd as follows:
=== begin vsftpd ===
#%PAM-1.0
# Reject anyone listed in /etc/vsftpd.ftpusers before any password check.
# onerr=succeed means an unreadable list file does not block logins.
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=succeed
# Hand authentication to the system-auth stack, where the system-wide
# (ADS) authentication modules are configured.
auth       required     pam_stack.so service=system-auth
# Require the user's shell to be listed in /etc/shells.
auth       required     pam_shells.so
account    required     pam_unix.so
password   required     pam_unix.so
# Session setup also goes through system-auth.
session    required     pam_stack.so service=system-auth
=== end vsftpd ===

I made many changes but concluded that the above is the main solution on
an FC2 with SELinux turned on. Apart from that, it is the firewall
settings, so I suggest trying to get vsftpd working without the firewall
first. Read /var/log/messages at each login attempt.

Another thing is to make sure that the krb5 tickets are valid with the
command kinit -5. The worst case is a user not having a valid ticket.

A problem I could not resolve is shown in /var/log/messages, and if
anyone can tell me what the solution is, it is appreciated. It occurred
when someone tried to ftp remotely.

nss_ldap: reconnecting to LDAP server...
nss_ldap: could not search LDAP server - Operations error


On Thu, 2005-11-24 at 15:54, Harisfazillah Jamel wrote:
> OK,
> I remember this problem has something to do with PAM.d.
> Mine is using SuSE Linux 9.1, which uses pam_unix2.so for login.
> This is inside /etc/security/pam_unix2.conf
> auth:   call_modules=winbind use_ldap
> account:        call_modules=winbind use_ldap
> password:       call_modules=winbind use_ldap
> session:        none
> call_modules=winbind,ldap
> I hope you get the idea.
> On 11/18/05, Nicholas A. Suppiah <nicholas@apiit.edu.my> wrote:
>         Yes,
>         it should show the ADS users list but I keep getting the local
>         passwd list. Kerberos is using krb5 1.3.6 packages.
>         I have run the kinit linuxuser@my.domain.com and it validates
>         the password without problems.
>         Users can access my shares with their own login authenticated
>         from ADS.
>         So, I am still missing something in this puzzle. Will keep
>         looking.
> -- 
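
As an added example (not from the original post or from anyone in the thread), the following Python script parses a PAM service file laid out like the one above, including a backslash-continued line, and checks the points the thread turns on: that the auth and session phases are delegated to system-auth (the change that made ADS users authenticate instead of only the local passwd list), that the ftpusers deny list is evaluated first, and that all four management groups are present. It also flags onerr=succeed on pam_listfile as fail-open, because an unreadable /etc/vsftpd.ftpusers then denies nobody. The two configs embedded in it are constructed for the example: one mirrors the posted stack, the other is a pam_unix-only stack of the kind that produces the "only the local passwd list" symptom described further down.

```python
"""Checker for a vsftpd PAM stack (added example, not code from the thread).

Assumes Linux-PAM syntax: '\\' continues a line, '#' starts a comment, and
the FC2-era pam_stack.so service=system-auth or the newer
'include'/'substack' control delegates a phase to /etc/pam.d/system-auth.
"""
import re

SYSTEM_AUTH = "system-auth"
GROUPS = ("auth", "account", "password", "session")

# Constructed copy of the stack posted in the thread, with the pam_listfile
# line wrapped the way it appears in the mail.
THREAD_CONFIG = """\
#%PAM-1.0
auth       required     pam_listfile.so item=user sense=deny \\
           file=/etc/vsftpd.ftpusers onerr=succeed
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_stack.so service=system-auth
"""

# Constructed 'before' stack: every phase handled by pam_unix.so alone, so
# the AD-aware modules configured in system-auth never run for FTP logins.
LOCAL_ONLY_CONFIG = """\
auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd.ftpusers onerr=fail
auth       required     pam_unix.so
account    required     pam_unix.so
password   required     pam_unix.so
session    required     pam_unix.so
"""

# group, control (plain word or [bracketed action list]), module, arguments
_RULE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)")


def parse_pam(text):
    """Return a list of {group, control, module, args} dicts, one per rule."""
    rules = []
    for raw in text.replace("\\\n", " ").splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = _RULE.match(line)
        if not m:
            raise ValueError(f"unparseable PAM line: {raw!r}")
        group, control, module, rest = m.groups()
        args = {}
        for tok in rest.split():
            key, _, val = tok.partition("=")
            args[key] = val if val else True  # bare flags become True
        rules.append({"group": group.lower(), "control": control.lower(),
                      "module": module, "args": args})
    return rules


def delegates_to_system_auth(rule):
    """True if this rule hands its phase to the system-auth stack."""
    if rule["module"] == "pam_stack.so":
        return rule["args"].get("service") == SYSTEM_AUTH
    return rule["control"] in ("include", "substack") and rule["module"] == SYSTEM_AUTH


def check_vsftpd_stack(text):
    """Return {'errors': [...], 'warnings': [...]} for a vsftpd PAM file."""
    rules = parse_pam(text)
    errors, warnings = [], []
    by_group = {g: [r for r in rules if r["group"] == g] for g in GROUPS}

    for g in GROUPS:
        if not by_group[g]:
            errors.append(f"no rules for the {g} phase")

    auth = by_group["auth"]
    deny = [i for i, r in enumerate(auth)
            if r["module"] == "pam_listfile.so" and r["args"].get("sense") == "deny"]
    if not deny:
        errors.append("no pam_listfile sense=deny rule: the ftpusers list is not enforced")
    else:
        rule = auth[deny[0]]
        if deny[0] != 0:
            warnings.append("ftpusers deny list is not the first auth rule")
        if rule["args"].get("onerr") == "succeed":
            warnings.append("pam_listfile onerr=succeed is fail-open: an unreadable "
                            f"{rule['args'].get('file')} silently disables the deny list")

    if auth and not any(delegates_to_system_auth(r) for r in auth):
        errors.append("auth does not delegate to system-auth: the AD-aware modules "
                      "configured there never run, so only local passwd users log in")
    if by_group["session"] and not any(delegates_to_system_auth(r) for r in by_group["session"]):
        errors.append("session does not delegate to system-auth")
    if not any(r["module"] == "pam_shells.so" for r in auth):
        warnings.append("pam_shells.so absent: users whose shell is not in /etc/shells are not rejected")

    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for name, cfg in (("posted", THREAD_CONFIG), ("local-only", LOCAL_ONLY_CONFIG)):
        result = check_vsftpd_stack(cfg)
        print(f"{name}: {len(result['errors'])} error(s), {len(result['warnings'])} warning(s)")
        for sev in ("errors", "warnings"):
            for msg in result[sev]:
                print(f"  [{sev[:-1]}] {msg}")
```

Run it as-is to see the posted stack pass with only the fail-open warning and the local-only stack fail on both delegation checks; point check_vsftpd_stack at the contents of a real /etc/pam.d/vsftpd to lint a live box. Changing onerr=succeed to onerr=fail closes the fail-open gap at the cost of blocking all FTP logins if the list file goes missing, which is the trade-off the warning is meant to surface.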
