I'm trying to configure my system to allow me to login (ssh) to a local account on a host (Ubuntu 16.04) with public key authentication, even if/when the LDAP server is down.
This is a cloud image, so the user I need locally is ubuntu. This user doesn't have a password (and I don't want to set one for security). Only public key auth should be allowed on this user.
This user has UID 1001 and all my LDAP users have UID numbers >= 2000.
I've been trying stuff all day (such as pam_succeed_if.so and pam_localuser).
Now getent passwd ubuntu works fine and returns the local passwd line. But ssh refuses like so:
Sep 6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Sep 6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: failed to bind to LDAP server ldaps://ldap.domain.tld: Can't contact LDAP server
Sep 6 17:27:43 ip-10-99-0-241 sshd[24895]: nss_ldap: reconnecting to LDAP server...
And then eventually it fails with "Authentication failed."
/etc/nsswitch.conf
passwd: compat [success=return] ldap
group: compat [success=return] ldap
shadow: compat [success=return] ldap
/etc/pam.d/common-account
account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
# NOTE: These two won't work - fatal: Access denied for user <ldap user> by PAM account configuration [preauth]
#account sufficient pam_localuser.so
#account sufficient pam_succeed_if.so uid <= 500 quiet
account [success=1 default=bad success=ok user_unknown=ignore] pam_ldap.so
account requisite pam_deny.so
account required pam_permit.so
account required pam_krb5.so minimum_uid=2000
/etc/pam.d/common-auth
auth [success=3 default=ignore] pam_krb5.so minimum_uid=2000 ignore_root
auth [success=2 default=ignore] pam_unix.so nullok_secure try_first_pass
auth [success=1 default=ignore] pam_ldap.so use_first_pass ignore_unknown_user ignore_authinfo_unavail
# NOTE: Can't login with this (changed the success above)!
#auth requisite pam_succeed_if.so uid >= 500 quiet
auth requisite pam_deny.so
auth required pam_permit.so
/etc/ldap.conf
bind_timelimit 10
pam_min_uid 2000
nss_initgroups_ignoreusers ubuntu,local
nss_reconnect_tries 2
nss_reconnect_sleeptime 1
nss_reconnect_maxsleeptime 8
nss_reconnect_maxconntries 2
(I tried using the pre and code blocks, but SOF refused to let me post then, so sorry if this looks horrible - if anyone with admin rights can go in and fix, please do.)
Rereading the man page for nsswitch.conf gave me this:
return
The key words here are this part: "the configuration file does not contain the initgroups line, the next lookup function is always called".
As in, if I added the line
initgroups: files
I can now login to the ubuntu user, even when the LDAP server is down!
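As an added check (not part of the original post), this shell function audits an nsswitch.conf for the pitfall described above: a group database that falls through to ldap with no initgroups line of its own, which is what kept the local ubuntu user's login blocked while LDAP was unreachable. The sample configs it runs against are constructed, not the poster's live files.

```shell
#!/bin/sh
# Audit an nsswitch.conf for the initgroups fallback: when "group:" lists
# ldap and there is no "initgroups:" line, glibc still calls the ldap module
# for initgroups lookups, so a purely local user hangs on a dead LDAP server.
# Returns 0 when the file is safe, 1 when it is at risk.
check_initgroups_fallback() {
    conf="$1"
    # Drop comments, then pick the first "group:" and "initgroups:" entries.
    group_line=$(sed -e 's/#.*//' "$conf" | grep -E '^[[:space:]]*group:' | head -n 1)
    initgroups_line=$(sed -e 's/#.*//' "$conf" | grep -E '^[[:space:]]*initgroups:' | head -n 1)

    case "$group_line" in
        *ldap*) group_uses_ldap=1 ;;
        *)      group_uses_ldap=0 ;;
    esac

    if [ "$group_uses_ldap" -eq 1 ] && [ -z "$initgroups_line" ]; then
        echo "AT RISK: $conf: group uses ldap but has no initgroups line; add 'initgroups: files'"
        return 1
    fi
    echo "OK: $conf: initgroups line present or group does not use ldap"
    return 0
}

# Constructed sample configs (hypothetical, for a stand-alone run).
broken=$(mktemp); fixed=$(mktemp)
cat >"$broken" <<'EOF'
passwd: compat [success=return] ldap
group: compat [success=return] ldap
shadow: compat [success=return] ldap
EOF
cat >"$fixed" <<'EOF'
passwd: compat [success=return] ldap
group: compat [success=return] ldap
shadow: compat [success=return] ldap
initgroups: files
EOF
check_initgroups_fallback "$broken" || true   # reports AT RISK
check_initgroups_fallback "$fixed"            # reports OK
rm -f "$broken" "$fixed"
```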