Many things could be going on here. First thoughts: yes, pam.d changes take effect immediately /etc/pam.d/common-session is the best place to set a default umask any pam.d umask would get overridden by any entry in .bashrc, but .bashrc only gets read under certain circumstances (interactive, non-login shell) testfile (711) is very strange how is /home … Read more
Running nslcd in debug mode shows the problem: $ $(which nslcd) -d … nslcd: [8b4567] <authc=”user.name”> DEBUG: myldap_search(base=”dc=sub,dc=example,dc=org”, filter=”(&(objectClass=posixAccount)(uid=user.name))”) … nslcd: [8b4567] <authc=”user.name”> DEBUG: ldap_result(): end of results (0 total) nslcd: [8b4567] <authc=”user.name”> DEBUG: “user.name”: user not found: No such object … nslcd sets a filter by default. It’s not possible to remove this filter … Read more
I wrote my own OpenLDAP overlay called shadowlastchange to update the shadowLastChange attribute whenever an EXOP password change occurs. It is activated in slapd.conf: moduleload smbk5pwd moduleload shadowlastchange … database bdb … overlay smbk5pwd overlay shadowlastchange I have configured smb.conf to change passwords via EXOP: ldap passwd sync = Only Then, for each account, set … Read more
Don’t have reputation to add comments, but to debug PAM auth problems you are looking on the wrong side, you need to do that on server side. To do so ssh into the server and run: sshd -d -D -p 4000 That will start an ssh daemon on port 4000 (-p 4000) with debug enabled … Read more
From what I recall loginwindow:login is actually used in spawning the GUI login window, similar to builtin:policy-banner. So it is logical to be spawned before the rest of the actions. So the GUI window is the one that is actually irrelevant/bypassable, not the credentials themselves. What exactly would you like to modify and towards what … Read more
PAM has the ability to restrict access based on an access control list (at least on Ubuntu) which, like kubanskamac’s answer (+1) regards the groups as posix groups, whether they’re stored in LDAP, /etc/group or NIS. /etc/security/access.conf is the access list file. In my file, I put at the end: -:ALL EXCEPT root sysadmin (ssh-users):ALL … Read more
The /etc/pam.d/system-auth file is used by Red-Hat and like systems to group together common security policies. It is often included in other /etc/pam.d policy files where those common policies are required. When accessing a system via ssh through sshd, the /etc/pam.d/sshd policy file is consulted. This file includes /etc/pam.d/system-auth so your changes to /etc/pam.d/system-auth are … Read more
I am very fond of libpam-ldapd, have been using it for a year now in production on quite a few Ubuntu servers. I can recommend it over libpam-ldap. The project is originally called nss-pam-ldapd and on its homepage you can find a list of its biggest advantages over the old libpam-ldap package. Edit: In conjunction … Read more
Generally, password expiration is used to force users to change their passwords. What it sounds like you want to do is to lock the account, which prevents all login. What I would suggest you do instead is, when you create the account, also set up an at job which will lock the account after four … Read more
You need to enable the user to use cron in the login access control table file /etc/security/access.conf Use the following entry which will allow the coins user to run cron jobs: # Allow the coins user to run cron jobs +: coins : cron crond :0 Ensure it is above the last entry: # Deny … Read more