I need to get inside pam to find out why dovecot (which authenticates with pam) is causing problems for an account. Basically the account is being told it has expired, and I have no idea how to change this. I think pam uses ldap from what the old admin has passed on to me, however his english is difficult to read.
I have worked out the console based ldap administration tools well, and I simply don't see any data that could be used to set an expiry. It might be more complicated.
I know nothing about pam!
[root@pusa3 ~]# cat /etc/pam.d/dovecot
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
[root@pusa3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
password requisite /lib/security/$ISA/pam_cracklib.so retry=3
password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
password required /lib/security/$ISA/pam_deny.so
session required /lib/security/$ISA/pam_limits.so
session required /lib/security/$ISA/pam_unix.so
session optional /lib/security/$ISA/pam_ldap.so
I'm going to man authconfig.
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
Looks like you have it set up to allow login to your system or applications (including dovecot) using your local UNIX system account/password OR your ldap passwd. You should be able to use either. So I would be curious if you set the user's local UNIX password (# passwd username) whether they can log in. Then it's a question of changing their ldap password. It's very late and I have to crash, but I'll dig deeper into the ldap pam module tomorrow. I've not personally used ldap for authentication directly, so I would have to dig a little on the ldap module.
Found a couple of docs:
http://ldots.org/ldap/
http://imaginator.com/~simon/ldap/
http://mleahu.web.cern.ch/mleahu/doc/un ... 0Linux.htm
http://www.howtoforge.com/linux_ldap_authentication
How do your users currently change their LDAP passwords?
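To see why the "either local OR ldap" reading of the stack above holds, and why a failure in the first `required` module sticks no matter what pam_ldap says afterwards, here is a small model of how Linux-PAM walks the `account` lines of the system-auth file posted earlier. This is an added example, not code from the thread or from Linux-PAM; it keeps the ok/done/bad/die/ignore semantics from pam.conf(5) but leaves out the dispatcher's jump/reset handling, and the module return values fed to it are assumed scenarios, not real results.

```python
"""Toy model of how Linux-PAM walks the "account" stack in the thread's
system-auth file.  Added example: not the thread's code and not Linux-PAM
source; it keeps the ok/done/bad/die/ignore semantics of pam.conf(5) but
omits the dispatcher's jump/reset handling.
"""

# The account lines from the thread's /etc/pam.d/system-auth, verbatim.
SYSTEM_AUTH_ACCOUNT = """
account required /lib/security/$ISA/pam_unix.so broken_shadow
account sufficient /lib/security/$ISA/pam_localuser.so
account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
account required /lib/security/$ISA/pam_permit.so
"""

# Keyword controls expanded to the bracket form they are equivalent to
# (see pam.conf(5)).  Any return value not listed falls through to "default".
KEYWORD_CONTROLS = {
    "required":   {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
    "optional":   {"success": "ok", "new_authtok_reqd": "ok", "default": "ignore"},
}


def parse_control(text):
    """Turn 'required' or '[default=bad success=ok ...]' into a return->action map."""
    if text.startswith("[") and text.endswith("]"):
        table = {}
        for token in text[1:-1].split():
            retval, action = token.split("=", 1)
            table[retval] = action
        table.setdefault("default", "bad")
        return table
    return KEYWORD_CONTROLS[text]


def parse_stack(text):
    """Parse pam.d lines into [(control_map, module_name), ...], keeping file order."""
    stack = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("#"):
            continue
        # A bracketed control contains spaces, so gather tokens up to the ']'.
        i = 1
        control_tokens = [tokens[i]]
        while control_tokens[0].startswith("[") and not control_tokens[-1].endswith("]"):
            i += 1
            control_tokens.append(tokens[i])
        module = tokens[i + 1].rsplit("/", 1)[-1]   # drop /lib/security/$ISA/
        stack.append((parse_control(" ".join(control_tokens)), module))
    return stack


def evaluate(stack, results):
    """Walk the stack with each module's (simulated) return value; give the final result."""
    impression = None        # None until a module counts, then "ok" or "bad"
    status = "success"
    for control, module in stack:
        retval = results.get(module, "service_err")
        action = control.get(retval, control["default"])
        if action == "ignore":
            continue
        if action in ("ok", "done"):
            if impression is None:
                impression, status = "ok", retval
            if action == "done" and impression == "ok":
                return status      # "sufficient" short-circuits only while no failure is pending
        elif action in ("bad", "die"):
            if impression is None or (impression == "ok" and status == "success"):
                impression, status = "bad", retval   # the first failure is what the caller sees
            if action == "die":
                return status
    return status if impression is not None else "perm_denied"


STACK = parse_stack(SYSTEM_AUTH_ACCOUNT)


def thread_case():
    """Assumed scenario matching the symptom: pam_unix sees an expired local account, LDAP is fine."""
    return evaluate(STACK, {
        "pam_unix.so": "acct_expired", "pam_localuser.so": "success",
        "pam_succeed_if.so": "auth_err", "pam_ldap.so": "success", "pam_permit.so": "success"})


def healthy_local_user():
    """Assumed scenario: local user, nothing expired; pam_localuser ends the walk early."""
    return evaluate(STACK, {"pam_unix.so": "success", "pam_localuser.so": "success"})


def ldap_only_user(ldap_result):
    """Assumed scenario: user not in /etc/passwd, so the bracketed pam_ldap line decides."""
    return evaluate(STACK, {
        "pam_unix.so": "success", "pam_localuser.so": "auth_err",
        "pam_succeed_if.so": "auth_err", "pam_ldap.so": ldap_result, "pam_permit.so": "success"})


if __name__ == "__main__":
    print("thread case        :", thread_case())
    print("healthy local user :", healthy_local_user())
    print("LDAP user, ok      :", ldap_only_user("success"))
    print("LDAP user, expired :", ldap_only_user("acct_expired"))
```

The `thread_case` walk is the one worth reading: `pam_unix` is `required`, so its `acct_expired` is recorded first, the later `sufficient pam_localuser` success cannot override a pending failure, and `pam_ldap` returning success only adds an `ok` that is ignored once the impression is already negative. That is why changing the LDAP password alone cannot clear an expiry that lives in the local shadow entry.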
Currently they use "User Manager for Domains" which is some tool for Windows XP that does not like samba.
He can still login to the NT domain but for some reason according to PAM, which dovecot uses, his account has expired. Samba uses ldap for authentication.
Changing the password with passwd does not seem to help either. Dovecot tells the IMAP clients that the password is incorrect, and tells /var/log/messages the account has expired...
Jun 30 12:15:00 pusa3 dovecot(pam_unix)[22296]: account master.yi has expired (account expired)
It looks like his local Linux accounts are set up for password expiration and this account's password has expired. Not the ldap account but the local /etc/passwd account. I would assume if you tried to log directly into the Linux box as that user you would not be allowed because his password has expired.
What does the output of this give you:
# passwd -S username
Have you tried resetting his local password?
# passwd username
You might also have to unlock the account:
# passwd -u username
If that indeed is what the problem is you would probably want to turn off password expiration since you are using ldap passwords. What does this user's entry look like in /etc/shadow? See this:
http://db.ilug-bom.org.in/Documentation ... rmats.html
and this:
http://tldp.org/HOWTO/Shadow-Password-HOWTO-7.html
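When you look at the user's line in /etc/shadow as suggested above, the thing to decide is which of its numeric fields pam_unix is tripping over: the account expiry date in field 8, or the password-aging fields (last change in field 3, max days in field 5, inactivity in field 7). The following is an added example, not code from the thread or from pam_unix; it parses shadow-format lines and applies the checks in the order Linux-PAM's check_shadow_expiry() does, over constructed sample entries whose hashes are placeholders, evaluated on the date of the log line in the thread.

```python
"""Classify /etc/shadow entries the way pam_unix's account check does, so you
can tell an expired account (field 8) from an expired password (fields 3, 5, 7).
Added example: not the thread's code and not pam_unix source; the order of the
checks follows Linux-PAM's check_shadow_expiry(); sample lines are constructed
and their password hashes are placeholders.
"""
from datetime import date

EPOCH = date(1970, 1, 1)

# shadow(5): name:hash:lastchg:min:max:warn:inact:expire:flag, days since 1970-01-01.
# An empty numeric field means "not set", which libc reports as -1.
FIELDS = ("name", "hash", "lastchg", "min", "max", "warn", "inact", "expire", "flag")


def days_since_epoch(d):
    return (d - EPOCH).days


def parse_shadow_line(line):
    parts = line.rstrip("\n").split(":")
    parts += [""] * (len(FIELDS) - len(parts))     # tolerate short lines
    entry = dict(zip(FIELDS, parts))
    for key in ("lastchg", "min", "max", "warn", "inact", "expire"):
        entry[key] = int(entry[key]) if entry[key].strip() else -1
    return entry


def check_shadow_expiry(entry, today):
    """Return (pam_result, reason) for one parsed entry on day number 'today'."""
    lastchg, maxd, inact, expire = entry["lastchg"], entry["max"], entry["inact"], entry["expire"]
    if expire > 0 and today >= expire:
        # pam_unix logs "account X has expired (account expired)" for this case
        return "acct_expired", "account expiry date (field 8) has passed"
    if lastchg == 0:
        return "new_authtok_reqd", "password change forced (last-change day is 0)"
    if lastchg > 0 and maxd >= 0 and inact >= 0 and today >= lastchg + maxd + inact:
        # pam_unix logs "account X has expired (failed to change password)" here
        return "authtok_expired", "password expired and inactivity grace period used up"
    if lastchg > 0 and maxd >= 0 and today >= lastchg + maxd:
        return "new_authtok_reqd", "password older than max days; must be changed at login"
    return "success", "no aging or expiry condition hit"


def audit(shadow_text, today):
    """Map each user to its result; handy over a copied-out shadow file."""
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines() if l.strip())
    return {e["name"]: check_shadow_expiry(e, today)[0] for e in entries}


# Constructed sample entries (hashes are placeholders), evaluated on 2007-06-30,
# the date of the dovecot(pam_unix) log line quoted in the thread.
SAMPLE_SHADOW = """\
alice:$1$PLACEHOLDER:13500:0:99999:7:::
bob:$1$PLACEHOLDER:13500:0:99999:7::13600:
carol:$1$PLACEHOLDER:13500:0:90:7:::
dave:$1$PLACEHOLDER:13500:0:90:7:30::
erin:$1$PLACEHOLDER:0:0:99999:7:::
"""
TODAY = days_since_epoch(date(2007, 6, 30))

if __name__ == "__main__":
    for name, result in audit(SAMPLE_SHADOW, TODAY).items():
        print(f"{name:6s} {result}")
```

Only `bob`, whose field 8 is set to a day already in the past, produces the `(account expired)` wording; `carol`, `dave` and `erin` fail on password aging instead and are what `passwd username` alone would fix. `chage -l username` prints the same fields in readable form; `chage -E -1 username` clears the account expiry date and `chage -M -1 username` removes the maximum password age, which is the "turn off expiration" step the reply above recommends for accounts whose real password lives in LDAP.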