Solved

Users can't log on to server from telnet terminal emulator

Posted on 2006-12-01
Last Modified: 2011-09-20
Hello Experts,

I am primarily a Windows administrator, but I have one Linux application server.  I am very new to Linux.

My Linux server is RH ES4.  For authentication purposes, I have configured samba and winbind to have the system emulate a server joined to my domain.  I used the procedure linked below:

http://www.enterprisenetworkingplanet.com/netos/article.php/3487081
http://www.justlinux.com/forum/showthread.php?t=118512
http://kbase.redhat.com/faq/FAQ_71_2338.shtm

Now I can open a console on the server and su to a Windows user.  The problem is that we use a telnet terminal emulator, and my logins (root or otherwise) are refused.

Any Ideas?
Question by:starmonkey
13 Comments

Expert Comment by:joshmia2001, ID: 18057953
Well, I haven't read any of the links you provided, and the answers to my questions for you could very well be in them, but I will ask them anyway...
Ok, I read some of it and have a little better understanding of what you are trying to do..
So here are some questions..
Did you perform any of the tests mentioned in the documentation along the way?  These tests usually reveal a breakdown in the process and the problem can be worked out through these tests.
The next question..  Can you be a little more specific in how your logins are refused?  Are you getting these messages from /var/log/messages?  Are you getting a "Connection refused" error before you can even connect?
If you are connecting, and attempting to log in and actually get a login prompt, then you are having PAM authentication problems.  Which wouldn't be all that strange considering most distros I have seen these days do not use Telnet; they use SSH by default.  So you will have to install and configure telnet from the ground up in most cases.
So if you are seeing "Connection refused" when you try and connect to the server in question, this wouldn't surprise me either, as again most distros kill telnet by default because it's extremely insecure.
To check to see if telnet is even installed, execute ( rpm -qa | grep telnet ). You should see the telnet package pop up; if not, you need to install it.  If it is, make sure it's set to start with the system..
Execute ( chkconfig --list | grep telnet ) <-- That may be for SUSE; it's been a long time since I have touched Red Hat, so if that fails, execute ( /etc/init.d/telnetd status ). That should come back and say "Running.. <pid>"; if it doesn't, it will say stopped.  If it isn't there then telnetd isn't installed correctly.
Try posting your exact error output, as anyone here guessing is useless unless they have gone through what you are going through now.

Joshua McDowell

Author Comment by:starmonkey, ID: 18058026
I performed the tests, they ran as expected.

I am getting a login prompt.  The error is "Login incorrect"

I have been googling and suspect it is a PAM authentication issue.

Telnet wasn't configured as you suggested, so I configured it.  I can check the services through the GUI and can see it running.

I will post the logs in a bit...

Expert Comment by:joshmia2001, ID: 18058067
Again, just skimming over your documentation I see that it uses Kerberos and LDAP.  I would have to assume then that it doesn't use PAM, and if it does, PAM interacts with Kerberos and LDAP in some way.  The most likely cause would be that Kerberos and/or LDAP or both are unable to connect to ( I assume ) your Active Directory service.  On the same note, I must assume you are using LDAP to authenticate, and just running a script to keep LDAP up2date with your Active Directory users, as last I checked Kerberos couldn't talk to an Active Directory server.
So you should be hitting telnet; telnet uses Kerberos to talk to LDAP and then sends back a yes or a no.  You are keeping your Active Directory users in sync in some other way?
The most likely scenario is that communication between Kerberos qne

Expert Comment by:joshmia2001, ID: 18058075
Ignore the last comment, mistake..

Again, just skimming over your documentation I see that it uses Kerberos and LDAP.  I would have to assume then that it doesn't use PAM, and if it does, PAM interacts with Kerberos and LDAP in some way.  The most likely cause would be that Kerberos and/or LDAP or both are unable to connect to ( I assume ) your Active Directory service.  On the same note, I must assume you are using LDAP to authenticate, and just running a script to keep LDAP up2date with your Active Directory users, as last I checked Kerberos couldn't talk to an Active Directory server.
So you should be hitting telnet; telnet uses Kerberos to talk to LDAP and then sends back a yes or a no.  You are keeping your Active Directory users in sync in some other way?
The most likely scenario is that communication between Kerberos and LDAP is breaking down.  Check your configs for host names vs IPs.  A lot of times someone will place a domain name in place of an IP and it doesn't resolve because there is no real DNS server that resolves internal host names..
Just some suggestions..
Post your ldap config and your telnet config if you could.

Joshua McDowell

Author Comment by:starmonkey, ID: 18058167
I can query AD from the Linux box, I just can't log in through telnet with an AD account.  I can log into the console as root, and successfully su to an AD user account.  Doesn't this mean Kerberos is successfully talking to AD via LDAP?

Could you tell me the path to the configs you are asking for?  I also do not know which logs in /var/log I should be looking at.


Author Comment by:starmonkey, ID: 18058196
This may help:  I am trying to log in with ssh using putty.
I can log in as root fine, but I get an "access denied" with the AD user.
Once again, once I get in as root, I can su - to the AD user.

Accepted Solution by:joshmia2001 (earned 500 total points), ID: 18059136
So it's been a long time since I have used Red Hat, so I can try and point you in the right direction for config files.
Go to your /etc dir and execute the following commands.
find . -name "sshd*"
find . -name "telnet*"
find . -name "ldap*"

That should reveal where everything is at in regard to configs.
Ssh should be /etc/ssh/sshd_config
and telnet should be like sshd except telnetd..  Again those commands should reveal their locations.
The log files you want to look at..
/var/log/messages
/var/log/secure
/var/log/dmesg
Any of those 3 log files could have information you need.  If you are at the console you can hit ctrl-alt-f7 to get out of X without killing it.  Then hit alt-f9 or alt-f12.  One of those should give you the "live" version of the log files screen where you can actually watch in real time what happens when you are trying to log in.
Another way is to log into a shell through X or just the terminal..  execute tail -f -n 30 /var/log/messages and then try and log in.  Again you should see in real time the failures that occur when you try and log in.

Joshua McDowell

Author Comment by:starmonkey, ID: 18064069
/var/log/dmesg does not exist.

Results below for the other 2: Windows user "ITAdmin" logging into LinuxSrvNm via ssh (putty) from WindosWkstnNm (192.168.0.50) on domain.com:
/var/log/messages
Dec  3 10:39:42 LinuxSrvNm sshd(pam_unix)[6252]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=WindosWkstnNm.domain.com  user=ITAdmin
/var/log/secure
Dec  3 10:48:10 LinuxSrvNm sshd[6297]: Failed password for ITAdmin from ::ffff:192.168.0.50 port 2093 ssh2

Kerberos problem?  All the tests came out OK.

Expert Comment by:joshmia2001, ID: 18064089
Well, I believe you said you could log in locally?  This would seem to point to an SSH config problem.  Could you post your sshd config file?  Ssh uses its own login stuff.

Joshua

Author Comment by:starmonkey, ID: 18070082
Actually, I can only log on the console as root.  I can't log in with an AD account.

Below is sshd_config (comments removed):

SyslogFacility AUTHPRIV
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
X11Forwarding yes
Subsystem

Expert Comment by:joshmia2001, ID: 18070108
I will read more of the documentation that you used.  I am willing to bet you either have to have the same unix user, or you just need a one line config change somewhere.  I don't think it would be in sshd_config anymore though.  It would be in pamd.conf or something of the like.  I will get back to you as soon as I can.

Joshua

Author Comment by:starmonkey, ID: 18070478
Thank you.
I re-read my earlier post about logging in locally;  I'll clarify:

I can log in locally as root.  Open a console (as root) then use the command:

su - <AD Domain account>

this switches the console session to the AD user as expected.  Likewise, I can ssh as root and use su - <AD Domain account> and "become" the user.

The reason that seems important is I am never prompted for a password with su (because I am root?  I just don't know linux security that well).  The point is that it is the password authentication that is failing.

The good news is that the box is set up to run with an AD user (because I can su to that user); I just can't quite authenticate.

I know this can be done without having to have the same user on the linux box (or so I have read), and I think you are right in that it is probably one or 2 lines somewhere.

Author Comment by:starmonkey, ID: 18072872
Finally!

I backed up my config files and ran authconfig and set winbind authentication, now everything works.

I'm awarding the points to you for getting me going in the right direction.  Thanks!
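The thread's own evidence explains the fix: the `/var/log/messages` line shows `sshd(pam_unix)` rejecting the domain user, i.e. only the local password module was consulted, and `authconfig` with winbind enabled resolves that by adding `pam_winbind.so` to the PAM stack. The following is an added diagnostic example, not code from the thread; the log line and the two `/etc/pam.d/system-auth` fragments are constructed, and the module paths and ordering are assumptions modelled on the RHEL 4 layout.

```python
import re

# Constructed log line in the shape of the /var/log/messages entry posted above.
SAMPLE_LOG = ("Dec  3 10:39:42 LinuxSrvNm sshd(pam_unix)[6252]: authentication failure; "
              "logname= uid=0 euid=0 tty=ssh ruser= rhost=WindosWkstnNm.domain.com  user=ITAdmin")

# Constructed /etc/pam.d/system-auth fragments before and after `authconfig` enables
# winbind.  The $ISA paths and ordering are assumptions, not copied from a real server.
PAM_BEFORE = """\
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so
"""
PAM_AFTER = """\
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_winbind.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so
account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_winbind.so
"""

# Matches "service(pam_module)[pid]: authentication failure; ... user=NAME".
LOG_RE = re.compile(r"(\w+)\((pam_\w+)\)\[\d+\]: authentication failure;.*user=(\S+)")

def failing_module(line):
    """Return (service, pam_module, user) from a PAM authentication-failure line, else None."""
    m = LOG_RE.search(line)
    return m.groups() if m else None

def pam_stack(config_text):
    """Map each PAM facility (auth, account, ...) to its [(control, module)] entries."""
    stack = {}
    for raw in config_text.splitlines():
        parts = raw.split()
        if raw.startswith("#") or len(parts) < 3:
            continue
        stack.setdefault(parts[0], []).append((parts[1], parts[2].rsplit("/", 1)[-1]))
    return stack

def winbind_enabled(config_text):
    """True when both the auth and account facilities consult pam_winbind.so."""
    stack = pam_stack(config_text)
    return all(any(mod == "pam_winbind.so" for _, mod in stack.get(fac, []))
               for fac in ("auth", "account"))

def diagnose(log_line, config_text):
    """Tie the log line to the PAM stack: domain user rejected by pam_unix, winbind absent."""
    found = failing_module(log_line)
    if found and found[1] == "pam_unix" and not winbind_enabled(config_text):
        return "pam_unix rejected %s and pam_winbind.so is missing from the stack" % found[2]
    return "PAM stack consults winbind; check krb5.conf, smb.conf and winbindd instead"
```

`diagnose(SAMPLE_LOG, PAM_BEFORE)` reports the missing winbind module, while the same log line against `PAM_AFTER` points the investigation elsewhere; `su` from root never exercised the auth stack, which is why it worked all along.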