Local FTP users don't work but AD auth'd FTP users do?

Posted on 2011-04-28
Last Modified: 2012-06-27
When I try to use a local Red Hat Linux account on the server to FTP, I am getting this error:

request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER

AD winbind users work just fine...

PLEASE HELP pleeeease thx so much
Question by:jandersonwidener

    Author Comment

    I verified my local user by

    first creating a brand new account
    adduser -c -m testaccount

    # su - testaccount
    $ whoami
    $ pwd

    then did a passwd on it just to be sure I have the right password...

    passwd testaccount
    changed successfully

    then did a chmod -R /home/testaccount

    and it still doesn't work?

    I've found documentation to tinker with
    /etc/pam.d/system-auth but I didn't really wanna mess with that since I wasn't masterful of it
    please help

    Author Comment

    vi /etc/group seems to list them fine at the bottom of the list in their independent isolated user group


    this is outside the user group I've configured for remote AD winbind authentication that still does work, thank goodness...



    Expert Comment

    Which FTP server are you using?

    You can tell vsftp to authorize LDAP users while disallowing local users.

    That should be configured at the FTP server, not on PAM.

    Author Comment

    I want most all to auth through AD... but there are some that still need to auth locally...
    maybe that's not through vsftp... not sure what to check
    I need testaccount to auth locally not thru AD
    thoughts ?

    >>which FTP server are you using?
    not sure what you mean .. the end user ftp client software ?
    server side I think vsftp (that service IS running) but how do I tell for sure...


    Accepted Solution

    to see the ftp server you are running, log in as root preferably to your linux server, and then issue this command:

    ps -eF | grep -v grep | grep ftp

    and post the result here please

    Author Comment

    I got this back

    /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

    so PAM isn't the problem then since AD users are working... I don't want to touch it in fear those users' authentication would break.

    so now turning solely to vsftp, but what to look for in my RHEL 5 system?

    Assisted Solution

    Two files need to be modified.

    First on /etc/vsftpd.conf
       uncomment or add this line
       # Uncomment this to allow local users to log in.

    Second on /etc/pam.d/vsftpd
       the file should look like:
       session    optional    force revoke
       auth       required item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
       auth       required
       auth       include      system-auth
       account    include      system-auth
       session    include      system-auth
       session    required

    Back up your files before any modification. Then, if you want, check your files against this and post them here.

    Author Comment

    all those settings read exactly the way you have them uncommented and in order line by line ...

    was ok before I saw it worked like last month not sure what changed :(


    Author Comment

    I tried rebuilding the accounts and nothing seems to work...
    traversing logs next for specific error code :(

    Assisted Solution

    Ok that information is something we needed to know.

    the log should be located at /var/log/vsftpd.log

    could you restart the service, try to log-in and then post the resultant log here?

    Author Comment

    >>could you restart the service
    figuring you mean service restart xinetd

    May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
    May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
    May  4 09:30:29 muse passwd: pam_unix(passwd:chauthtok): password changed for teamb
    May  4 09:30:57 muse vsftpd: pam_listfile(vsftpd:auth): Refused user teamb for service vsftpd
    May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000010)
    May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password
    May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
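
The log excerpt above can be triaged mechanically: the first module to reject the attempt is pam_listfile, and the pam_winbind NT_STATUS_NO_SUCH_USER error comes from a later module in the same stack. The following is an added example, not part of the original thread; it groups lines by timestamp because these entries carry no PID, an assumption that holds for this excerpt.

```python
import re

# Log lines copied from the post above (syslog format, PAM messages).
SAMPLE_LOG = """\
May  4 09:30:29 muse passwd: pam_unix(passwd:chauthtok): password changed for teamb
May  4 09:30:57 muse vsftpd: pam_listfile(vsftpd:auth): Refused user teamb for service vsftpd
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000010)
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
"""

# "<time> <host> <prog>: pam_module(service:phase): message"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ [^:]+: "
    r"(?P<module>pam_\w+)\((?P<service>[^:)]+):(?P<phase>\w+)\): (?P<msg>.*)$"
)
REFUSED = re.compile(r"Refused user (\S+) for service")
FAILED = re.compile(r"request failed|authentication failure")


def triage(log_text, service):
    """Report the first PAM module that rejected each auth attempt."""
    attempts = {}  # timestamp -> rejecting events, in the order logged
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["service"] != service or m["phase"] != "auth":
            continue
        refused = REFUSED.search(m["msg"])
        if refused or FAILED.search(m["msg"]):
            user = refused.group(1) if refused else None
            attempts.setdefault(m["ts"], []).append((m["module"], user))
    findings = []
    for ts, events in attempts.items():
        first_module, user = events[0]
        # Errors from modules further down the stack are secondary noise.
        later = sorted({mod for mod, _ in events[1:] if mod != first_module})
        findings.append({"time": ts, "user": user,
                         "first_rejecter": first_module, "later_errors": later})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "vsftpd"):
        print(finding)
```
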

    Assisted Solution

    ok I got it ! It IS a PAM thing...

    By default, all users on AD will have access to the system if I set this and I thought this was ONLY for remote administration but I had it restricted for local users too!  This should be turned off:
    a.      Create a group (/etc/group) which will contain all the users allowed to log in.
    b.      vi /etc/ and add each distinct group created for authentication

    EX to be designed and writ into .allowed and specified in /etc/group :

    so now that 2 segmented groups are represented in the PAM allowed config, just make sure each username is in appropriate group then chgrp -R apache <username>
    ... I'm guessing apache 'cause they are local driven users
    and they work now...
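
A way to check which local accounts a group allow list would refuse, as an added example that is not part of the original thread. It assumes the restriction is a pam_listfile rule with item=group sense=allow, models only local /etc/passwd and /etc/group entries (no winbind lookups), and uses constructed file contents; the group names adusers and ftplocal and the min_uid of 500 are assumptions.

```python
# Constructed sample data; "adusers" and "ftplocal" are hypothetical groups.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
testaccount:x:501:501::/home/testaccount:/bin/bash
teamb:x:502:502::/home/teamb:/bin/bash
"""
GROUP = """\
root:x:0:
testaccount:x:501:
teamb:x:502:
ftplocal:x:600:teamb
"""
ALLOWED = "adusers\nftplocal\n"  # allow file: one group name per line


def _records(text):
    """Yield colon-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            yield line.strip().split(":")


def matching_groups(user, passwd_text, group_text, allow_text):
    """Allow-listed groups the user belongs to (primary or supplementary)."""
    primary = {r[0]: r[3] for r in _records(passwd_text)}  # user -> gid
    if user not in primary:
        return []
    allowed = {g.strip() for g in allow_text.splitlines() if g.strip()}
    hits = []
    for name, _pw, gid, members in _records(group_text):
        in_group = gid == primary[user] or user in members.split(",")
        if name in allowed and in_group:
            hits.append(name)
    return hits


def audit(passwd_text, group_text, allow_text, min_uid=500):
    """Map each ordinary local account to True (passes) or False (refused)."""
    return {r[0]: bool(matching_groups(r[0], passwd_text, group_text, allow_text))
            for r in _records(passwd_text) if int(r[2]) >= min_uid}


if __name__ == "__main__":
    print(audit(PASSWD, GROUP, ALLOWED))
```
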


    Author Comment

    thx for all the exercise Redimodo of going through the steps...

    Author Closing Comment

    I am giving myself 1/4 answer I deduced it IS about PAM in contrast to Ridimodo's initial posted statement
