• Status: Solved

Local FTP users don't work but AD auth'd FTP users do?

When I try to use a local Red Hat Linux account on the server to FTP, I get this error:

request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER

AD winbind users work just fine...

PLEASE HELP, please, thanks so much.
Asked by: JAaron Anderson

4 Solutions
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
I verified my local user by first creating a brand new account:

   adduser -m -c "testaccount" testaccount   # -c takes a comment string, -m creates the home directory

   # su - testaccount
   $ whoami
   testaccount
   $ pwd
   /home/testaccount

Then I did a passwd on it just to be sure I have the right password:

   passwd testaccount
   changed successfully

Then I did a chmod -R /home/testaccount,

and it still doesn't work?




I've found documentation to tinker with /etc/pam.d/system-auth, but I didn't really want to mess with that since I wasn't masterful of it.
Please help.
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
vi /etc/group seems to list them fine at the bottom of the list in their independent, isolated user group:

testaccount:x:523:


This is outside the user group I've configured for remote AD winbind authentication, which still does work, thank goodness...

Thoughts?

Thanks!
 
Gabriel Orozco (Solution Architect) commented:
Which FTP server are you using?

You can tell vsftpd to authorize LDAP users while disallowing local users.

That should be configured at the FTP server, not in PAM.
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
I want almost all of them to auth through AD... but there are some that still need to auth locally...
Maybe that's not through vsftpd... not sure what to check.
I need testaccount to auth locally, not through AD.
Thoughts?

>> which FTP server are you using?
Not sure what you mean... the end-user FTP client software?
Server side, I think vsftpd (that service IS running), but how do I tell for sure...

Thanks
 
Gabriel Orozco (Solution Architect) commented:
To see which FTP server you are running, log in to your Linux server (preferably as root) and then issue this command:

   ps -eF | grep -v grep | grep ftp

and post the result here, please.
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
I got this back:

   /usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

OK...
So PAM isn't the problem then, since AD users are working... I don't want to touch it for fear those users' authentication would break.

So now turning solely to vsftpd, but what should I look for on my RHEL 5 system?
 
Gabriel Orozco (Solution Architect) commented:
Two files need to be modified.

First, in /etc/vsftpd.conf, uncomment or add this line:

   # Uncomment this to allow local users to log in.
   local_enable=YES

Second, /etc/pam.d/vsftpd should look like this:

   #%PAM-1.0
   session    optional     pam_keyinit.so    force revoke
   auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
   auth       required     pam_shells.so
   auth       include      system-auth
   account    include      system-auth
   session    include      system-auth
   session    required     pam_loginuid.so

Back up your files before any modification. Then, if you want, check your files against these and post them here.
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
All those settings read exactly the way you have them, uncommented and in order, line by line...

It was OK before; I saw it working like last month. Not sure what changed :(

 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
I tried rebuilding the accounts and nothing seems to work...
Traversing the logs next for a specific error code :(
 
Gabriel Orozco (Solution Architect) commented:
OK, that information is something we needed to know.

The log should be located at /var/log/vsftpd.log.

Could you restart the service, try to log in, and then post the resulting log here?
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
>> could you restart the service
Figuring you mean: service xinetd restart

May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
May  4 09:30:29 muse passwd: pam_unix(passwd:chauthtok): password changed for teamb
May  4 09:30:57 muse vsftpd: pam_listfile(vsftpd:auth): Refused user teamb for service vsftpd
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000010)
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
 
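The PAM stack Gabriel posted and the syslog lines above can be reasoned about without touching the server. The following Python is an added example, not code from the thread: it models the auth checks of that stack (local_enable, pam_listfile against ftpusers, a local passwd entry, pam_shells) plus the group allow list the final post describes, against constructed sample files, and pulls the refusing module out of log lines like those quoted. The file contents, the group names and the position of the group check are assumptions.

```python
import re

# Constructed sample files standing in for what the thread's PAM stack reads.
VSFTPD_CONF = "anonymous_enable=NO\n#local_enable=YES\nlocal_enable=YES\n"
FTPUSERS = "root\nbin\nteamb\n"              # pam_listfile item=user sense=deny
SHELLS = "/bin/sh\n/bin/bash\n"              # consulted by pam_shells
PASSWD = ("testaccount:x:523:523::/home/testaccount:/bin/bash\n"
          "teamb:x:524:524::/home/teamb:/bin/bash\n"
          "svc:x:525:525::/home/svc:/sbin/nologin\n")
GROUP = "localusers:x:600:testaccount\nadauthusers:x:601:teamb\n"
GROUP_ALLOWED = "localusers\nadauthusers\n"  # stands in for /etc/login.group.allowed (assumed format)
SAMPLE_LOG = (  # two syslog lines quoted in the thread, shortened
    "May  4 09:30:57 muse vsftpd: pam_listfile(vsftpd:auth): Refused user teamb for service vsftpd\n"
    "May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): request failed: No such user\n")

def conf_value(conf, key):
    """vsftpd takes the last uncommented key=value line for a key."""
    hits = [l.split("=", 1)[1].strip() for l in conf.splitlines()
            if "=" in l and not l.lstrip().startswith("#")
            and l.split("=", 1)[0].strip() == key]
    return hits[-1] if hits else None

def in_allowed_group(user, group=GROUP, allowed=GROUP_ALLOWED):
    """Is the user a member of any group named in the allow file?"""
    return any(name in allowed.split() and user in members.split(",")
               for name, _, _, members in (l.split(":") for l in group.splitlines()))

def check_local_ftp_login(user, conf=VSFTPD_CONF, ftpusers=FTPUSERS,
                          shells=SHELLS, passwd=PASSWD):
    """First reason the user would be refused, in the stack's order, or 'ok'."""
    if conf_value(conf, "local_enable") != "YES":
        return "vsftpd: local_enable is not YES"
    if user in ftpusers.split():                # pam_listfile ... sense=deny
        return "pam_listfile: user is in the ftpusers deny list"
    entry = {l.split(":")[0]: l.split(":") for l in passwd.splitlines()}.get(user)
    if entry is None:                           # pam_unix fails; winbind then says NO_SUCH_USER
        return "pam_unix/pam_winbind: no such local user"
    if entry[6] not in shells.split():          # pam_shells
        return "pam_shells: login shell not in /etc/shells"
    if not in_allowed_group(user):              # group allow list from the final post
        return "pam_listfile: user is in no allowed group"
    return "ok"

PAM_FAIL = re.compile(r"(pam_\w+)\(vsftpd:auth\): (Refused user \S+|request failed.*)")

def pam_failures(log):
    """[(module, message)] per failing auth line, in order. 'required' modules keep
    the stack running after a failure, so the FIRST entry is the real cause."""
    return [(m.group(1), m.group(2)) for m in map(PAM_FAIL.search, log.splitlines()) if m]
```

Run against the sample files, `check_local_ftp_login("teamb")` stops at the ftpusers deny list, which is also the first failure `pam_failures` finds in the log before winbind's later NO_SUCH_USER message.
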
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
OK, I got it! It IS a PAM thing...

By default, all users in AD will have access to the system if I set this. I thought this was ONLY for remote administration, but I had it restricted for local users too! This should be turned off:
a. Create a group (/etc/group) which will contain all the users allowed to log in.
b. vi /etc/login.group.allowed and add each distinct group created for authentication.

Example, to be designed and written into .allowed and specified in /etc/group:
   localusers
   adauthusers

So now that the 2 segmented groups are represented in the PAM allowed config, just make sure each username is in the appropriate group, then chgrp -R apache <username>
... I'm guessing apache because they are locally driven users,
and they work now...

 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
Thanks for all the exercise, Redimodo, of going through the steps...
 
JAaron Anderson (Programming Architect @ Widener University, Author) commented:
I am giving myself 1/4 of the answer; I deduced it IS about PAM, in contrast to Ridimodo's initial posted statement.
