• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1429

local FTP users don't work but AD auth'd FTP users do?

When I try to use a local RedHat Linux account on the server to FTP, I am getting this error:

request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER

AD windbind users work just fine...

PLEASE HELP pleeeease thx so much
0
Asked by: JAaron Anderson
4 Solutions
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
I verified my local user by

first creating a brand new account
adduser -c -m testaccount

# su - testaccount
$ whoami
testaccount
$ pwd
/home/testaccount

then did a passwd on it just to be sure I have the right password...

passwd testaccount
changed succesfully

then did a chmod -R /home/testaccount

and it still doesn't work?




I've found documentation to tinker with /etc/pam.d/system-auth, but I didn't really wanna mess with that since I wasn't masterful of it.
please help
0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
vi /etc/group seems to list them fine at the bottom of the list in their independent isolated user group

testaccount:x:523:


this is outside the user group I've configured for remote AD winbind authentication, which still does work, thank goodness...

thoughts?

thanks!
0
 
Gabriel Orozco (Solution Architect) commented:
which FTP server are you using?

you can tell vsftp to authorize LDAP users while disallowing local users.

that should be configured at the ftp server not on PAM
0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
I want most all to auth thru AD... but there are some that still need to auth locally...
maybe that's not thru vsftp ... not sure what to check
I need testaccount to auth locally not thru AD
thoughts ?

>>which FTP server are you using?
not sure what you mean .. the end user ftp client software ?
server side I think vsftp (that service IS running) but how do I tell for sure...

thanks
0
 
Gabriel Orozco (Solution Architect) commented:
to see the FTP server you are running, log in (preferably as root) to your Linux server, and then issue this command:

ps -eF | grep -v grep | grep ftp


and post the result here please
0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
I got this back

/usr/sbin/vsftpd /etc/vsftpd/vsftpd.conf

ok...
so PAM isn't the problem then since AD users are working... I don't want to touch it in fear those users' authentication would break.

so now turning solely to vsftp, but what to look for in my RHEL 5 system?
0
 
Gabriel Orozco (Solution Architect) commented:
Two files need to be modified.

First on /etc/vsftpd.conf
   uncomment or add this line
   
   # Uncomment this to allow local users to log in.
   local_enable=YES

Second on /etc/pam.d/vsftpd
   the file should look like:
   #%PAM-1.0
   session    optional     pam_keyinit.so    force revoke
   auth       required     pam_listfile.so item=user sense=deny file=/etc/vsftpd/ftpusers onerr=succeed
   auth       required     pam_shells.so
   auth       include      system-auth
   account    include      system-auth
   session    include      system-auth
   session    required     pam_loginuid.so

Back up your files before any modification. Then, if you want, check your files against this and post them here.
0
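The two files above are exactly the gates a local FTP login has to pass: local_enable in vsftpd.conf, then the pam_listfile deny list, pam_shells and finally the system-auth lookup. The following pre-flight check, added here as an example and not code from the thread or from vsftpd, walks those gates in order for one username and names the first one that fails. File paths are parameters (assumed, so it can be pointed at copies or at the live /etc files); the fixture files it builds for the demo are constructed and are not the poster's real configuration.

```shell
#!/bin/sh
# Added example: replay the gates of the vsftpd PAM stack quoted above for one
# local user, reporting the first gate that would refuse the login.
#
#   1. local_enable=YES (uncommented) in vsftpd.conf
#   2. user not listed in the pam_listfile deny file (sense=deny, file=ftpusers)
#   3. user present in the local passwd file (the pam_unix path of system-auth)
#   4. user's login shell listed in the shells file (pam_shells)
#
# usage: vsftpd_local_check USER VSFTPD_CONF DENY_FILE SHELLS_FILE PASSWD_FILE
# prints "ok" and returns 0, or prints the failing gate and returns 1.
vsftpd_local_check() {
    user=$1; conf=$2; deny=$3; shells=$4; passwd=$5

    # gate 1: only an uncommented local_enable=YES counts
    if ! grep -Eq '^[[:space:]]*local_enable=YES' "$conf"; then
        echo "local_enable is not YES in $conf"; return 1
    fi
    # gate 2: pam_listfile item=user sense=deny refuses on an exact line match
    if grep -Fxq "$user" "$deny"; then
        echo "$user is denied by $deny"; return 1
    fi
    # gate 3: the account must exist locally (winbind is not consulted here)
    entry=$(grep "^$user:" "$passwd") || { echo "$user not in $passwd"; return 1; }
    shell=${entry##*:}          # last field of the passwd entry
    # gate 4: pam_shells only accepts shells listed in the shells file
    if ! grep -Fxq "$shell" "$shells"; then
        echo "$user shell $shell not listed in $shells"; return 1
    fi
    echo ok
}

# Constructed fixture (assumed sample data, not the poster's files): a temp
# directory holding the four files the check reads. Prints the directory.
vsftpd_demo_fixture() {
    d=$(mktemp -d)
    printf '# Uncomment this to allow local users to log in.\nlocal_enable=YES\n' > "$d/vsftpd.conf"
    printf 'root\nteamb\n' > "$d/ftpusers"           # pam_listfile deny list
    printf '/bin/sh\n/bin/bash\n' > "$d/shells"      # pam_shells list
    printf '%s\n' \
        'root:x:0:0:root:/root:/bin/bash' \
        'testaccount:x:523:523::/home/testaccount:/bin/bash' \
        'teamb:x:524:524::/home/teamb:/bin/bash' \
        'svc:x:525:525::/home/svc:/sbin/nologin' > "$d/passwd"
    echo "$d"
}

# Demo: one line per sample user, showing which gate (if any) refuses it.
vsftpd_demo() {
    d=$(vsftpd_demo_fixture)
    for u in testaccount teamb svc nobody; do
        printf '%s: ' "$u"
        vsftpd_local_check "$u" "$d/vsftpd.conf" "$d/ftpusers" "$d/shells" "$d/passwd" || :
    done
    rm -rf "$d"
}
vsftpd_demo
```

Run against the live system as root with `/etc/vsftpd/vsftpd.conf /etc/vsftpd/ftpusers /etc/shells /etc/passwd` (the conf path on RHEL 5 is the one the `ps` output earlier in the thread shows). A user that passes all four gates and still fails has a problem inside system-auth itself, which is where the thread eventually ends up.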
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
all those settings read exactly the way you have them uncommented and in order line by line ...

was ok before; I saw it worked like last month, not sure what changed :(

0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
I tried rebuilding the accounts and nothing seems to work...
traversing logs next for specific error code :(
0
 
Gabriel Orozco (Solution Architect) commented:
Ok that information is something we needed to know.

the log should be located at /var/log/vsftpd.log

could you restart the service, try to log-in and then post the resultant log here?
0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
>>could you restart the service
figuring you mean service restart xinetd

May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
May  4 09:30:29 muse passwd: pam_unix(passwd:chauthtok): password changed for teamb
May  4 09:30:57 muse vsftpd: pam_listfile(vsftpd:auth): Refused user teamb for service vsftpd
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000010)
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
0
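The log above already contains the diagnosis: pam_listfile refuses teamb before any other module runs, the pam_winbind "No such user" that follows is just winbind confirming the account is not in AD, and the two passwd lines show pam_unix rejecting a misspelled option in the system-auth password stack (the real option name is use_authtok). The triage below, added here as an example and not code from the thread, reads syslog lines of that shape from stdin and prints one tab-separated line per failure naming the module, the user and what the message means; the sample log it ships with is a constructed copy of the lines posted above.

```shell
#!/bin/sh
# Added example: classify vsftpd/PAM authentication failures from syslog.
# Reads log lines on stdin; prints "MODULE<TAB>USER<TAB>meaning" per failure.
pam_ftp_triage() {
    awk '
    # pam_listfile names the user and is the first auth module in the stack:
    # a refusal here means the user is on the deny list and nothing later
    # (pam_unix, pam_winbind) gets a real chance.
    / vsftpd: pam_listfile\(vsftpd:auth\): Refused user / {
        for (i = 1; i <= NF; i++) if ($i == "user") last_user = $(i + 1)
        printf "pam_listfile\t%s\tuser is on the deny list (ftpusers); later modules irrelevant\n", last_user
        next
    }
    # pam_winbind "No such user" does not name the account, so attribute it
    # to the last user seen. For an account meant to be local this is
    # expected: winbind only knows AD users, so the local path is the one to fix.
    / vsftpd: pam_winbind\(vsftpd:auth\): request failed: No such user/ {
        printf "pam_winbind\t%s\tnot an AD account; local (pam_unix) path must accept it\n", last_user
        next
    }
    # pam_unix complaining about an option it does not know: a typo in a
    # pam.d file. use_authok is a misspelling of use_authtok.
    /pam_unix\([a-z]+:[a-z]+\): unrecognized option \[/ {
        opt = $0; sub(/.*unrecognized option \[/, "", opt); sub(/\].*/, "", opt)
        hint = (opt == "use_authok") ? "misspelling of use_authtok in a pam.d file" : "unknown option in a pam.d file"
        printf "pam_unix\t-\toption %s: %s\n", opt, hint
        next
    }
    '
}

# Constructed sample: the lines posted above, reproduced as test input.
pam_ftp_sample_log() {
    cat <<'EOF'
May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
May  4 09:30:18 muse passwd: pam_unix(passwd:chauthtok): unrecognized option [use_authok]
May  4 09:30:29 muse passwd: pam_unix(passwd:chauthtok): password changed for teamb
May  4 09:30:57 muse vsftpd: pam_listfile(vsftpd:auth): Refused user teamb for service vsftpd
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): getting password (0x00000010)
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): pam_get_item returned a password
May  4 09:30:57 muse vsftpd: pam_winbind(vsftpd:auth): request failed: No such user, PAM error was User not known to the underlying authentication module (10), NT error was NT_STATUS_NO_SUCH_USER
EOF
}

# Demo: triage the sample. On a real box: pam_ftp_triage < /var/log/secure
pam_ftp_sample_log | pam_ftp_triage
```

On RHEL 5 these PAM messages land in /var/log/secure rather than /var/log/vsftpd.log (which holds vsftpd's own transfer log), so that is the file to feed in after a failed login attempt.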
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
ok I got it ! It IS a PAM thing...

By default, all users on AD will have access to the system if I set this and I thought this was ONLY for remote administration but I had it restricted for local users too!  This should be turned off:
a.      Create a group (/etc/group) which will contain all the users allowed to log in.
b.      vi /etc/login.group.allowed and add each distinct group created for authentication

EX to be designed and writ into .allowed and specified in /etc/group :
localusers
adauthusers


so now that 2 segmented groups are represented in the PAM allowed config, just make sure each username is in the appropriate group, then chgrp -R apache <username>
... I'm guessing apache cause they are local driven users
and they work now...

0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
thx for all the exercise Redimodo of going through the steps...
0
 
JAaron Anderson (Programming Architect @ Widener University), Author, commented:
I am giving myself 1/4 answer I deduced it IS about PAM in contrast to Ridimodo's initial posted statement
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Network Scalability - Handle Complex Environments

Monitor your entire network from a single platform. Free 30 Day Trial Now!

  • 10
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now