Karol's questions -server

Karol

Asked: 2023-10-04 05:19:50 +0800 CST

Cannot passwd for root with nslcd and openldap on Debian 12

Fresh Debian 12 for lab (VM). I installed: slapd, phpldapadmin, nslcd, nscd and dependencies. I have two local accounts: root and user1. Also I have only user1 POSIX-account on local LDAP server. I can change password for user1 by passwd. The password changes both on the LDAP server and in shadow-file. I can login as both root and user1 via ssh.

I cannot change password for root by passwd, because right after I invoke the program:

passwd: Authentication token manipulation error 
passwd: password unchanged

There is no prompt for password (current or new).

How can I change the local root password if there is no root account on the LDAP server?
Is this the correct result of passwd or some configuration error?

Here's my config:

nslcd.conf:

uid nslcd
gid nslcd
uri ldap://127.0.0.1/
base dc=debian,dc=valhalla,dc=**,dc=**
tls_cacertfile /etc/ssl/certs/ca-certificates.crt

nscd.conf:

debug-level             0
paranoia                no
enable-cache            passwd          yes
positive-time-to-live   passwd          600
negative-time-to-live   passwd          20
suggested-size          passwd          211
check-files             passwd          yes
persistent              passwd          yes
shared                  passwd          yes
max-db-size             passwd          33554432
auto-propagate          passwd          yes
enable-cache            group           yes
positive-time-to-live   group           3600
negative-time-to-live   group           60
suggested-size          group           211
check-files             group           yes
persistent              group           yes
shared                  group           yes
max-db-size             group           33554432
auto-propagate          group           yes
enable-cache            hosts           yes
positive-time-to-live   hosts           3600
negative-time-to-live   hosts           20
suggested-size          hosts           211
check-files             hosts           yes
persistent              hosts           yes
shared                  hosts           yes
max-db-size             hosts           33554432
enable-cache            services        yes
positive-time-to-live   services        28800
negative-time-to-live   services        20
suggested-size          services        211
check-files             services        yes
persistent              services        yes
shared                  services        yes
max-db-size             services        33554432
enable-cache            netgroup        yes
positive-time-to-live   netgroup        28800
negative-time-to-live   netgroup        20
suggested-size          netgroup        211
check-files             netgroup        yes
persistent              netgroup        yes
shared                  netgroup        yes
max-db-size             netgroup        33554432

nsswitch.conf:

passwd:         files ldap
group:          files ldap
shadow:         files ldap
gshadow:        files
hosts:          files dns
networks:       files
protocols:      db files
services:       db files
ethers:         db files
rpc:            db files
netgroup:       nis

common-account:

account [success=1 new_authtok_reqd=done default=ignore]        pam_unix.so
account requisite                       pam_deny.so
account required                        pam_permit.so
account [success=ok new_authtok_reqd=done ignore=ignore user_unknown=ignore authinfo_unavail=ignore default=bad]        pam_ldap.so minimum_uid=1000

common-auth:

auth    [success=2 default=ignore]      pam_unix.so nullok
auth    [success=1 default=ignore]      pam_ldap.so minimum_uid=1000 use_first_pass
auth    requisite                       pam_deny.so
auth    required                        pam_permit.so

common-password:

password        required        pam_unix.so obscure yescrypt
password        sufficient      pam_ldap.so minimum_uid=1000 try_first_pass
password        requisite                       pam_deny.so
password        required                        pam_permit.so

common-session:

session [default=1]                     pam_permit.so
session requisite                       pam_deny.so
session required                        pam_permit.so
session required        pam_unix.so
session [success=ok default=ignore]     pam_ldap.so minimum_uid=1000
session optional        pam_systemd.so

Karol

Asked: 2022-01-08 05:14:24 +0800 CST

SSH authentication: (public key xor password) + google authenticator code

I'm using Debian bullseye. I'm trying to set up SSH two types logins:

password + code from Google's Authenticator (if user set it, "nullok" option),
public key + code from Google's Authenticator (if user set it, "nullok" option).

Type #1 works for me. In type #2 I have public key + password (not public key passphrase) + code from GA. I added this line to /etc/ssh/sshd_config

AuthenticationMethods publickey,keyboard-interactive keyboard-interactive

I'd like to user won't be prompted for password if key was supplied. Precisely, how to bypass pam_unix.so demand if public key was provided?

Is there any way to accomplish what I want on one machine? Thanks in advance.

Cannot passwd for root with nslcd and openldap on Debian 12

SSH authentication: (public key xor password) + google authenticator code

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?