https://sourceforge.net/p/webadmin/discussion/55378/thread/ef1aaab62d/Recent posts to WEBMIN LDAP authentication: passwd returns "Authentication token manipulation error"enWed, 08 Feb 2023 15:18:02 -0000https://sourceforge.net/p/webadmin/discussion/55378/thread/ef1aaab62d/?limit=25#1a61<div class="markdown_content"><p>Incase anyone runs into the same problem I resolved this by install the following module and updating my webmin pam configuration.yum install perl-Authen-PAM</p> <p>auth       required     pam_env.so<br/> auth       sufficient   pam_unix.so likeauth nullok<br/> auth       sufficient   pam_ldap.so use_first_pass<br/> auth       required     pam_deny.so</p> <p>account   sufficient   pam_unix.so<br/> account   sufficient   pam_ldap.so<br/> account   required     pam_ldap.so</p> <p>password   required     pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3<br/> password   sufficient   pam_unix.so nullok md5 shadow use_authtok<br/> password   sufficient   pam_ldap.so use_first_pass<br/> password   required     pam_deny.so</p></div>raulWed, 08 Feb 2023 15:18:02 -0000https://sourceforge.neted47b0e9c226a91469efac83c4ab14754bca06e2https://sourceforge.net/p/webadmin/discussion/55378/thread/ef1aaab62d/?limit=25#1fb8<div class="markdown_content"><p>Update:jan 25 2023<br/> I believe I have sssd and nslcd working properly I also adjusted the pam modules in webmin. I also added db to nsswitch.conf so I checks there first. As of right now I can use things like ldapsearch -x -D cn=bindadmin,ou=People,dc=xxx,dc=com -W to query my db full of user succesfully I can also passwd $USER succesfully and log in with the new password using su -l $USER the only remaining problem I'm having is allowing the user to log into webmin I was hoping since the client is working and passwd changing works it would allow me to log in but when I attempt to change the converted webmin users acl for webmin log in I get the following error in /var/webmin/miniserv.error and this seems to be the only log error msg I get which is preventing my webmin users from logging in. Any thoughts?</p> <p>Argument "" isn't numeric in numeric ne (!=) at /usr/libexec/webmin/acl/save_unix.cgi line 80.<br/> <span>[25/Jan/2023:11:01:59 -0500]</span> Reloading configuration</p></div>raulWed, 25 Jan 2023 16:11:56 -0000https://sourceforge.net565de20579a1a84e803f80f7a1f0f0eb6e83f4bbhttps://sourceforge.net/p/webadmin/discussion/55378/thread/ef1aaab62d/?limit=25#f254<div class="markdown_content"><p>Update:jan 25 2023<br/> I believe I have sssd and nslcd working properly I also adjusted the pam modules in webmin. I also added db to nsswitch.conf so I checks there first. As of right now I can use things like ldapsearch -x -D cn=bindadmin,ou=People,dc=xxx,dc=com -W to query my db full of user succesfully I can also passwd $USER succesfully and log in with the new password using su -l $USER the only remaining problem I'm having is allowing the user to log into webmin I was hoping since the client is working and passwd changing works it would allow me to log in but when I attempt to change the converted webmin users acl for webmin log in I get the following error in /var/webmin/miniserv.error and this seems to be the only log error msg I get which is preventing my webmin users from logging in. Any thoughts?</p> <p>Argument "" isn't numeric in numeric ne (!=) at /usr/libexec/webmin/acl/save_unix.cgi line 80.<br/> <span>[25/Jan/2023:11:01:59 -0500]</span> Reloading configuration</p></div>raulWed, 25 Jan 2023 16:11:49 -0000https://sourceforge.net011146b1828d1cd95e164d70682202a1db4b8859https://sourceforge.net/p/webadmin/discussion/55378/thread/ef1aaab62d/?limit=25#d71a<div class="markdown_content"><p>Hello,</p> <p>I'm trying to setup ldap authentication for unix users to log in and I'm getting the token error. I have ldap users and groups working and I've converted all the unix users to webmin users but I cant get the users to log in or change password with passwd. I configured and enabled sssd.conf but I believe the issue may have to do with PAM files which I have limited experience with any help would be appreciated I'll add a few of the PAM configs along with the sssd.conf below. Let me know if you need anything else to help trouble shoot this thank you.</p> <p>I also cant use anything like ldapmodify or ldapsearch which is because of a misconfigured ldap-client not reaching the server I presume? When I configure ldap-client on webmin with the nslcd.conf file and I use the validate button it returns the following but it doesnt give me the option to run/start the client as it had prior now it only gives me the validate configuration option and both start ldap-client alongside could this be why its not connecting properly?</p> <p>error msg when I try ldap search<br/> SASL/GSS-SPNEGO authentication started<br/> ldap_sasl_interactive_bind_s: Local error (-2)<br/> additional info: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (SPNEGO cannot find mechanisms to negotiate)</p> <p>Finding LDAP base for users ..<br/> .. found base dc=xxxx,dc=com.<br/> Connecting to LDAP server ..<br/> .. connected to ldap-primary.ue1.-prod.com</p> <p>Searching for users ..<br/> .. found 507 users.</p> <p>Checking Unix users service ..<br/> .. service is setup to query LDAP.</p> <p>Looking for Unix user bjones ..<br/> .. user found successfully.</p> <p>Your system has been successfully configured as an LDAP client!</p> <p>Expectations:<br/> LDAP users and groups functionality working <span>[complete]</span><br/> converted unix webmin users log in functionality working <span>[not working]</span></p> <p>The following commands works<br/> id tuser<br/> uid=6469(tuser) gid=6250(gwtest) groups=6250(gwtest),9003(git),9001(softeng)</p> <p>getent passwd tuser<br/> tuser:*:6469:6250:test user:/home/tuser:/bin/bash</p> <p>log msg when I try "passwd tuser"<br/> passwd: pam_unix(passwd:chauthtok): user "tuser" does not exist in /etc/passwd<br/> passwd: pam_sss(passwd:chauthtok): Authentication failed for user tuser: 4 (System error)</p> <p>log msg when converted webmin users attempts to log in<br/> pam_unix(webmin:auth): authentication failure; logname= uid=0 euid=0 tty=10000 ruser= rhost=xxx user=xxx<br/> webmin<span>[8072]</span>: Invalid login as xxxx from xxxx</p> <p>passwdauth:</p> <h1 id="pam-10">%PAM-1.0</h1> <h1 id="this-file-is-auto-generated">This file is auto-generated.</h1> <h1 id="user-changes-will-be-destroyed-the-next-time-authconfig-is-run">User changes will be destroyed the next time authconfig is run.</h1> <p>auth required pam_env.so<br/> auth required pam_faildelay.so delay=2000000<br/> auth <span>[default=1 ignore=ignore success=ok]</span> pam_succeed_if.so uid &gt;= 1000 quiet<br/> auth <span>[default=1 ignore=ignore success=ok]</span> pam_localuser.so<br/> auth sufficient pam_unix.so nullok try_first_pass<br/> auth requisite pam_succeed_if.so uid &gt;= 1000 quiet_success<br/> auth sufficient pam_sss.so forward_pass<br/> auth required pam_deny.so</p> <p>account required pam_unix.so broken_shadow<br/> account sufficient pam_localuser.so<br/> account sufficient pam_succeed_if.so uid &lt; 1000 quiet<br/> account <span>[default=bad success=ok user_unknown=ignore]</span> pam_sss.so<br/> account required pam_permit.so</p> <p>password requisite pam_pwquality.so try_first_pass local_users_only retry=3<br/> password sufficient pam_unix.so sha512 shadow nullok try_first_pass<br/> password sufficient pam_sss.so</p> <p>password required pam_deny.so</p> <p>session optional pam_keyinit.so revoke<br/> session required pam_limits.so<br/> -session optional pam_systemd.so<br/> session optional pam_mkhomedir.so umask=0077<br/> session <span>[success=1 default=ignore]</span> pam_succeed_if.so service in crond quiet use_uid<br/> session required pam_unix.so<br/> session optional pam_sss.so</p> <p>passwd</p> <h1 id="pam-10_1">%PAM-1.0</h1> <p>auth include system-auth<br/> account include system-auth<br/> password substack system-auth<br/> -password optional pam_gnome_keyring.so<br/> password substack postlogin</p> <p>webmin</p> <h1 id="pam-10_2">%PAM-1.0</h1> <p>auth sufficient pam_ldap.so<br/> auth required pam_unix.so nullok<br/> account sufficient pam_ldap.so<br/> account required pam_unix.so<br/> session sufficient pam_ldap.so<br/> session required pam_unix.so</p> <p>system-auth</p> <h1 id="pam-10_3">%PAM-1.0</h1> <h1 id="this-file-is-auto-generated_1">This file is auto-generated.</h1> <h1 id="user-changes-will-be-destroyed-the-next-time-authconfig-is-run_1">User changes will be destroyed the next time authconfig is run.</h1> <p>auth required pam_env.so<br/> auth required pam_faildelay.so delay=2000000<br/> auth <span>[default=1 ignore=ignore success=ok]</span> pam_succeed_if.so uid &gt;= 1000 quiet<br/> auth <span>[default=1 ignore=ignore success=ok]</span> pam_localuser.so<br/> auth sufficient pam_unix.so nullok try_first_pass<br/> auth requisite pam_succeed_if.so uid &gt;= 1000 quiet_success<br/> auth sufficient pam_sss.so forward_pass<br/> auth required pam_deny.so</p> <p>account required pam_unix.so<br/> account sufficient pam_localuser.so<br/> account sufficient pam_succeed_if.so uid &lt; 1000 quiet<br/> account <span>[default=bad success=ok user_unknown=ignore]</span> pam_sss.so<br/> account required pam_permit.so</p> <p>password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=<br/> password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok<br/> password sufficient pam_sss.so use_authtok<br/> password required pam_deny.so</p> <p>session optional pam_keyinit.so revoke<br/> session required pam_limits.so<br/> -session optional pam_systemd.so<br/> session optional pam_mkhomedir.so umask=0077<br/> session <span>[success=1 default=ignore]</span> pam_succeed_if.so service in crond quiet use_uid<br/> session required pam_unix.so<br/> session optional pam_sss.so</p> <p>sssd.conf<br/> <span>[sssd]</span><br/> config_file_version = 2<br/> services = nss, pam, ssh<br/> reconnection_retries = 3<br/> domains = xxxx</p> <p><span>[nss]</span><br/> filter_groups = root<br/> filter_users = root,named,nscd</p> <p>[</p> <p><span>[domain/xxx]</span><br/> access_provider = ldap<br/> auth_provider = ldap<br/> cache_credentials = true<br/> chpass_provider = none<br/> debug_level = 3<br/> entry_cache_timeout = 300<br/> enum_cache_timeout = 300<br/> enumerate = true<br/> id_provider = ldap<br/> ldap_access_order = expire<br/> ldap_account_expire_policy = shadow<br/> ldap_default_authtok_type = password<br/> ldap_default_authtok = xxxx</p> <p>ldap_default_bind_dn = cn=bindadmin-sssd,ou=People,dc=xxxx,dc=com<br/> ldap_enumeration_refresh_timeout = 300<br/> ldap_group_member = memberUid<br/> ldap_group_name = cn<br/> ldap_group_object_class = posixGroup<br/> ldap_group_search_base = ou=Groups,dc=xxxx,dc=com<br/> ldap_id_use_start_tls = false<br/> ldap_network_timeout = 3<br/> ldap_pwd_policy = shadow<br/> ldap_schema = rfc2307<br/> ldap_search_base = dc=xxx,dc=com<br/> ldap_tls_cacertdir = /etc/openldap/cacerts<br/> ldap_tls_reqcert = never<br/> ldap_uri = ldaps://ldap-01.ue1-prod.com<br/> ldap_user_name = uid<br/> ldap_user_object_class = posixAccount<br/> ldap_user_search_base = ou=People,dc=xxxx,dc=com<br/> ldap_user_shadow_expire = shadowExpire<br/> shell_fallback = /bin/bash</p></div>raul mendesFri, 13 Jan 2023 19:33:52 -0000https://sourceforge.net90d341df46b592702819d6297f0cfc3647711ebb