SSH - Corrupt MAC on linux, but works on PuTTY!? Whaa?!

sven_sol · Last edited by sven_sol on Wed Dec 17, 2008 1:34 pm; edited 1 time in total

Hi all,

this is good... I really am confused by this.

There is a server, running SSH. I cannot connect to it either from my Mac OSX 10.5.6 or from any of my linux boxes. However, if I use PuTTY on a Windows machine it connects fine.

What I reeeaaaallllyy find odd is that the user database is in OpenLDAP, an no user that is in the LDAP i.e. an Administrator account can log on - however the root user can!

After debugging the connections it seems that the local nss cannot connect to the ldap directory due to certificates. Now, the services are all based on the LDAP - Samba, Mail etc. and they work fine.

Any ideas?!

nativemad · Posted: Wed Dec 17, 2008 1:22 pm Post subject:

Hi,

sven_sol · Posted: Wed Dec 17, 2008 1:34 pm Post subject:

you're correct: the /etc/ldap.conf points to that machine.

That machine is itself - the syslog shows "main" as the host name (because it is), but I've set the alias to svenmachine in hosts and for this.

The svenmachine has the correct host to the IP address of the interface (not 127.0.0.1) .The /etc/hosts file is correct, and pointing to the IP address of itself. Doing a "getent passwd" is fine, it enumerates the users as expected.

This is the same config as other machines I have, but this is the only showing this.

What about the errors?

nativemad · Posted: Wed Dec 17, 2008 2:01 pm Post subject:

Ok, i overlooked that TLS error...

Make sure that you have "tls_checkpeer no" in either /etc/openldap/ldap.conf and/or in /etc/ldap.conf.
Otherwise, if you use an alias-name, which isn't the name that is in the certificate, the verification will fail!
_________________
Power to the people!

sven_sol · Posted: Wed Dec 17, 2008 2:31 pm Post subject:

nope

same thing happening.

The certs are fine too.
_________________
Tua mater tam antiqua ut linguam latinam loquatur

Linux User: #405647

nativemad · Posted: Wed Dec 17, 2008 3:08 pm Post subject:

Hmm....
Do you know which servername is used in the certificate? Maybe it would be worth a try with that name as ldaps// url, or just the IP, just to get sure, that nothing else is broken...

Do the other (working) clients also use that slapd? Or do they serve their own?
Do you use client certificates?
A bit more details about your config could be helpful.... slapd and ldap/nss
_________________
Power to the people!

sven_sol · Posted: Wed Dec 17, 2008 3:51 pm Post subject:

Ok - being honest now.. I've changed a couple of the names to preserve the anonymity of my client. Forget the svenmachine - thats me hiding too much to be useful :oops:

the server name is main. The certificate is registered to main.{their.domain}co.uk

The hosts file contains:

nativemad · Posted: Thu Dec 18, 2008 7:09 am Post subject:

Are you sure that you've got exactly the same on the others? Perhaps different versions of packages could also make a diff...
The only thing which is obviously wrong is in /etc/openldap/ldap.conf the uri... shouldn't it be ldaps://...?? -but i guess (from the logs seen) that its correct...<>>> slap_listener(ldaps://)>

I would try to find out if the problem resides on slapd or pam/nss... You said that you have other (working) machines... What happens, if you point nss to another box's slapd? Or vice versa?

btw: maybe you can see more relevant debugging stuff, if you place a "-d 256" in the "OPTS" in /etc/conf.d/slapd and restart the service... (is this file correct??? -i almost forgot about it...)
_________________
Power to the people!