SSH login is failing with nss_ldap 265 with error fatal: login_get_lastlog: Cannot find account for uid

Asked by Ramu on 2018-03-12

When trying to log in using ssh, the following error message is logged in /var/log/auth.log: "fatal: login_get_lastlog: Cannot find account for uid", and the session is immediately terminated by the server.

On the same machine, when using nslcd, the SSH login is successful.

Please let me know if any more details are required.


How did you configure the LDAP?

Ramu (ramug) said : #2

While installing the libnss-ldap, the appropriate ldap settings are configured which I could see in /etc/ldap.conf

I am using SSL-based communication, so I opened /etc/ldap.conf in the vi editor and configured the additional settings below:
ssl on
tls_reqcert allow
tls_cacertfile /abc.crt
tls_cacertdir /

I updated the nsswitch.conf file to look in ldap as well:
passwd: compat ldap
group: compat ldap
shadow: compat ldap

I could retrieve the user account details using the getent command:

getent passwd admin101

I could successfully connect using winSCP (SFTP) also.

But when I tried to log in using ssh, it failed with the message "Server unexpectedly closed network connection".

Ramu (ramug) said : #3

I missed another piece of information.

I configured the bind policy to soft, and from the logs it is inferred that it is failing because it is not able to reach the LDAP server.

When I configured it to hard, it retries and then I am successfully able to log in via SSH.

But now the question is why the LDAP server is not reachable.

During getent calls and also during the initial SSH login process, the LDAP server is reachable and the NSS lookups are successful. But only while setting the login id (not sure) or at some stage in the SSH login process, it consistently fails because it is not able to reach the LDAP server and throws the above error message in the logs: "fatal: login_get_lastlog: Cannot find account for uid"

Any directions on what calls during SSH login process trigger nss lookups?
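A diagnostic script for the question above, added here and not taken from the thread. It repeats the two NSS lookups an SSH login performs (getpwnam on the username during authentication, then getpwuid in login_get_lastlog, which is the OpenSSH function that emits the fatal seen in auth.log) and counts how many iterations succeed. getent is used as the stand-in for the C calls; the username and iteration count are parameters chosen here, not values from the thread. With a backend that fails intermittently, as nss_ldap with bind_policy soft does whenever a connection attempt fails, some iterations will fail while getent alone looks healthy.

```shell
#!/bin/sh
# Added diagnostic, not from the thread: reproduce the NSS lookup sequence of an
# SSH login many times so that an intermittently failing backend shows up.

# probe_nss USER [COUNT]
#   prints "ok/total" and returns 0 only if every iteration succeeded
probe_nss() {
    user=$1
    count=${2:-20}
    ok=0
    i=0
    while [ "$i" -lt "$count" ]; do
        i=$((i + 1))
        # step 1: name -> passwd entry (getpwnam, done by sshd during authentication)
        entry=$(getent passwd "$user" 2>/dev/null) || { continue; }
        uid=$(printf '%s\n' "$entry" | cut -d: -f3)
        # step 2: uid -> passwd entry (getpwuid, done by login_get_lastlog after auth)
        if getent passwd "$uid" >/dev/null 2>&1; then
            ok=$((ok + 1))
        fi
    done
    printf '%s/%s\n' "$ok" "$count"
    [ "$ok" -eq "$count" ]
}

# Usage: probe_nss admin101 50   (exit status 0 means all 50 iterations resolved)
```

If getent by itself always succeeds but this loop reports failures, the problem is in the NSS backend's handling of a dropped or refused connection rather than in the directory data; with bind_policy soft, nss_ldap gives up on the first failed connect instead of retrying, which is why switching to hard makes the login succeed.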

We join our servers to Windows domains using the below:

sudo apt install krb5-user samba sssd

Open the Kerberos config file
 sudo vim /etc/krb5.conf

Under default_realm add the following two settings
 ticket_lifetime = 24h
 renew_lifetime = 7d

Edit the samba configuration file
 sudo vim /etc/samba/smb.conf

Comment out the following line in the [global] section
 workgroup = WORKGROUP

Add the following lines beneath it. Note that the workgroup is the domain name in uppercase (e.g., CONTOSO) and not the FQDN (e.g., CONTOSO.PRIVATE).
 client signing = yes
 client use spnego = yes
 kerberos method = secrets and keytab
 security = ads
 disable netbios = yes

Create the SSSD configuration file
 sudo mkdir /etc/sssd
 sudo vim /etc/sssd/sssd.conf

Enter the following lines with the settings in red needing to be defined for the domain to be joined to.

 domains = domainfqdn
 config_file_version = 2
 services = nss, pam, ssh, sudo

 id_provider = ad
 access_provider = ad
 cache_credentials = True
 use_fully_qualified_names = false
 ad_gpo_access_control = permissive
 default_shell = /bin/bash
 override_homedir = /home/%d/%u
 dyndns_update = true
 dyndns_refresh_interval = 43200
 dyndns_update_ptr = true
 dyndns_ttl = 3600

Save the file
Change the permissions of sssd.conf
 sudo chown root:root /etc/sssd/sssd.conf
 sudo chmod 600 /etc/sssd/sssd.conf

Confirm that SSS has been added as an identity provider
 grep 'sss' /etc/nsswitch.conf

Should output:
 passwd: compat sss
 group: compat sss
 shadow: compat sss
 services: db files sss
 netgroup: nis sss
 sudoers: files sss

Restart services
 sudo systemctl restart smbd nmbd

Test & Join
 Test the configuration by obtaining a Kerberos ticket. You will be prompted to enter your password.
 sudo kinit youradusername

Verify the ticket
 sudo klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: <email address hidden>

Valid starting Expires Service principal
14/11/16 18:04:02 15/11/16 04:04:02 <email address hidden>
        renew until 15/11/16 18:03:58

Join the domain. Note that it may take several minutes to complete even after the joined message has appeared.
 sudo net ads join -k

Using short domain name -- CONTOSO
Joined 'HOSTNAME' to dns domain 'contoso.private'

Before you can log in with your domain account, you will need to update PAM to include SSS as an authentication method and then reapply some of the hardening steps regarding local password policies.

Launch the auth config tool
 sudo pam-auth-update --force

Deselect “Pwquality password strength checking”, select “Cracklib password strength checking”, and select “Create home directory on login”

Reboot the server
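A post-install check for the procedure above, added here and not part of the original answer. It verifies the two things that most often leave SSSD unable to start or unused after these steps: sssd.conf must be mode 0600 and owned by root (sssd refuses to start otherwise), and the passwd, group and shadow databases in nsswitch.conf must route through sss. File paths and the expected owner uid are parameters so the check can also be run against copies; the defaults assume the paths used in the answer.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check the SSSD file permissions and
# the nsswitch.conf routing described in the answer above.

# check_sssd_conf_perms [SSSD_CONF] [OWNER_UID]
#   returns 0 if the file is mode 600 and owned by OWNER_UID (default 0 = root)
check_sssd_conf_perms() {
    conf=${1:-/etc/sssd/sssd.conf}
    want_uid=${2:-0}
    rc=0
    mode=$(stat -c '%a' "$conf") || return 1
    uid=$(stat -c '%u' "$conf") || return 1
    if [ "$mode" != "600" ]; then
        echo "PROBLEM: $conf has mode $mode, expected 600"
        rc=1
    fi
    if [ "$uid" != "$want_uid" ]; then
        echo "PROBLEM: $conf is owned by uid $uid, expected uid $want_uid"
        rc=1
    fi
    return $rc
}

# check_nsswitch_sss [NSSWITCH_CONF]
#   returns 0 if passwd, group and shadow each list sss as a source
check_nsswitch_sss() {
    nss=${1:-/etc/nsswitch.conf}
    rc=0
    for db in passwd group shadow; do
        # grep -w so that a typo such as "ssss" is not accepted as "sss"
        if ! grep -E "^$db:" "$nss" | grep -qw sss; then
            echo "PROBLEM: $nss: '$db' database does not include sss"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_sssd_conf_perms && check_nsswitch_sss && echo "sssd file checks passed"
```

Run it before rebooting; a failing permissions check explains an SSSD service that exits immediately, and a failing nsswitch check explains domain accounts that authenticate with kinit but are unknown to getent and sshd.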
