Sudo asks for password twice with LDAP authentication
Solution 1
In PAM there is an option called "use_first_pass":
auth sufficient pam_ldap.so use_first_pass
Try enabling it for LDAP; it should fix your issue.
Solution 2
Try to change this line:
auth sufficient pam_winbind.so
to
auth sufficient pam_winbind.so try_first_pass
Solution 3
I have the same problem and removing:
auth sufficient pam_unix.so nullok
from /etc/pam.d/common-auth and adding:
auth sufficient pam_ldap.so use_first_pass
solved the problem :-).
Gnudiff
Updated on September 17, 2022
Comments
-
Gnudiff over 1 year
I have Ubuntu 8.04 LTS machine and Windows 2003 AD domain.
I have successfully set up that I can log in with domain username and password, using domain prefix, like "domain+username".
Upon login to machine it all works first try, however, for some reason when I try to sudo my logged in user, it asks for the password twice every time when I try sudo. It accepts the password after 2nd time, but not the first time.
Once or twice I might think I just keep entering wrong pass the first time, but this is what happens always, any ideas of what's wrong?
pam.conf is empty, pam.d/sudo only includes common-auth & common-account, and common-auth is:
auth sufficient pam_unix.so nullok_secure
auth sufficient pam_winbind.so
auth requisite pam_deny.so
auth required pam_permit.so
-
Admin over 13 years
note, that according to Samba documentation there are two similar options, which appear to do DIFFERENT things:
use_first_pass: Do not prompt the user for passwords; take them from PAM_ items instead.
try_first_pass: Try to get the password from a previous PAM module; fall back to prompting the user.
-
Gnudiff over 13 years
it appears that use_first_pass does something different? should it be try_first_pass?
-
hellomynameisjoel over 13 years
try_first_pass means try the password, and prompt if it fails. use_first_pass is more appropriate here. bugs.debian.org/cgi-bin/bugreport.cgi?bug=490210
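
Added example, not part of the original thread: a simplified Python model of the auth stack that counts password prompts, showing why the common-auth from the question asks twice and how try_first_pass / use_first_pass change that. The function names, the PROMPTING set and the "accepts" parameter (which modules know the user) are assumptions of this model, not PAM APIs.

```python
# Simplified model of a PAM auth stack (added example, not real PAM code).
# It counts how many times the user is asked for a password.
PROMPTING = {"pam_unix.so", "pam_winbind.so", "pam_ldap.so"}

def parse_stack(text):
    """Return (control, module, options) for every 'auth' line."""
    stack = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2], set(fields[3:])))
    return stack

def count_prompts(text, accepts):
    """Simulate one login, correct password typed; accepts = modules that know the user."""
    prompts, have_token, failed = 0, False, False
    for control, module, opts in parse_stack(text):
        if module == "pam_permit.so":
            ok = True
        elif module == "pam_deny.so":
            ok = False
        elif module in PROMPTING:
            ok = module in accepts
            if "use_first_pass" in opts:
                ok = ok and have_token      # never prompts; fails with no token
            elif "try_first_pass" in opts and have_token:
                if not ok:
                    prompts += 1            # stored password rejected: ask again
            else:
                prompts += 1                # no option set: always ask
                have_token = True
        else:
            continue                        # modules outside this model are skipped
        if ok and control == "sufficient" and not failed:
            return prompts, True
        if not ok and control == "requisite":
            return prompts, False
        if not ok and control == "required":
            failed = True
    return prompts, not failed

# Stack copied from the question; FIXED applies the change from Solution 2.
QUESTION = """auth sufficient pam_unix.so nullok_secure
auth sufficient pam_winbind.so
auth requisite pam_deny.so
auth required pam_permit.so"""
FIXED = QUESTION.replace("pam_winbind.so", "pam_winbind.so try_first_pass")

if __name__ == "__main__":
    print(count_prompts(QUESTION, {"pam_winbind.so"}), count_prompts(FIXED, {"pam_winbind.so"}))
```

For a domain user, pam_unix.so prompts and fails, then pam_winbind.so prompts again unless it is told to reuse the password already collected.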