While diagnosing a server that I couldn’t SSH into using my LDAP account I ran into the below errors. I had seen it before but couldn’t remember what caused it:

Jul 30 22:12:57 serverhost sshd[2195]: SSH: Server;Ltype: Version;Remote: 172.17.22.10-43231;Protocol: 2.0;Client: OpenSSH_5.8p2 FreeBSD-20110503
Jul 30 22:12:57 serverhost sshd[2195]: SSH: Server;Ltype: Kex;Remote: 172.17.22.10-43231;Enc: aes128-ctr;MAC: hmac-md5;Comp: none [preauth]
Jul 30 22:12:59 serverhost sshd[2195]: SSH: Server;Ltype: Authname;Remote: 172.17.22.10-43231;Name: username [preauth]
Jul 30 21:57:33 serverhost sshd[1680]: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 4
Jul 30 21:57:33 serverhost sshd[1680]: fatal: Access denied for user username by PAM account configuration [preauth]

Lots of things can cause this, and googling for “_openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 4” brings up a few other causes, but in this case the issue was that the server’s hostname was set incorrectly. It was a tiny typo, but it meant the server couldn’t resolve its own hostname. Under NSS/PAM on FreeBSD that stopped it from being able to do LDAP lookups, even though ldapsearch commands worked fine.
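As an added example (not part of the original post), here is a small POSIX sh triage helper for this symptom: it counts the PAM account-management failures in sshd log output, pulls out the denied usernames, and checks whether the host can resolve its own name through NSS. It assumes getent(1) is available (it is on FreeBSD and most Linux systems); the log lines embedded in it are constructed to match the ones above.

```shell
#!/bin/sh
# Added example, not from the original post. Triage helper for the
# "pam_sm_acct_mgmt(): unexpected return value 4" symptom.
# Assumes POSIX sh and getent(1) for NSS lookups.

# Constructed sample log text resembling the sshd lines in the post.
SAMPLE_LOG='Jul 30 22:12:59 serverhost sshd[2195]: SSH: Server;Ltype: Authname;Remote: 172.17.22.10-43231;Name: username [preauth]
Jul 30 21:57:33 serverhost sshd[1680]: in _openpam_check_error_code(): pam_sm_acct_mgmt(): unexpected return value 4
Jul 30 21:57:33 serverhost sshd[1680]: fatal: Access denied for user username by PAM account configuration [preauth]'

# Count lines reporting a PAM account-management failure (log text on stdin).
# grep -c prints 0 (and exits 1) when nothing matches, so always echo a number.
count_pam_acct_failures() {
    grep -c 'pam_sm_acct_mgmt(): unexpected return value' || true
}

# Print each user denied by PAM account configuration, one per line (stdin).
denied_users() {
    sed -n 's/.*Access denied for user \([^ ]*\) by PAM account configuration.*/\1/p' | sort -u
}

# Return 0 if NAME resolves through NSS (/etc/hosts, DNS, LDAP, ...), 1 otherwise.
# Defaults to the system hostname, which is exactly the lookup that failed
# on the misconfigured server in the post.
hostname_resolves() {
    name=${1:-$(hostname)}
    getent hosts "$name" >/dev/null 2>&1
}

# Stand-alone run: report on the sample log, then check this host's own name.
main() {
    failures=$(printf '%s\n' "$SAMPLE_LOG" | count_pam_acct_failures)
    echo "PAM account-management failures in log: $failures"
    echo "Users denied by PAM account configuration:"
    printf '%s\n' "$SAMPLE_LOG" | denied_users
    if hostname_resolves; then
        echo "hostname '$(hostname)' resolves: OK"
    else
        echo "hostname '$(hostname)' does NOT resolve; check /etc/hosts and the hostname setting"
    fi
}

# Only run main when executed directly, so the functions can be sourced.
[ "${0##*/}" = "ssh_pam_triage.sh" ] && main
```

If the hostname check fails while ldapsearch still works, the post's cause (a hostname typo breaking the server's self-resolution) is the first thing to verify.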

Hopefully this saves someone else banging their head into this!
