SOLVED: I added ldapns.schema to enable host based authentication and the users before the schema upgrade caused this caching to stop. I added a new user after the schema upgrade and all is well.
On Fri, Dec 3, 2010 at 12:58 PM, Anton Chu <anton.chu@telecommand.com> wrote:
Here's the latest as to why I cannot ID my ldap user. I set up hostObject attribute in my ldap server to enable host based authentication. I then added the following in /etc/ldap.conf
On the client side, simply modify /etc/pam_ldap.conf to include these lines:
pam_check_host_attr yes
pam_filter |(host=client_hostname)(host=*)
I've added the host attribute to all my ldap users to log in to certain hosts. That's when I cannot id my ldap users.
Somehow pam is not allowing caching when this host based authentication is turned on.
On Thu, Dec 2, 2010 at 2:26 PM, Anton Chu <anton.chu@telecommand.com> wrote:
NSCD daemon is the culprit. Here's the error when I do id tony:
[CODE]
nscd -d
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETFDPW
Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETPWBYNAME (tony)
Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258
[/CODE]
Here's my nscd.conf file:
[CODE]
cat /etc/nscd.conf | grep -v ^# | grep -v ^$
debug-level 0
paranoia no
enable-cache passwd yes
positive-time-to-live passwd 600
negative-time-to-live passwd 20
suggested-size passwd 211
check-files passwd yes
persistent passwd yes
shared passwd yes
max-db-size passwd 33554432
auto-propagate passwd yes
enable-cache group yes
positive-time-to-live group 3600
negative-time-to-live group 60
suggested-size group 211
check-files group yes
persistent group yes
shared group yes
max-db-size group 33554432
auto-propagate group yes
enable-cache hosts no
positive-time-to-live hosts 3600
negative-time-to-live hosts 20
suggested-size hosts 211
check-files hosts yes
persistent hosts yes
shared hosts yes
max-db-size hosts 33554432
enable-cache services yes
positive-time-to-live services 28800
negative-time-to-live services 20
suggested-size services 211
check-files services yes
persistent services yes
shared services yes
max-db-size services 33554432
[/CODE]
On Thu, Dec 2, 2010 at 1:15 PM, Anton Chu <anton.chu@telecommand.com> wrote:
On another machine, tried this howto after purging the above packages.
http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
sudo apt-get install libnss-ldapd libpam-ldapd
Still the same outcome. I can ldapsearch, getent, etc. but id cannot show the ldap users.
Here's my /etc/ldap.conf
cat /etc/ldap.conf | grep -v ^# | grep -v ^$
base dc=example,dc=com
uri ldap://10.112.18.2
ldap_version 3
bindpw secret
rootbinddn cn=admin,dc=example,dc=com
bind_policy soft
pam_check_host_attr yes
pam_password md5
nss_base_passwd ou=People,dc=example,dc=com
nss_base_shadow ou=People,dc=example,dc=com?one
nss_base_group ou=Groups,dc=example,dc=com?one
On Thu, Dec 2, 2010 at 9:00 AM, Anton Chu <anton.chu@telecommand.com> wrote:
Ok here's what you suggested:
root@webtest111:/etc/pam.d# id tony
id: tony: No such user
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d# getent passwd | grep tony
tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# /etc/init.d/nscd stop
 - Stopping Name Service Cache Daemon nscd          [ OK ]
root@webtest111:/etc/pam.d# getent passwd | grep tony
tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
root@webtest111:/etc/pam.d# getent passwd tony
root@webtest111:/etc/pam.d#
I'll start a reinstall of the other packages instead of libnss-ldap and libpam-ldap.
Thanks for the tips.
Regards
On Wed, Dec 1, 2010 at 11:48 PM, Buchan Milne <bgmilne@staff.telkomsa.net> wrote:
On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
I've set up an Ubuntu 10.10 LDAP client to authenticate off my LDAP server.
I've installed the following:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds
Here's my /etc/nsswitch.conf:
passwd: files ldap [NOTFOUND=return] db
group: files ldap [NOTFOUND=return] db
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
I can nss_updatedb ldap successfully:
# nss_updatedb ldap
passwd... done.
group... done.
I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.
Please compare these two:
$ getent passwd | grep tony
$ getent passwd tony
If the first succeeds (returns a line looking like /etc/passwd), and the second fails (returns nothing), then you probably have a negative cache from nscd. Stop nscd, and test again.
However, I cannot do an id ldapuser
ex:
$ id tony
id: tony: No such user
[...]
ID works just fine with my local users on my local machine so somehow it's not able to read the ldap users.
Any insights appreciated.
In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but one of the newer options (e.g. sssd) may be a better option.
Regards, Buchan
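The enumeration-versus-keyed-lookup comparison Buchan describes, as an added shell example that is not part of the thread: nss_lookup_check runs both forms of getent for one user and classifies the outcome, and nscd_negative_ttl reads the negative-time-to-live for a database out of an nscd.conf like Anton's (where passwd is 20 seconds). The optional second argument to nss_lookup_check is an assumption added so a stub can stand in for getent when testing offline.

```shell
#!/bin/sh
# Diagnostic from the thread: a user that appears in `getent passwd` but
# not in `getent passwd NAME` is the signature of a stale negative entry
# in nscd's passwd cache (the lookup hit the cache, the enumeration did not).

# nss_lookup_check USER [GETENT_CMD]
# GETENT_CMD defaults to getent; a stub may be passed for offline testing
# (assumed parameter, not something getent itself knows about).
# Exit status: 0 = keyed lookup finds the user,
#              1 = enumeration finds the user but keyed lookup does not
#                  (suspect nscd negative cache: stop nscd and retest),
#              2 = user absent from NSS entirely (check nsswitch.conf / ldap).
nss_lookup_check() {
    user=$1
    getent=${2:-getent}
    # Enumerate the whole passwd database and pick the line whose first
    # colon-separated field is the user (equivalent of `getent passwd | grep`).
    enum=$("$getent" passwd | awk -F: -v u="$user" '$1 == u' || true)
    # Keyed lookup: the path that goes through nscd's per-name cache.
    keyed=$("$getent" passwd "$user" 2>/dev/null || true)
    if [ -n "$keyed" ]; then
        echo "ok: keyed lookup found $user: $keyed"
        return 0
    elif [ -n "$enum" ]; then
        echo "suspect nscd negative cache: $user enumerates but keyed lookup fails"
        echo "  enumeration returned: $enum"
        return 1
    else
        echo "not found: $user is absent from NSS entirely"
        return 2
    fi
}

# nscd_negative_ttl CONF DB
# Prints the negative-time-to-live (seconds) configured for DB in an
# nscd.conf: how long a failed lookup keeps answering "No such user".
# CONF may be "-" to read the file from standard input.
nscd_negative_ttl() {
    awk -v db="$2" '$1 == "negative-time-to-live" && $2 == db { print $3; exit }' "$1"
}
```

Run it as `nss_lookup_check tony` on the client; a status of 1 points at nscd, and `nscd_negative_ttl /etc/nscd.conf passwd` tells you how long the negative entry would otherwise linger.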