I've setup an Ubuntu 10.10 LDAP Client to authenticate off my LDAP server. I've install the following:
sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds
Here's my /etc/nsswitch.conf:
passwd: files ldap [NOTFOUND=return] db
I can nss_updatedb ldap succssfully: # nss_updatedb ldap passwd... done. group... done.
I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.
However, I cannot do an id ldapuser
ex: $ id tony id: tony: No such user
Here's my auth.log:
Dec 1 21:08:17 webdev120 sshd[14765]: pam_unix(sshd:auth): check pass; user
unknown
Here's my syslog:
sshd[14648]: Libgcrypt warning: missing initialization - please fix the
application
Here's my /etc/pam.d/commoun-auth:
auth [success=4 default=ignore] pam_unix.so nullok_secure
Here's my /etc/pam.d/common-account:
# here are the per-package modules (the "Primary" block)
ID works just fine with my local users on my local machine so somehow it's not able to read the ldap users.
Any insights appreciated.
On Dec 01, 2010, at 16.37, Anton Chu wrote:
my recommendation would be to move away from libnss-ldap and libpam-ldap, and to use nss-pam-ldapd, available in ubuntu via the libnss-ldapd, libpam-ldapd and nslcd packages. it may not explicitly solve your problem, but it will likely make troubleshooting things easier. also, until you have a functioning, proper setup, remove things like nss-updatedb, libnss-db and nscd. once things are working, if you feel some degree of caching is needed, address that as an independent item.
-ben
On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
Please compare these two:
$ getent passwd |grep tony $ getent passwd tony
If the first succeeds (returns a line looking like /etc/passwd), and the second fails (returns nothing), then you probably have a negative cache from nscd. Stop nscd, and test again.
[...]
In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but one of the newer options (e.g. sssd) may be a better option.
Regards, Buchan
Ok here's what you suggested:
root@webtest111:/etc/pam.d# id tony
id: tony: No such user
root@webtest111:/etc/pam.d# getent passwd tony
I'll start a reinstall of the other packages instead of libnss-ldap and libpam-ldap.
Thanks for the tips.
Regards
On Wed, Dec 1, 2010 at 11:48 PM, Buchan Milne bgmilne@staff.telkomsa.netwrote:
On another machine, tried this howto after purging the above above packages.
http://www.opinsys.fi/en/setting-up-...u-10-04-alpha2http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
sudo apt-get install libnss-ldapd libpam-ldapd
Still the same outcome. I can ldapsearch, getent, etc. but id cannot show the ldap users.
here's my /etc/ldap.conf
cat /etc/ldap.conf | grep -v ^# | grep -v ^$ base dc=example,dc=com uri ldap://10.112.18.2 ldap_version 3 bindpw secret rootbinddn cn=admin,dc=example,dc=com bind_policy soft pam_check_host_attr yes pam_password md5 nss_base_passwd ou=People,dc=example,dc=com nss_base_shadow ou=People,dc=example,dc=com?one nss_base_group ou=Groups,dc=example,dc=com?one
On Thu, Dec 2, 2010 at 9:00 AM, Anton Chu anton.chu@telecommand.com wrote:
NSCD daemon is the culprit. Here's the error when I do id tony:
[CODE] nscd -d Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257 Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETFDPW Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257 Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETPWBYNAME (tony) Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache! Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache! Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony" Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258[/CODE]Here's my nscd.conf file:
[CODE] cat /etc/nscd.conf | grep -v ^# | grep -v ^$ debug-level 0 paranoia no enable-cache passwd yes positive-time-to-live passwd 600 negative-time-to-live passwd 20 suggested-size passwd 211 check-files passwd yes persistent passwd yes shared passwd yes max-db-size passwd 33554432 auto-propagate passwd yes enable-cache group yes positive-time-to-live group 3600 negative-time-to-live group 60 suggested-size group 211 check-files group yes persistent group yes shared group yes max-db-size group 33554432 auto-propagate group yes enable-cache hosts no positive-time-to-live hosts 3600 negative-time-to-live hosts 20 suggested-size hosts 211 check-files hosts yes persistent hosts yes shared hosts yes max-db-size hosts 33554432 enable-cache services yes positive-time-to-live services 28800 negative-time-to-live services 20 suggested-size services 211 check-files services yes persistent services yes shared services yes max-db-size services 33554432
[/CODE]
On Thu, Dec 2, 2010 at 1:15 PM, Anton Chu anton.chu@telecommand.com wrote:
Here's the latest as to why I cannot ID my ldap user. I set up hostObject attribute in my ldap server to enable host based authentication. I then added the following in /etc/ldap.conf
On the client side, simply modify /etc/pam_ldap.conf to include these lines:
pam_check_host_attr yes pam_filter |(host=client_hostname)(host=*)
I've added the host attribute to all my ldap users to login certain hosts. That's when I cannot id my ldap users.
Somehow pam is not allowing caching when this host based authentication is turned on.
On Thu, Dec 2, 2010 at 2:26 PM, Anton Chu anton.chu@telecommand.com wrote:
SOLVED: I added ldapns.schema to enable host based authentication and the users before the schema upgrade caused this caching to stop. I added a new user after the schema upgrade and all is well.
On Fri, Dec 3, 2010 at 12:58 PM, Anton Chu anton.chu@telecommand.comwrote:
openldap-technical@openldap.org
-
Anton Chu -
ben thielsen -
Buchan Milne