Hi,
I have problems with debian etch Linux clients resolving group names served by our LDAP server. user and passwd work because I can login properly. "getent group" properly shows the group served by the LDAP server. eg: #getent group mygroup:x:1000:chris
However "id username" only shows LDAP served groupIDs but not their names. eg: #id chris uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup directoryname" gives: "chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says: passwd: files ldap group: files ldap shadow: files ldap
Any ideas?
Thanks!
In your /etc/libnss-ldap.conf do you have
pam_groupdn ou=Groups,dc=example,dc=com pam_member_attribute uniquemember nss_base_group ou=Group,dc=example,dc=com?one
set? Those have bitten me in the past. You should also check /etc/pam_ldap.conf
Pat
On Fri, 2008-02-29 at 17:43 +0000, Christian Weihrauch wrote:
Hi,
I have problems with debian etch Linux clients resolving group names served by our LDAP server. user and passwd work because I can login properly. "getent group" properly shows the group served by the LDAP server. eg: #getent group mygroup:x:1000:chris
However "id username" only shows LDAP served groupIDs but not their names. eg: #id chris uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup directoryname" gives: "chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says: passwd: files ldap group: files ldap shadow: files ldap
Any ideas?
Thanks!
Hi Pat,
On 29 Feb 2008, at 18:04, Pat Riehecky wrote:
In your /etc/libnss-ldap.conf do you have
pam_groupdn ou=Groups,dc=example,dc=com pam_member_attribute uniquemember nss_base_group ou=Group,dc=example,dc=com?one
I don't have any pam_* settings enabled. I have tried with and without nss_base_group with no luck.
set? Those have bitten me in the past. You should also check /etc/pam_ldap.conf
Here I didn't try the pam_groupdn because I didn't wan to enforce a group membership.
Thanks!
Chris
Pat
On Fri, 2008-02-29 at 17:43 +0000, Christian Weihrauch wrote:
Hi,
I have problems with debian etch Linux clients resolving group names served by our LDAP server. user and passwd work because I can login properly. "getent group" properly shows the group served by the LDAP server. eg: #getent group mygroup:x:1000:chris
However "id username" only shows LDAP served groupIDs but not their names. eg: #id chris uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup directoryname" gives: "chgrp: invalid group `mygroup'"
I am using nscd and nsswitch.conf says: passwd: files ldap group: files ldap shadow: files ldap
Any ideas?
Thanks!
On Friday 29 February 2008 19:43:30 Christian Weihrauch wrote:
Hi,
I have problems with debian etch Linux clients resolving group names served by our LDAP server. user and passwd work because I can login properly.
Do you have other clients which work correctly?
"getent group" properly shows the group served by the LDAP server. eg: #getent group mygroup:x:1000:chris
So, resolving group names actually works.
However "id username" only shows LDAP served groupIDs but not their names. eg: #id chris uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup directoryname" gives: "chgrp: invalid group `mygroup'"
I would stop nscd first, and test again.
I am using nscd and nsswitch.conf says:
(note that nsswitch doesn't have that much to do with nscd ... but nscd can make changes in nsswitch.conf take longer to apply, due to caching)
passwd: files ldap group: files ldap shadow: files ldap
I assume both the above commands (getent group, and id chris) were run as the same user, if not, you should specify if they were run as root or not in each case, as this could be a binddn/anonymous vs rootbinddn issue.
Regards, Buchan
Hi Buchan,
Buchan Milne wrote:
On Friday 29 February 2008 19:43:30 Christian Weihrauch wrote:
Hi,
I have problems with debian etch Linux clients resolving group names served by our LDAP server. user and passwd work because I can login properly.
Do you have other clients which work correctly?
No, I have 3 nodes which show the same problem. Having said that they are all debian etch with the same config.
"getent group" properly shows the group served by the LDAP server. eg: #getent group mygroup:x:1000:chris
So, resolving group names actually works.
Yes.
However "id username" only shows LDAP served groupIDs but not their names. eg: #id chris uid=1002(chris) gid=1000 groups=1000,20(dialout)
This means that I can't do things like chgrp eg: "chgroup mygroup directoryname" gives: "chgrp: invalid group `mygroup'"
I would stop nscd first, and test again.
Tried that with no luck.
I am using nscd and nsswitch.conf says:
(note that nsswitch doesn't have that much to do with nscd ... but nscd can make changes in nsswitch.conf take longer to apply, due to caching)
passwd: files ldap group: files ldap shadow: files ldap
I assume both the above commands (getent group, and id chris) were run as the same user, if not, you should specify if they were run as root or not in each case, as this could be a binddn/anonymous vs rootbinddn issue.
Makes no difference in my case root/user with/without nscd all the same outcome.
Thanks!
Chris
openldap-technical@openldap.org
-
Buchan Milne -
Christian Weihrauch -
Pat Riehecky