ldap and nsswitch.conf and maybe PAM

Post by slam_head » Fri Mar 25, 2005 9:03 pm

In debugging my samba problems I've found out that it's actually a problem with the system not reading my nsswitch.conf file. Is there a way to force a reread of the file, or is this a pam issue?

Code:

hand root # ls -la /etc/nsswitch.conf
-rw-r--r--  1 root root 515 Mar 25 15:16 /etc/nsswitch.conf

Code:

hand root # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

Code:

hand root # getent passwd ldapuser
hand root #

Post by bone » Fri Mar 25, 2005 9:31 pm

Check my thread here. I had the same issue.

http://forums.gentoo.org/viewtopic-t-31 ... ight-.html

I had to go through a ton of downgrades/upgrades to solve the issue.


jt

Post by slam_head » Mon Mar 28, 2005 3:42 pm

I read your post but I didn't have to mask any of the packages. You must have the ~x86 in your make.conf. I do think it is an issue with PAM though. Does anyone know what the appropriate settings are and which PAM files need to be adjusted?

Post by slam_head » Mon Mar 28, 2005 3:57 pm

Here's some output from /var/log/messages that might help.

Code:

Mar 28 10:55:10 hand slapd[13165]: conn=12 fd=18 ACCEPT from IP=127.0.0.1:32865 (IP=127.0.0.1:389)
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=0 BIND dn="cn=samba,ou=DSA,dc=STROZLLC,dc=COM" mech=SIMPLE ssf=0
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=1 SRCH attr=supportedControl
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=1 RESULT tag=101 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(&(objectClass=sambaSamAccount)(uid=dave))(objectClass=sambaSamAccount))"
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=3 UNBIND
Mar 28 10:55:10 hand slapd[13215]: conn=12 fd=18 closed
Mar 28 10:55:10 hand slapd[13165]: conn=13 fd=18 ACCEPT from IP=127.0.0.1:32866 (IP=127.0.0.1:389)
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=0 BIND dn="cn=samba,ou=DSA,dc=STROZLLC,dc=COM" mech=SIMPLE ssf=0
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=1 SRCH attr=supportedControl
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=1 RESULT tag=101 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(&(objectClass=sambaSamAccount)(uid=dave))(objectClass=sambaSamAccount))"
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 28 10:55:10 hand slapd[13165]: conn=13 fd=18 closed
Mar 28 10:55:22 hand slapd[13165]: conn=14 fd=18 ACCEPT from IP=127.0.0.1:32867 (IP=127.0.0.1:389)
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 BIND dn="cn=samba,ou=DSA,dc=STROZLLC,dc=COM" mech=SIMPLE ssf=0
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=1 SRCH attr=supportedControl
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=1 RESULT tag=101 err=0 text=
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(&(objectClass=sambaSamAccount)(uid=dsonenberg))(objectClass=sambaSamAccount))"
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 28 10:55:22 hand slapd[13165]: conn=15 fd=20 ACCEPT from IP=127.0.0.1:32868 (IP=127.0.0.1:389)
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=0 BIND dn="cn=nssldap,ou=DSA,dc=STROZLLC,dc=COM" method=128
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=0 RESULT tag=97 err=49 text=
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=1 UNBIND
Mar 28 10:55:22 hand slapd[13215]: conn=15 fd=20 closed
Mar 28 10:55:22 hand slapd[13165]: conn=14 fd=18 closed
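
The matching a reader has to do by eye in the log above (pairing each RESULT with its BIND or SRCH through conn and op), written out as an added example that is not part of the original thread. The log lines are constructed in the same slapd format with hypothetical example.com DNs, and the function name and finding labels are this example's own.

```python
import re

# Constructed lines in the slapd format shown above (hypothetical example.com DNs).
SAMPLE_LOG = """\
Mar 28 10:55:10 host slapd[100]: conn=12 op=0 BIND dn="cn=samba,ou=DSA,dc=example,dc=com" method=128
Mar 28 10:55:10 host slapd[100]: conn=12 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:10 host slapd[100]: conn=12 op=2 SRCH base="dc=example,dc=com" scope=2 filter="(uid=dave)"
Mar 28 10:55:10 host slapd[100]: conn=12 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 28 10:55:22 host slapd[100]: conn=15 op=0 BIND dn="cn=nssldap,ou=DSA,dc=EXAMPLE,dc=COM" method=128
Mar 28 10:55:22 host slapd[100]: conn=15 op=0 RESULT tag=97 err=49 text=
"""

LINE = re.compile(r"conn=(\d+) op=(\d+) (BIND|SRCH|RESULT|SEARCH RESULT) (.*)")

def triage(log_text):
    """Pair each slapd result with its request by (conn, op) and flag
    failed binds and searches that returned no entries."""
    pending, findings = {}, []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # ACCEPT, UNBIND, closed, ...
        conn, op, kind, rest = m.groups()
        if kind == "BIND":
            dn = re.search(r'dn="([^"]*)"', rest)
            if dn:                        # slapd prints DNs in mixed case
                pending[conn, op] = ("bind", dn.group(1).lower())
        elif kind == "SRCH":
            flt = re.search(r'filter="([^"]*)"', rest)
            if flt:                       # the "SRCH attr=" line has no filter
                pending[conn, op] = ("search", flt.group(1))
        else:
            req = pending.pop((conn, op), None)
            err = re.search(r"err=(\d+)", rest)
            if not req or not err:
                continue
            code = int(err.group(1))
            if req[0] == "bind" and code != 0:
                findings.append(("bind-failed", conn, req[1], code))
            elif req[0] == "search" and re.search(r"nentries=0\b", rest):
                findings.append(("no-entries", conn, req[1], code))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

In the posted log the same pairing singles out conn=15, where the bind as cn=nssldap ends in err=49 (LDAP invalidCredentials), and the two uid=dave searches that finish with nentries=0.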

Post by slam_head » Wed Mar 30, 2005 5:19 pm

OK, I think this is a PAM issue. It appears the system is not reading the nsswitch.conf. When I run:

Code:

hand root # getent passwd

I only get the system accounts even though I have specified

Code:

hand root # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files

Please help. This appears to be a Gentoo issue and not a Samba or LDAP one. Any ideas?

Post by Arkanjo » Fri Apr 01, 2005 1:15 am

I have Samba+Ldap working pretty good here.

OK. So let's start with some questions. Your /etc/nsswitch.conf is correct, no problems there.

Here is what I have installed:

Code:

*  net-libs/nss_ldap
      Latest version available: 226
      Latest version installed: 226
      Size of downloaded files: 207 kB
      Homepage:    http://www.padl.com/OSS/nss_ldap.html
      Description: NSS LDAP Module
      License:     LGPL-2

*  net-libs/pam_ldap
      Latest version available: 171
      Latest version installed: 171
      Size of downloaded files: 117 kB
      Homepage:    http://www.padl.com/OSS/pam_ldap.html
      Description: PAM LDAP Module
      License:     || ( GPL-2 LGPL-2 )

Next, check your /etc/ldap.conf. The file is well commented, but here are the basics:

Code:

host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=nssldap,ou=DSA,dc=example,dc=com
pam_password exop

nss_base_passwd         dc=example,dc=com?sub
nss_base_shadow         dc=example,dc=com?sub
nss_base_group           ou=Groups,dc=example,dc=com?one

Of course, you should change it to match your directory structure in LDAP.
Don't forget to put the password of nssldap in /etc/ldap.secret like this:

Code:

minho root # cat /etc/ldap.secret
nssldap_password

That's all I can remember, and here is the result:

Code:

minho root # getent passwd rnuno
rnuno:x:1000:513:LDAP User:/opt/home/rnuno:/bin/bash

Hope that helps, regards

There are 10 types of people in the world; those who understand binary, and those who don't

Post by slam_head » Fri Apr 01, 2005 3:09 pm

Thanks that helped. It looked like it was the nss_base_xxx lines. I had them set to dc=domain,dc=com?one when it should have been ?sub. Thanks again.
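
Why ?one returned nothing where ?sub worked, as an added example that is not part of the original thread: it parses an nss_base_* line and applies LDAP scope semantics to a constructed directory. The entries, the ou=Users container and the uid= test standing in for the account filter are assumptions made for illustration.

```python
import re

SCOPES = ("base", "one", "sub")

def split_dn(dn):
    """Split a DN into lower-cased RDNs, honouring backslash-escaped commas."""
    return [p.strip().lower() for p in re.split(r"(?<!\\),", dn) if p.strip()]

def parse_nss_base(line):
    """Parse 'nss_base_<map> <base dn>?<scope>' as written in /etc/ldap.conf."""
    key, value = line.split(None, 1)
    fields = value.strip().split("?")
    if len(fields) < 2 or fields[1] not in SCOPES:
        raise ValueError(f"{key}: scope must be one of {SCOPES}")
    return key, fields[0], fields[1]

def in_scope(entry_dn, base_dn, scope):
    """base = the base entry only, one = its direct children, sub = whole subtree."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False              # entry is not at or under the search base
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def visible_accounts(directory, nss_line):
    """Entries an nss_base_passwd lookup can reach. The 'uid=' test is a
    simplified stand-in for the account filter the NSS module sends."""
    _, base, scope = parse_nss_base(nss_line)
    return [dn for dn in directory
            if dn.lower().startswith("uid=") and in_scope(dn, base, scope)]

# Constructed directory; the ou=Users and ou=DSA placement is an assumption.
DIRECTORY = [
    "dc=example,dc=com",
    "ou=Users,dc=example,dc=com",
    "uid=rnuno,ou=Users,dc=example,dc=com",
    "cn=nssldap,ou=DSA,dc=example,dc=com",
]

if __name__ == "__main__":
    for line in ("nss_base_passwd dc=example,dc=com?one",
                 "nss_base_passwd dc=example,dc=com?sub",
                 "nss_base_passwd ou=Users,dc=example,dc=com?one"):
        print(line, "->", visible_accounts(DIRECTORY, line))
```

With the base at the directory root, ?one reaches only the containers one level down, so no account entry is returned; ?sub, or a base set to the container that actually holds the accounts, reaches them.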