Have you tested that the authentication for PAM is working correctly?
Try logging in using whatever auth you are using for it and check it can
read the entries it needs. libnss-ldap and pam_ldap have different
config files. Sounds like nss is working correctly (i.e. it's showing
both users), but the auth is failing for whatever reason.

My files are:

common-password:
password        sufficient      pam_ldap.so     ignore_unknown_user
password        required        pam_unix.so     try_first_pass nullok obscure min=4 max=8 md5

common-auth:
auth    sufficient      pam_ldap.so
auth    required        pam_unix.so     use_first_pass nullok_secure

common-account:
account sufficient      pam_ldap.so
account required        pam_unix.so     use_first_pass

common-session:
session required        pam_unix.so

pam_ldap.conf:
host 127.0.0.1
base ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
ldap_version 3
binddn cn=pam,dc=jamie-thompson,dc=co,dc=uk,dc=.
bindpw <snip>
rootbinddn cn=admin,dc=jamie-thompson,dc=co,dc=uk,dc=.
timelimit 30
bind_timelimit 30
idle_timelimit 3600
pam_password crypt

libnss-ldap.conf:
host 127.0.0.1
base dc=jamie-thompson,dc=co,dc=uk,dc=.
ldap_version 3
binddn cn=nss,dc=jamie-thompson,dc=co,dc=uk,dc=.
bindpw <snip>
rootbinddn cn=admin,dc=jamie-thompson,dc=co,dc=uk,dc=.
timelimit 60
bind_timelimit 60
bind_policy hard
idle_timelimit 240
nss_base_passwd         ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_shadow         ou=Accounts,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_group          ou=Groups,dc=jamie-thompson,dc=co,dc=uk,dc=.
#nss_base_hosts         ou=Hosts,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_services       ou=Services,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_networks       ou=Networks,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_protocols      ou=Protocols,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_rpc            ou=Rpc,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_ethers         ou=Ethers,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_netmasks       ou=Networks,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_bootparams     ou=Ethers,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_aliases        ou=Aliases,dc=jamie-thompson,dc=co,dc=uk,dc=.
nss_base_netgroup       ou=Netgroup,dc=jamie-thompson,dc=co,dc=uk,dc=.

Obviously, I've trimmed these slightly, but hopefully that should help.
I use a similar config on my workstations so that they authenticate/NSS
via LDAP to the server. I suspect that although what I have works, it's
not *quite* the correct way. For one thing, I never did get round to
setting up TLS. Luckily, I trust my LAN for the time being :)

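Added example, not part of the original message: a small checker for the two points raised above, that pam_ldap and libnss-ldap are configured in separate files that can disagree, and that binds without TLS cross the network in cleartext. The sample configs, host address and function names are constructed for illustration; `ssl`, `uri`, `host`, `base` and `nss_base_passwd` are the modules' standard directives.

```python
import ipaddress

# Constructed sample configs (not the poster's files): a workstation using a remote server.
PAM_SAMPLE = "host 192.0.2.10\nbase ou=People,dc=example,dc=org\n"
NSS_SAMPLE = ("host 192.0.2.10\nbase dc=example,dc=org\n"
              "nss_base_passwd ou=Accounts,dc=example,dc=org\n")

def parse(text):
    """Parse 'key value' lines; lines starting with '#' are comments."""
    conf = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if parts and not parts[0].startswith("#"):
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # a hostname (or nothing), not an IP literal
        return host == "localhost"

def is_protected(conf):
    # 'ssl on' / 'ssl start_tls', or only ldaps:// (TLS) / ldapi:// (Unix socket) URIs.
    uris = conf.get("uri", "").lower().split()
    return conf.get("ssl", "").lower() in ("on", "start_tls") or (
        bool(uris) and all(u.startswith(("ldaps://", "ldapi://")) for u in uris))

def rdns(dn):
    # Lower-cased DN components; drops any '?scope?filter' suffix on nss_base_* values.
    return [p.strip() for p in dn.lower().split("?")[0].split(",") if p.strip()]

def audit(pam_text, nss_text):
    pam, nss = parse(pam_text), parse(nss_text)
    findings = []
    for name, conf in (("pam_ldap", pam), ("libnss-ldap", nss)):
        if not is_loopback(conf.get("host", "")) and not is_protected(conf):
            findings.append(f"{name}: bind password travels in cleartext (no ssl/ldaps)")
    for key in ("host", "uri", "ldap_version"):
        if pam.get(key) != nss.get(key):
            findings.append(f"{key} differs: pam_ldap={pam.get(key)!r}, libnss-ldap={nss.get(key)!r}")
    accounts = rdns(nss.get("nss_base_passwd", nss.get("base", "")))
    search = rdns(pam.get("base", ""))
    start = len(accounts) - len(search)
    if start < 0 or accounts[start:] != search:  # NSS can list users that PAM cannot find
        findings.append("pam_ldap base does not contain the subtree NSS reads users from")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(PAM_SAMPLE, NSS_SAMPLE)) or "no findings")
```

A base mismatch reported here matches the symptom discussed in the message: NSS lists the users, but pam_ldap searches a subtree that does not contain them.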