Guys, I need another set of eyes on this one... I know it is something simple (probably even obvious), but I can't for the life of me see it now. I'm building a test server (on an LFS-6.6 host) to place all users in LDAP (eventually a similar config will remove the necessity of the flat files). For some reason, pam_ldap is not authenticating correctly, and I just can't see it. All passwords are 'password', just FYI (it is only a test server for POC, so no worries about posting passwords). I've wiped everything about 10 times now and started fresh yet again.
I've populated the directory using the IdealX smbldap tools. No Kerberos or TLS to worry about for now. Samba is working correctly, as are LDAP binds using "-x -D uid=root,ou=Users,dc=lucasit,dc=local -W" and supplying the password 'password'. Samba config files are not listed here, but the rest of the directory information is, including a full LDIF. What I'm actually seeing upon login is that the password is prompted for twice, once for the normal password and once again for LDAP, which shouldn't be happening because of the try_first_pass parameter to pam_ldap.so. Authentication is actually failing because it is a sufficient directive, not required, but the root user can still log in using files. I was thinking that it might be related to the sasldb support in OpenLDAP, but I don't think so, as the login errors when set to required do not mention SASL bind (as the OpenLDAP tools do when the simple-bind switch (-x) is omitted). Below are the files necessary to make it all work (I think), separated by star characters; additional info is available upon request.

TIA
-- DJ

PS - Yes, I'm competing for the "Useless Use of cat" award!
*********************************************************************
r...@anu:~ $ cat /etc/pam.d/login
# Begin /etc/pam.d/login

auth      requisite   pam_nologin.so
auth      required    pam_securetty.so
auth      required    pam_unix.so
auth      sufficient  pam_ldap.so try_first_pass

account   required    pam_access.so
account   required    pam_unix.so
account   sufficient  pam_ldap.so

session   required    pam_env.so
session   required    pam_motd.so
session   required    pam_limits.so
session   optional    pam_mail.so dir=/var/mail standard
session   optional    pam_lastlog.so
session   required    pam_unix.so
session   sufficient  pam_ldap.so

password  required    pam_cracklib.so retry=3
password  required    pam_unix.so md5 shadow use_authtok
password  sufficient  pam_ldap.so try_first_pass

# End /etc/pam.d/login
*********************************************************************
r...@anu:~ $ cat /etc/nsswitch.conf
# Begin /etc/nsswitch.conf

passwd: ldap files
group: ldap files
shadow: ldap files

hosts: files dns
networks: files

protocols: files
services: files
ethers: files
rpc: files

# End /etc/nsswitch.conf
*********************************************************************
r...@anu:~ $ cat /etc/ldap.conf
BASE dc=lucasit,dc=local
HOST ldap://127.0.0.1
pam_crypt local
*********************************************************************
r...@anu:~ $ cat /etc/openldap/ldap.conf
base dc=lucasit,dc=local
uri ldap://anu.lucasit.local
bind_policy soft
bind_timelimit 10
host localhost
idle_timelimit 3600
ldap_version 3
nss_base_group ou=Groups,dc=lucasit,dc=local?one
nss_base_passwd ou=Users,dc=lucasit,dc=local?one
nss_base_passwd ou=Computers,dc=lucasit,dc=local?one
nss_base_shadow ou=Users,dc=lucasit,dc=local?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
port 389
scope one
timelimit 30
*********************************************************************
r...@anu:~ $ cat /etc/nss_ldap.conf
base dc=lucasit,dc=local
uri ldap://anu.lucasit.local
bind_policy soft
bind_timelimit 10
host localhost
idle_timelimit 3600
ldap_version 3
nss_base_group ou=Groups,dc=lucasit,dc=local?one
nss_base_passwd ou=Users,dc=lucasit,dc=local?one
nss_base_passwd ou=Computers,dc=lucasit,dc=local?one
nss_base_shadow ou=Users,dc=lucasit,dc=local?one
nss_connect_policy persist
nss_paged_results yes
pagesize 1000
port 389
scope one
timelimit 30
*********************************************************************
r...@anu:~ $ cat /etc/openldap/slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/samba.schema

# Define global ACLs to disable default read access.

#### Note, these ACLs were temporarily commented out so I could show
#### the passwords in the ldapsearch output below, which I just
#### realized are incorrect, but are of no importance to the
#### current issue with pam_ldap.

#access to attrs=sambaLMPassword
#        by self write
#        by anonymous auth
#        by dn.base="cn=root,dc=lucasit,dc=local" write
#        by * none
#access to attrs=sambaNTPassword
#        by self write
#        by anonymous auth
#        by dn.base="cn=root,dc=lucasit,dc=local" write
#        by * none
#access to attrs=userPassword
#        by self write
#        by anonymous auth
#        by dn.base="cn=root,dc=lucasit,dc=local" write
#        by * none
#access to *
#        by self write
#        by dn.base="cn=root,dc=lucasit,dc=local" write
#        by users read

# Set loglevel to 256...good logs on local4 facility
#loglevel 256

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /srv/ldap/run/slapd.pid
argsfile /srv/ldap/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_hdb.la
# moduleload back_ldap.la

#######################################################################
# BDB database definitions
#######################################################################

database bdb
suffix "dc=lucasit,dc=local"
rootdn "cn=Manager,dc=lucasit,dc=local"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw {SSHA}8y3KylLSw4G/EZx+0sDcsrbHVvHWW7ds
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /srv/ldap/openldap-data
# Indices to maintain
index objectClass eq
index cn pres,sub,eq
index sn pres,sub,eq
index uid pres,sub,eq
index displayName pres,sub,eq
index uidNumber eq
index gidNumber eq
index memberUID eq,subinitial
index mail eq,subinitial
index givenname eq,subinitial
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq
index default sub
*********************************************************************
r...@anu:~ $ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <dc=lucasit,dc=local> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# lucasit.local
dn: dc=lucasit,dc=local
objectClass: dcObject
objectClass: organization
o: lucasit
dc: lucasit

# Users, lucasit.local
dn: ou=Users,dc=lucasit,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Users

# Groups, lucasit.local
dn: ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Groups

# Computers, lucasit.local
dn: ou=Computers,dc=lucasit,dc=local
objectClass: top
objectClass: organizationalUnit
ou: Computers

# root, Users, lucasit.local
dn: uid=root,ou=Users,dc=lucasit,dc=local
cn: root
sn: root
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 0
uid: root
uidNumber: 0
homeDirectory: /home/root
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaHomePath: \\anu\root
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1997694480-2877811493-4162974799-512
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-500
loginShell: /bin/bash
gecos: Netbios Domain Administrator
mail: [email protected]
mail: [email protected]
mail: [email protected]
mail: [email protected]
mail: [email protected]
mail: [email protected]
sambaLMPassword: E52CAC67419A9A224A3B108F3FA6CB6D
sambaAcctFlags: [U]
sambaNTPassword: 8846F7EAEE8FB117AD06BDD830B7586C
sambaPwdLastSet: 1276580302
sambaPwdMustChange: 87676580302
userPassword:: e1NTSEF9ZW84M2s0RkNRcGpwQ0lNd3dWVkJNbWhaN1NCQ2R6VmE=

# nobody, Users, lucasit.local
dn: uid=nobody,ou=Users,dc=lucasit,dc=local
cn: nobody
sn: nobody
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: sambaSamAccount
objectClass: posixAccount
objectClass: shadowAccount
gidNumber: 99
uid: nobody
uidNumber: 99
homeDirectory: /dev/null
sambaPwdLastSet: 0
sambaLogonTime: 0
sambaLogoffTime: 2147483647
sambaKickoffTime: 2147483647
sambaPwdCanChange: 0
sambaPwdMustChange: 2147483647
sambaHomePath: \\anu\nobody
sambaHomeDrive: H:
sambaPrimaryGroupSID: S-1-5-21-1997694480-2877811493-4162974799-514
sambaLMPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: NO PASSWORDXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [NUD ]
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-2998
loginShell: /bin/bash

# Domain Admins, Groups, lucasit.local
dn: cn=Domain Admins,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 512
cn: Domain Admins
memberUid: root
description: Netbios Domain Administrators
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-512
sambaGroupType: 2
displayName: Domain Admins

# Domain Users, Groups, lucasit.local
dn: cn=Domain Users,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 513
cn: Domain Users
description: Netbios Domain Users
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-513
sambaGroupType: 2
displayName: Domain Users

# Domain Guests, Groups, lucasit.local
dn: cn=Domain Guests,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 514
cn: Domain Guests
description: Netbios Domain Guests Users
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-514
sambaGroupType: 2
displayName: Domain Guests

# Domain Computers, Groups, lucasit.local
dn: cn=Domain Computers,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 515
cn: Domain Computers
description: Netbios Domain Computers accounts
sambaSID: S-1-5-21-1997694480-2877811493-4162974799-515
sambaGroupType: 2
displayName: Domain Computers

# Administrators, Groups, lucasit.local
dn: cn=Administrators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 544
cn: Administrators
description: Netbios Domain Members can fully administer the computer/sambaDomainName
sambaSID: S-1-5-32-544
sambaGroupType: 5
displayName: Administrators

# Account Operators, Groups, lucasit.local
dn: cn=Account Operators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 548
cn: Account Operators
description: Netbios Domain Users to manipulate users accounts
sambaSID: S-1-5-32-548
sambaGroupType: 5
displayName: Account Operators

# Print Operators, Groups, lucasit.local
dn: cn=Print Operators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 550
cn: Print Operators
description: Netbios Domain Print Operators
sambaSID: S-1-5-32-550
sambaGroupType: 5
displayName: Print Operators

# Backup Operators, Groups, lucasit.local
dn: cn=Backup Operators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 551
cn: Backup Operators
description: Netbios Domain Members can bypass file security to back up files
sambaSID: S-1-5-32-551
sambaGroupType: 5
displayName: Backup Operators

# Replicators, Groups, lucasit.local
dn: cn=Replicators,ou=Groups,dc=lucasit,dc=local
objectClass: top
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 552
cn: Replicators
description: Netbios Domain Supports file replication in a sambaDomainName
sambaSID: S-1-5-32-552
sambaGroupType: 5
displayName: Replicators

# LUCASIT, lucasit.local
dn: sambaDomainName=LUCASIT,dc=lucasit,dc=local
objectClass: top
objectClass: sambaDomain
objectClass: sambaUnixIdPool
sambaDomainName: LUCASIT
sambaSID: S-1-5-21-1997694480-2877811493-4162974799
uidNumber: 10000
gidNumber: 10000
sambaPwdHistoryLength: 0
sambaMaxPwdAge: -1

# search result
search: 2
result: 0 Success

# numResponses: 17
# numEntries: 16

--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
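The behaviour DJ describes (root gets in through the files, the LDAP side never rescues a login, and the posted stack has `auth required pam_unix.so` ahead of `auth sufficient pam_ldap.so`) comes down to how Linux-PAM combines control flags. The script below is an added example for this thread, not code from the post or from Linux-PAM: it parses the posted auth stack and walks it with the control-flag rules from pam.conf(5), with each module's success/failure supplied by the caller instead of a real module call. The account 'alice', the assumption that pam_unix rejects an account whose password exists only in LDAP, and the reordered stack ending in `required pam_deny.so` are hypothetical and are not in the original post. It does not model the double password prompt, which depends on pam_ldap's try_first_pass handling rather than on control flags.

```python
"""Walk an /etc/pam.d 'auth' stack the way Linux-PAM's dispatcher does.

Added example, not code from the post or from Linux-PAM.  It applies the
control-flag rules documented in pam.conf(5) (requisite, required,
sufficient, optional) to the poster's own stack.  Module outcomes are
supplied by the caller; no PAM module is actually called.
"""

# The 'auth' lines of the poster's /etc/pam.d/login.
LOGIN_AUTH_ORIGINAL = """\
auth      requisite   pam_nologin.so
auth      required    pam_securetty.so
auth      required    pam_unix.so
auth      sufficient  pam_ldap.so try_first_pass
"""

# Hypothetical alternative (not from the post): both password sources are
# 'sufficient', and a trailing 'required pam_deny.so' fails closed when
# neither of them accepts the password.
LOGIN_AUTH_REORDERED = """\
auth      requisite   pam_nologin.so
auth      required    pam_securetty.so
auth      sufficient  pam_unix.so
auth      sufficient  pam_ldap.so use_first_pass
auth      required    pam_deny.so
"""

CONTROLS = ("requisite", "required", "sufficient", "optional")


def parse_stack(text, service_type="auth"):
    """Return [(control, module, options)] for one type in a pam.d file."""
    stack = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] != service_type:
            continue
        control, module, options = fields[1], fields[2], fields[3:]
        if control not in CONTROLS:
            raise ValueError(f"control not modelled here: {control}")
        stack.append((control, module, options))
    return stack


def evaluate(stack, outcomes):
    """Apply the pam.conf(5) control semantics to per-module outcomes.

    outcomes maps module name -> True (PAM_SUCCESS) or False (any error).
    Returns (authenticated, reason).
    """
    required_failed = None  # first 'required' module that failed, if any
    succeeded = False       # some non-ignored module returned success
    for control, module, _options in stack:
        ok = outcomes[module]
        if control == "requisite":
            if not ok:
                # requisite failure returns to the application at once
                return False, f"{module} (requisite) failed; stack aborted"
            succeeded = True
        elif control == "required":
            if ok:
                succeeded = True
            elif required_failed is None:
                # failure is remembered, but the later modules still run so
                # the caller cannot tell which module rejected it
                required_failed = module
        elif control == "sufficient":
            if ok and required_failed is None:
                # success short-circuits the rest of the stack
                return True, f"{module} (sufficient) succeeded; rest skipped"
            # sufficient failure is ignored; sufficient success after an
            # earlier required failure is ignored too
        elif control == "optional" and len(stack) == 1:
            return ok, f"{module} (optional) is the only module"
    if required_failed is not None:
        return False, f"{required_failed} (required) failed earlier"
    return succeeded, "end of stack"


# Constructed outcomes.  /etc/nologin is absent and the tty is listed in
# /etc/securetty, so those two modules succeed for everyone.  root is in
# /etc/shadow and in LDAP; 'alice' (hypothetical) exists only in LDAP and
# is rejected by pam_unix; 'alice-badpw' is alice with the wrong password.
OUTCOMES = {
    "root": {"pam_nologin.so": True, "pam_securetty.so": True,
             "pam_unix.so": True, "pam_ldap.so": True, "pam_deny.so": False},
    "alice": {"pam_nologin.so": True, "pam_securetty.so": True,
              "pam_unix.so": False, "pam_ldap.so": True, "pam_deny.so": False},
    "alice-badpw": {"pam_nologin.so": True, "pam_securetty.so": True,
                    "pam_unix.so": False, "pam_ldap.so": False,
                    "pam_deny.so": False},
}


def login_allowed(stack_text, who):
    """True if the given pam.d text lets 'who' through the auth stack."""
    return evaluate(parse_stack(stack_text), OUTCOMES[who])[0]


if __name__ == "__main__":
    for name, text in (("original", LOGIN_AUTH_ORIGINAL),
                       ("reordered", LOGIN_AUTH_REORDERED)):
        for who in OUTCOMES:
            ok, why = evaluate(parse_stack(text), OUTCOMES[who])
            print(f"{name:9} {who:12} {'ALLOW' if ok else 'DENY':5}  {why}")
```

Running it prints one ALLOW/DENY line per stack and account. The thing to take from it: a `sufficient` module placed after a `required` one can never rescue a login the required module rejected, so with the posted order a files-only root still gets in while an account pam_unix cannot verify is denied no matter what pam_ldap says. The reordered stack lets either source accept the password but ends in `required pam_deny.so`, so it still fails closed when every sufficient module declines rather than falling through to an empty result.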
