Hello. I just yesterday finished setting up a lab with ldap and nfs for a group of amd64 machines. It seems to be working smoothly at the moment.
On Thu, Jun 23, 2005 at 05:04:48PM -0700, Matt Dunford wrote:
> On Thu, Jun 23, 2005 at 02:06:17PM -0400, Patrick Flaherty wrote:
> > I'm a bit stumped on this, but a few things you could do to humor
> > me/double check.
> >
> > check for duplicate username/group names. both in the system files and
> > in ldap.
>
> There's definitely some duplicates (tty, nobody, etc). But I'm not
> sure what will happen if I take those out, the ldap server being in
> production and all..

Is this wise? I ask, because I honestly don't know. I would assume that this is a bad idea. I would think there should be no possible duplicate user mappings. Something is bound to get confused. In general I also think that there is probably no reason whatsoever to share system user account information anyway. Each machine should handle system accounts locally. System group information seems a bit trickier, though, since system group membership information would not be shared.

I have been using getent to see what name service is reporting as all available users and groups.

> > also make sure that nscd doesn't start before your ldap daemon
> >
> > my pam ssh file looks more like
> > auth required pam_nologin.so
> > auth sufficient pam_ldap.so
> > auth sufficient pam_unix.so shadow use_first_pass
> > auth required pam_deny.so

I use the configuration recommended in the libpam-ldap README.Debian that looks like this:

    auth [success=1 default=ignore] pam_unix.so
    auth required pam_ldap.so use_first_pass
    auth required pam_permit.so

for essentially all of my common-* pam config files (the above is my common-auth). This configuration seems to work for me.

I wish I could be of more help. How do you know where it is that sshd hangs during the connection attempt?

jamie.
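Added example, not part of the original message: one way to turn the getent check discussed above into a report of names and numeric IDs that the name service returns more than once. The function names and the sample data are constructed for illustration, and it assumes getent enumeration lists entries from every source in nsswitch.conf.

```shell
#!/bin/sh
# Added example. Input: passwd- or group-format text (name:x:id:...), i.e.
# what `getent passwd` / `getent group` print. Assumption: enumeration lists
# entries from every source in nsswitch.conf (e.g. "files ldap"), so a name
# defined in both places appears twice.

# dup_names: "name id1,id2,..." for every name returned more than once.
dup_names() {
    awk -F: 'NF >= 3 && $1 !~ /^#/ {
                 count[$1]++
                 ids[$1] = (ids[$1] == "" ? $3 : ids[$1] "," $3)
             }
             END { for (n in count) if (count[n] > 1) print n, ids[n] }' | sort
}

# conflicting_names: the duplicates whose numeric IDs disagree between sources.
conflicting_names() {
    dup_names | awk '{ n = split($2, a, ",")
                       for (i = 2; i <= n; i++)
                           if (a[i] != a[1]) { print; break } }'
}

# shared_ids: "id name1,name2" for every numeric ID held by several names.
shared_ids() {
    awk -F: 'NF >= 3 && $1 !~ /^#/ && !seen[$3 SUBSEP $1]++ {
                 count[$3]++
                 names[$3] = (names[$3] == "" ? $1 : names[$3] "," $1)
             }
             END { for (i in count) if (count[i] > 1) print i, names[i] }' | sort -n
}

# Constructed sample: local entries first, then entries as an LDAP source might return them.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
nobody:x:99:99:nobody:/:/bin/false
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
EOF
}

# Demo on the sample; on a live host pipe `getent passwd` or `getent group` in instead.
sample_passwd | conflicting_names
sample_passwd | shared_ids
```

A name in the conflicting_names output resolves to a different UID or GID depending on which source answers first, which affects file ownership on shared NFS exports; shared_ids shows distinct names that own the same files.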

