I have set up a debian sarge ldap+samba server and for the most part it is working well. All the windows clients work fine (so far), just the problem arises when users logging into linux machines try to change their password.

All users can log in to the client with username/passwords stored on the ldap master. When logged into the master and changing passwords with passwd, it works fine. When I try (as root) to change the password for any user accounts that are in the ldap db from a client, I keep getting

passwd: Authentication service cannot retrieve authentication info.

I'm thinking it's a pam issue but I'm not too sure. I have installed the libnss and pam_ldap libraries, and thought I configured pam correctly (ldap users can log in).

Here is my libnss-ldap.conf which is symlinked to pam_ldap.conf as well (domain/ip info x'd out) and also some log snippets when it works and when it doesn't

Thanks
Ryan

######################### /etc/libnss-ldap.conf ########################
base ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx
uri ldap://ldap.xxx.xx.xx.xx/
ldap_version 3
binddn cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx
bindpw ldap
rootbinddn cn=root,dc=xxx,dc=xx,dc=xx,dc=xx
nss_base_passwd ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx
nss_base_group ou=Groups,dc=xxx,dc=xx,dc=xx,dc=xx
nss_base_shadow ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx
TLS_CACERT /etc/ldap/certs/cacert.pem
ssl start_tls
#ssl no
#######################################################################
scope sub
pam_password md5
pam_filter objectclass=posixAccount
# search all entries where the object class equals posixAccount
pam_login_attribute uid
# the username is stored in the attribute uid

Here is an example of changing the password locally on the master

ldap:/var/log# id ryan.braun
uid=1009(ryan.braun) gid=513(Domain Users) groups=513(Domain Users)
ldap:/var/log# su ryan.braun
I have no [EMAIL PROTECTED]:/var/log$ passwd
Enter login(LDAP) password:
New password:
Re-enter new password:
LDAP password information changed for ryan.braun
passwd: password updated successfully

slapd.log

Jul 26 18:14:16 ldap slapd[3856]: conn=38 fd=21 ACCEPT from IP=192.xx.xxx.xx:33360 (IP=0.0.0.0:389)
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 RESULT tag=97 err=0 text=
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND anonymous mech=implicit ssf=0
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 RESULT tag=97 err=0 text=
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND anonymous mech=implicit ssf=0
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:14:18 ldap slapd[3858]: conn=38 op=4 RESULT tag=97 err=0 text=
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD attr=userPassword
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 RESULT tag=103 err=0 text=
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 MOD dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 MOD attr=shadowLastChange
Jul 26 18:14:22 ldap slapd[3858]: conn=38 op=6 RESULT tag=103 err=0 text=
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=7 UNBIND
Jul 26 18:14:22 ldap slapd[3859]: conn=38 fd=21 closed
Jul 26 18:14:22 ldap slapd[3856]: conn=37 fd=20 closed
Jul 26 18:14:31 ldap slapd[3858]: conn=36 op=3 UNBIND
Jul 26 18:14:31 ldap slapd[3858]: conn=36 fd=18 closed
Jul 26 18:14:31 ldap slapd[3856]: conn=35 fd=13 closed

And when it fails

ldapclient:~# passwd ryan.braun
passwd: Authentication service cannot retrieve authentication info.

and slapd.log

Jul 26 18:10:34 ldap slapd[3856]: conn=33 fd=13 ACCEPT from IP=192.xx.xxx.xx:34213 (IP=0.0.0.0:389)
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 BIND dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 BIND dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" mech=SIMPLE ssf=0
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 RESULT tag=97 err=0 text=
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=shadowAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 ENTRY dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jul 26 18:10:34 ldap slapd[3856]: conn=33 fd=13 closed
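
Added example, not part of Ryan's post: a small Python parser that groups the slapd.log lines quoted above by connection, so the working and the failing session can be compared by bind DN, operation type and attributes touched. The log lines are a subset copied from the post; `summarize` and its field names are this example's own.

```python
import re
from collections import defaultdict

# Subset of the slapd.log lines quoted in the post (conn=38 works, conn=33 fails).
SAMPLE_LOG = """\
Jul 26 18:14:16 ldap slapd[3859]: conn=38 op=1 BIND dn="cn=root,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:16 ldap slapd[3858]: conn=38 op=2 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:14:18 ldap slapd[3859]: conn=38 op=3 BIND dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD dn="uid=ryan.braun,ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx"
Jul 26 18:14:22 ldap slapd[3859]: conn=38 op=5 MOD attr=userPassword
Jul 26 18:10:34 ldap slapd[3859]: conn=33 op=0 BIND dn="cn=nss,ou=Admins,dc=xxx,dc=xx,dc=xx,dc=xx" method=128
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=1 SRCH base="ou=Users,dc=xxx,dc=xx,dc=xx,dc=xx" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=ryan.braun))"
Jul 26 18:10:34 ldap slapd[3858]: conn=33 op=3 SRCH attr=uid userPassword shadowLastChange shadowMax shadowMin shadowWarning shadowInactive shadowExpire shadowFlag
Jul 26 18:10:34 ldap slapd[3856]: conn=33 fd=13 closed
"""

OP_RE = re.compile(r'conn=(\d+) op=\d+ (BIND|SRCH|MOD|UNBIND)\b(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ATTR_RE = re.compile(r'\battr=(.+)$')

def summarize(log_text):
    """Per connection: bind DNs in order, operation types, attributes read or modified."""
    conns = defaultdict(lambda: {"binds": [], "ops": [], "mod_attrs": [], "read_attrs": set()})
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue  # ACCEPT, closed, ENTRY and RESULT lines are not operations
        conn, verb, rest = m.groups()
        c = conns[int(conn)]
        if verb not in c["ops"]:
            c["ops"].append(verb)
        dn, attr = DN_RE.search(rest), ATTR_RE.search(rest)
        if verb == "BIND" and dn and dn.group(1) not in c["binds"]:
            c["binds"].append(dn.group(1))
        elif verb == "MOD" and attr:
            c["mod_attrs"].append(attr.group(1))
        elif verb == "SRCH" and attr:
            c["read_attrs"].update(attr.group(1).split())
    return dict(conns)

if __name__ == "__main__":
    for conn, info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"conn={conn} binds={info['binds']} ops={info['ops']} "
              f"modified={info['mod_attrs']} read={sorted(info['read_attrs'])}")
```

On the quoted logs, conn=38 binds as cn=root and as the user and issues MOD on userPassword, while conn=33 binds only as cn=nss and issues only SRCH, with userPassword among the requested attributes.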

