Well, I am totally stumped by this. I have tried all sorts of things and read pages of stuff on how to do this, some provided in this series of emails and some from around the web. Last week, doing more or less what I have recorded here worked, until everything fell apart with the upgrade to 1.3.10. So here is what I found and what I did with it; if anyone can see what I have done wrong or point me in the right direction I would be very happy!!
-------------------------------------------------------------------
ldap server - Kubuntu8.04LTS server
ebox fresh install with existing dhcp server on network to give hostnames
(1.3.10)
Users and Groups set up (slave), PDC set up and working, file sharing working, ldap
listening on all interfaces
checked with slapcat:
objectclass top is dn: dc=dcmc
objectclass simpleSecurityObject is dn: cn=admin,dc=dcmc (description: ldap
administrator)
ldapsearch -h localhost -xLLL -b dc=dcmc on the server lists dc=dcmc at the
top
ou=Users,dc=dcmc is followed by all the users I have added
all have a homedirectory and sambahomepath with a login shell of
/bin/bash
ou=Groups,dc=dcmc follows with my groups and ebox system groups
ou=Computers,dc=dcmc
ou=Idmap,dc=dcmc
sambadomainname=DCMC,dc=dcmc
ou=postfix,dc=dcmc contains vdomains and mailalias
ldapsearch -h localhost -xLLL -b dc=dcmc -D "cn=ebox,dc=dcmc" -W lists the
same info as before, but does it bound with the ebox ldap password (it does not
work using cn=admin,dc=dcmc as the bind address)
these searches also work from other machines on the network not just on the
server at localhost
--------------------------------------------------------------------------------------------
The Clients
A fresh install of a virtual Kubuntu9.10 machine and a virtual Kubuntu8.04
machine
Install all updates
Install openssh-server (for login testing)
Install ldap-auth-client
enter ldap://192.168.1.7
enter dn for search base dc=dcmc
use ldap version 3
make local root database admin yes
required to log in: no (answered yes here for the 8.04 install)
(using cn=admin,dc=dcmc at these 2 points does not work, although slapcat
suggests it should, at least to me it does)
ldap root login cn=ebox,dc=dcmc
ldap root password taken from ldap.secrets (which matches the ebox file as well)
edit the file /etc/auth-client-config/profile.d/ldap-auth-config so that it contains the following
------------
[lac_ldap]
nss_passwd=passwd: files ldap
nss_group=group: files ldap
nss_shadow=shadow: files ldap
nss_netgroup=netgroup: files nis
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
#the following line (containing pam_group.so) must be placed before pam_ldap.so
#for ldap users to be placed in local groups such as fuse, plugdev, scanner, etc ...
auth required pam_group.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
account sufficient pam_ldap.so
account required pam_deny.so
pam_password=password sufficient pam_unix.so nullok md5 shadow
password sufficient pam_ldap.so use_first_pass
password required pam_deny.so
pam_session=session required pam_limits.so
session required pam_mkhomedir.so skel=/etc/skel/
session required pam_unix.so
session optional pam_ldap.so
--------------
sudo auth-client-config -a -p lac_ldap
getent passwd - lists local and ldap users
getent group - lists local and ldap groups
ssh into localhost with an ldap username - permission denied; auth.log shows
pam_ldap: error trying to bind as user "uid=peter.roots,ou=Users,dc=dcmc" (Invalid credentials)
edited /etc/ldap.conf to include a binddn and bindpw of cn=ebox,dc=dcmc with the
ebox ldap password (without the pw, getent fails)
getent passwd and group work, but ssh still fails (same as before)
rebooted and tried to log in anyway - auth.log shows this
Dec 1 15:23:40 virtual-laptop9-10 kdm: :0[1179]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=peter.roots
Dec 1 15:23:48 virtual-laptop9-10 kdm: :0[1179]: pam_unix(kdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=peter.roots
tried to su to ldap user
Dec 1 15:28:36 virtual-laptop9-10 su[1473]: pam_unix(su:auth): authentication failure; logname= uid=1000 euid=0 tty=/dev/pts/1 ruser=peter rhost= user=peter.roots
Dec 1 15:28:36 virtual-laptop9-10 su[1473]: pam_ldap: error trying to bind as user "uid=peter.roots,ou=Users,dc=dcmc" (Invalid credentials)
Dec 1 15:28:38 virtual-laptop9-10 su[1473]: pam_authenticate: Authentication failure
Dec 1 15:28:38 virtual-laptop9-10 su[1473]: FAILED su for peter.roots by peter
Dec 1 15:28:38 virtual-laptop9-10 su[1473]: - /dev/pts/1 peter:peter.roots
tried ssh again
Dec 1 15:30:32 virtual-laptop9-10 sshd[1477]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=peter.roots
Dec 1 15:30:32 virtual-laptop9-10 sshd[1477]: pam_ldap: error trying to bind as user "uid=peter.roots,ou=Users,dc=dcmc" (Invalid credentials)
Dec 1 15:30:34 virtual-laptop9-10 sshd[1477]: Failed password for peter.roots from ::1 port 38633 ssh2
Using the same ldap user as above I am able to join a Windows XP machine to the
DCMC domain and then log in to that computer without any problems (also a
virtual machine).
The server providing ldap and PDC functions is a real machine, not virtual, as
are the other 2 ebox machines on my network.
(The Kubuntu 8.04 install gave the same sort of responses and the same lack of
success.)
(Trying with ebox-desktop in Kubuntu or Ubuntu 9.10 also failed, but I did not
take detailed notes as I went along; I did use the same base set of details
for the setup, though.)
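As an added example (not part of the original post or of ebox), a small Python checker for the two things the post exercises: the ordering and options of the auth stack in the [lac_ldap] profile, and the pam_ldap bind failures recorded in auth.log. The profile and log samples below are constructed from the lines quoted in the post; the hostname in the log sample is a placeholder.

```python
import re
from collections import Counter

# Constructed samples built from the post: the pam_auth stanza of the [lac_ldap]
# profile (wrapped comment rejoined onto one line) and three auth.log records.
PROFILE = """[lac_ldap]
pam_auth=auth required pam_env.so
auth sufficient pam_unix.so likeauth nullok
#pam_group.so must precede pam_ldap.so so LDAP users land in local groups
auth required pam_group.so use_first_pass
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
pam_account=account sufficient pam_unix.so
"""
AUTH_LOG = """Dec 1 15:28:36 host su[1473]: pam_ldap: error trying to bind as user "uid=peter.roots,ou=Users,dc=dcmc" (Invalid credentials)
Dec 1 15:30:32 host sshd[1477]: pam_ldap: error trying to bind as user "uid=peter.roots,ou=Users,dc=dcmc" (Invalid credentials)
Dec 1 15:30:34 host sshd[1477]: Failed password for peter.roots from ::1 port 38633 ssh2
"""

def pam_lines(profile, stanza):
    """Return (control, module, options) for each PAM line of one stanza, e.g. 'pam_auth'."""
    current, out = None, []
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key = line.split("=", 1)[0]
        if "=" in line and key.startswith(("pam_", "nss_")):
            current, line = key, line.split("=", 1)[1]   # a new stanza starts
        if current == stanza:
            parts = line.split()
            out.append((parts[1], parts[2], parts[3:]))
    return out

def check_auth_order(profile):
    """Report pam_group.so placed after pam_ldap.so, and pam_ldap.so without
    use_first_pass (it would prompt again instead of reusing pam_unix's password)."""
    auth = pam_lines(profile, "pam_auth")
    mods = [m for _, m, _ in auth]
    problems = []
    if {"pam_group.so", "pam_ldap.so"} <= set(mods) and mods.index("pam_group.so") > mods.index("pam_ldap.so"):
        problems.append("pam_group.so listed after pam_ldap.so")
    problems += ["pam_ldap.so lacks use_first_pass" for _, m, o in auth if m == "pam_ldap.so" and "use_first_pass" not in o]
    return problems

# A pam_ldap bind failure names the service, the DN it bound as, and the server's reason.
BIND_RE = re.compile(r'(\S+)\[\d+\]: pam_ldap: error trying to bind as user "([^"]+)" \((.+)\)')

def ldap_bind_failures(log):
    """Count pam_ldap bind failures per (service, bind DN, reason) in auth.log text."""
    return Counter(BIND_RE.findall(log))
```

Because pam_ldap binds to the directory as the user's own DN with the password typed at the prompt, a counted "Invalid credentials" here means the server rejected that bind, which separates a password or ACL problem on the LDAP side from a mis-ordered PAM stack on the client.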