On 06/28/2010 12:14 PM, Dan Scott wrote:

I've just installed a new Fedora 13 client and configured it to use
FreeIPA. During ipa-client install, I received the following error:

nss_ldap is not able to use DNS discovery! However, the /etc/ldap.conf
and /etc/krb5.conf appear to be configured correctly.

I am unable to login to the machine. Here is an extract from /var/log/secure:

Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from
Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication
failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=pc35.example.com
Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error
retrieving information about user djscott
Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user
djscott from port 50502 ssh2

Here is the PAM configuration:

[r...@pc45 ~]# cat /etc/pam.d/sshd
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be
executed in the user context
session    required     pam_selinux.so open env_params
#session    optional     pam_keyinit.so force revoke
session    include      password-auth

[r...@pc45 ~]# cat /etc/pam.d/password-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid>= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid<  500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so sha512 shadow nullok
try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in
crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
[r...@pc45 ~]#

Does anyone have any suggestions for why this is not working?

Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf.

In the meantime, you might have better luck configuring sssd instead of nss-ldap for user lookups.

man sssd.conf
man sssd-ldap

Stephen Gallagher
RHCE 804006346421761

Delivering value year after year.
Red Hat ranks #1 in value among software vendors.

Freeipa-users mailing list

Reply via email to