Stephen Gallagher wrote:
On 06/28/2010 12:14 PM, Dan Scott wrote:

I've just installed a new Fedora 13 client and configured it to use
FreeIPA. During ipa-client install, I received the following error:

nss_ldap is not able to use DNS discovery! However, the /etc/ldap.conf
and /etc/krb5.conf appear to be configured correctly.

I am unable to login to the machine. Here is an extract from /var/log/secure:

Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from
Jun 28 12:12:01 pc45 sshd[2264]: input_userauth_request: invalid user djscott
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): check pass; user unknown
Jun 28 12:12:07 pc45 sshd[2263]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser=
Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from port 50502 ssh2

Here is the PAM configuration:

[r...@pc45 ~]# cat /etc/pam.d/sshd
auth       required
auth       include      password-auth
account    required
account    include      password-auth
password   include      password-auth
# close should be the first session rule
session    required close
session    required
# open should only be followed by sessions to be executed in the user context
session    required open env_params
#session    optional force revoke
session    include      password-auth

[r...@pc45 ~]# cat /etc/pam.d/password-auth
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required
auth        sufficient nullok try_first_pass
auth        requisite uid>= 500 quiet
auth        sufficient use_first_pass
auth        required

account     required broken_shadow
account     sufficient
account     sufficient uid<  500 quiet
account     [default=bad success=ok user_unknown=ignore]
account     required

password    requisite try_first_pass retry=3
password    sufficient sha512 shadow nullok try_first_pass use_authtok
password    sufficient use_authtok
password    required

session     optional revoke
session     required
session     optional
session     [success=1 default=ignore] service in crond quiet use_uid
session     required
session     optional
[r...@pc45 ~]#

Does anyone have any suggestions for why this is not working?

Fedora 13 is using nss-ldapd, not nss_ldap anymore. Probably ipa-client needs to be updated to modify /etc/nslcd.conf instead of /etc/ldap.conf.

I have a partial patch pending that should address this in v2. I'll need to clean things up and get it backported to v1.2 (bug
In the meantime, you might have better luck configuring sssd instead of nss-ldap for user lookups.

man sssd.conf
man sssd-ldap
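As an added example (not code from the thread, ipa-client or FreeIPA): a small POSIX shell script that reads a /var/log/secure extract like the one above and tells a failed NSS lookup (sshd never resolved the account, which is what "Invalid user" plus the pam_succeed_if error indicates) apart from a rejected password for a known user, then reports which backends nsswitch.conf names for passwd and which config file that backend reads. The log lines, source addresses and nsswitch fragment are constructed; the nslcd.conf existence check is this script's own heuristic.

```shell
#!/bin/sh
# Added example, not from the thread or FreeIPA. Separates "user not found by
# NSS" from "password rejected" in an sshd log extract, and maps the passwd
# backend in nsswitch.conf to the config file that backend actually reads.

# Constructed sample lines modelled on the ones quoted above; the source
# addresses are RFC 5737 documentation addresses.
LOG=$(mktemp)
cat >"$LOG" <<'EOF'
Jun 28 12:12:01 pc45 sshd[2263]: Invalid user djscott from 192.0.2.10
Jun 28 12:12:07 pc45 sshd[2263]: pam_succeed_if(sshd:auth): error retrieving information about user djscott
Jun 28 12:12:09 pc45 sshd[2263]: Failed password for invalid user djscott from 192.0.2.10 port 50502 ssh2
Jun 28 12:15:00 pc45 sshd[2301]: Failed password for bob from 192.0.2.11 port 50510 ssh2
EOF

# Constructed nsswitch.conf fragment as ipa-client would have left it.
NSS=$(mktemp)
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' >"$NSS"

# classify_user LOGFILE USER -> lookup | password | none
classify_user() {
    if grep -q "sshd\[[0-9]*\]: Invalid user $2 from" "$1"; then
        echo lookup        # NSS never returned the account: not a credential problem
    elif grep -q "sshd\[[0-9]*\]: Failed password for $2 from" "$1"; then
        echo password      # account resolved, password rejected
    else
        echo none
    fi
}

# passwd_backends NSSWITCH -> the backends after "passwd:", e.g. "files ldap"
passwd_backends() {
    sed -n 's/^passwd:[[:space:]]*//p' "$1" | sed 's/[[:space:]]*$//'
}

# "ldap" on the passwd line is ambiguous: nss_ldap reads /etc/ldap.conf while
# nss-ldapd (nslcd) reads /etc/nslcd.conf; "sss" reads /etc/sssd/sssd.conf.
backend_config() {
    case " $(passwd_backends "$1") " in
        *" sss "*)  echo /etc/sssd/sssd.conf ;;
        *" ldap "*) if [ -f /etc/nslcd.conf ]; then echo /etc/nslcd.conf; else echo /etc/ldap.conf; fi ;;
        *)          echo none ;;
    esac
}

echo "djscott: $(classify_user "$LOG" djscott)"   # lookup
echo "bob:     $(classify_user "$LOG" bob)"       # password
echo "passwd backends: $(passwd_backends "$NSS"); check $(backend_config "$NSS")"
```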

Freeipa-users mailing list