NSCD daemon is the culprit. Here's the error when I do id tony:

[CODE]
nscd -d
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248:     GETFDPW
Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
Thu 02 Dec 2010 02:18:18 PM PST - 14248:     GETPWBYNAME (tony)
Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258
[/CODE]

Here's my nscd.conf file:

[CODE]
cat /etc/nscd.conf | grep -v ^# | grep -v ^$
    debug-level        0
    paranoia        no
    enable-cache        passwd        yes
    positive-time-to-live    passwd        600
    negative-time-to-live    passwd        20
    suggested-size        passwd        211
    check-files        passwd        yes
    persistent        passwd        yes
    shared            passwd        yes
    max-db-size        passwd        33554432
    auto-propagate        passwd        yes
    enable-cache        group        yes
    positive-time-to-live    group        3600
    negative-time-to-live    group        60
    suggested-size        group        211
    check-files        group        yes
    persistent        group        yes
    shared            group        yes
    max-db-size        group        33554432
    auto-propagate        group        yes
    enable-cache        hosts        no
    positive-time-to-live    hosts        3600
    negative-time-to-live    hosts        20
    suggested-size        hosts        211
    check-files        hosts        yes
    persistent        hosts        yes
    shared            hosts        yes
    max-db-size        hosts        33554432
    enable-cache        services    yes
    positive-time-to-live    services    28800
    negative-time-to-live    services    20
    suggested-size        services    211
    check-files        services    yes
    persistent        services    yes
    shared            services    yes
    max-db-size        services    33554432

[/CODE]

On Thu, Dec 2, 2010 at 1:15 PM, Anton Chu <[email protected]> wrote:

> On another machine, tried this howto after purging the above above
> packages.
>
> http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
>
> sudo apt-get install libnss-ldapd libpam-ldapd
>
> Still the same outcome. I can ldapsearch, getent, etc. but id cannot show
> the ldap users.
>
> here's my /etc/ldap.conf
>
> cat /etc/ldap.conf | grep -v ^# | grep -v ^$
> base dc=example,dc=com
> uri ldap://10.112.18.2
> ldap_version 3
> bindpw secret
> rootbinddn cn=admin,dc=example,dc=com
> bind_policy soft
>
> pam_check_host_attr yes
> pam_password md5
> nss_base_passwd        ou=People,dc=example,dc=com
> nss_base_shadow        ou=People,dc=example,dc=com?one
> nss_base_group        ou=Groups,dc=example,dc=com?one
>
>
>
>
> On Thu, Dec 2, 2010 at 9:00 AM, Anton Chu <[email protected]> wrote:
>
>> Ok here's what you suggested:
>>
>> r...@webtest111:/etc/pam.d# id tony
>> id: tony: No such user
>> r...@webtest111:/etc/pam.d# getent passwd tony
>> r...@webtest111:/etc/pam.d# getent passwd | grep tony
>> tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
>> r...@webtest111:/etc/pam.d# /etc/init.d/nscd stop
>>  * Stopping Name Service Cache Daemon nscd
>> [ OK ]
>> r...@webtest111:/etc/pam.d# getent passwd | grep tony
>> tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
>> r...@webtest111:/etc/pam.d# getent passwd tony
>> r...@webtest111:/etc/pam.d#
>>
>> I'll start a reinstall of the other packages instead of libnss-ldap and
>> libpam-ldap.
>>
>> Thanks for the tips.
>>
>> Regards
>>
>>
>> On Wed, Dec 1, 2010 at 11:48 PM, Buchan Milne <[email protected]> wrote:
>>
>>> On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
>>> > I've set up an Ubuntu 10.10 LDAP client to authenticate off my LDAP server.
>>> > I've install the following:
>>> >
>>> > sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db
>>> > nscd ldap-utils pam_ccreds
>>> >
>>> > Here's my /etc/nsswitch.conf:
>>> >
>>> > passwd: files ldap [NOTFOUND=return] db
>>> > group: files ldap [NOTFOUND=return] db
>>> > shadow: files ldap
>>> > hosts: files dns
>>> > networks: files
>>> > protocols: db files
>>> > services: db files
>>> > ethers: db files
>>> > rpc: db files
>>> >
>>> > I can nss_updatedb ldap successfully:
>>> > # nss_updatedb ldap
>>> > passwd... done.
>>> > group... done.
>>> >
>>> > I can getent passwd, getent passwd shadow, getent group just fine and
>>> > they all show all my ldap users.
>>>
>>> Please compare these two:
>>>
>>> $ getent passwd |grep tony
>>> $ getent passwd tony
>>>
>>> If the first succeeds (returns a line looking like /etc/passwd), and the
>>> second fails (returns nothing), then you probably have a negative cache from
>>> nscd. Stop nscd, and test again.
>>>
>>> > However, I cannot do an id ldapuser
>>> >
>>> > ex:
>>> > $ id tony
>>> > id: tony: No such user
>>>
>>> [...]
>>>
>>> > ID works just fine with my local users on my local machine so somehow
>>> > it's not able to read the ldap users.
>>> >
>>> > Any insights appreciated.
>>>
>>> In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but one of
>>> the newer options (e.g. sssd) may be a better option.
>>>
>>> Regards,
>>> Buchan
>>>
>>
>>
>
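Buchan's two-command check (enumeration via `getent passwd | grep`, keyed lookup via `getent passwd tony`) and the `negative-time-to-live` line from Anton's nscd.conf, turned into a small diagnostic. This is an added example, not code from the thread or from nscd. The function names, the `--demo` switch and the sample data are mine; the sample conf excerpt and the two sample outputs are constructed to match what was posted above.

```shell
#!/bin/sh
# Added example, not code from the thread. The classifier and the nscd.conf
# parser take their input as arguments so they run offline on constructed
# data; check_user runs the real commands on the current host.

# Constructed excerpt in the shape of Anton's nscd.conf (values as posted).
SAMPLE_CONF='    enable-cache        passwd        yes
    positive-time-to-live    passwd        600
    negative-time-to-live    passwd        20
    enable-cache        group        yes
    negative-time-to-live    group        60
    enable-cache        hosts        no'

# Constructed sample: the two outputs Anton pasted for "tony".
SAMPLE_ENUM='tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash'
SAMPLE_DIRECT=''

# classify_lookup ENUM_OUT DIRECT_OUT NSCD_STATE
#   ENUM_OUT   : output of  getent passwd | grep "^$user:"  (enumeration, getpwent)
#   DIRECT_OUT : output of  getent passwd "$user"           (keyed lookup, getpwnam)
#   NSCD_STATE : "running" or "stopped"
# Enumeration and keyed lookup are separate NSS calls, so a backend can
# answer one and not the other. Prints a single verdict token.
classify_lookup() {
    enum_out=$1; direct_out=$2; nscd_state=$3
    if [ -n "$enum_out" ] && [ -n "$direct_out" ]; then
        echo ok
    elif [ -n "$enum_out" ] && [ "$nscd_state" = running ]; then
        # The signature Buchan describes: the keyed lookup is answered from a
        # cached "no such user" entry that enumeration does not consult.
        echo suspect-nscd-negative-cache
    elif [ -n "$enum_out" ]; then
        # Same symptom with nscd stopped (as in Anton's transcript after
        # /etc/init.d/nscd stop): the NSS backend itself is not resolving the
        # keyed lookup, so nsswitch order / nss_ldap bases are the next thing to check.
        echo backend-keyed-lookup-fails
    elif [ -z "$direct_out" ]; then
        echo absent
    else
        echo keyed-only
    fi
}

# negative_ttl CONF_TEXT DB : the negative-time-to-live (seconds) for which nscd
# keeps a failed lookup in database DB, or "unset" if no such line exists.
negative_ttl() {
    printf '%s\n' "$1" | grep -v '^[[:space:]]*#' \
        | awk -v db="$2" '$1 == "negative-time-to-live" && $2 == db { print $3; found = 1 }
                          END { if (!found) print "unset" }'
}

# nscd_state : "running" if an nscd process exists on this host, else "stopped".
nscd_state() {
    if command -v pgrep >/dev/null 2>&1 && pgrep -x nscd >/dev/null 2>&1; then
        echo running
    else
        echo stopped
    fi
}

# check_user USER : run Buchan's two commands on this host and classify the result.
check_user() {
    user=$1
    enum_out=$(getent passwd | grep "^$user:" || true)
    direct_out=$(getent passwd "$user" || true)
    classify_lookup "$enum_out" "$direct_out" "$(nscd_state)"
}

# Offline demo over the constructed samples:  sh nscd_check.sh --demo
# Live check on this host:                    sh nscd_check.sh tony
case "${1:-}" in
    --demo)
        echo "nscd running: $(classify_lookup "$SAMPLE_ENUM" "$SAMPLE_DIRECT" running)"
        echo "nscd stopped: $(classify_lookup "$SAMPLE_ENUM" "$SAMPLE_DIRECT" stopped)"
        echo "passwd negative TTL: $(negative_ttl "$SAMPLE_CONF" passwd)s"
        ;;
    "") ;;
    *)  check_user "$1" ;;
esac
```

With Anton's `negative-time-to-live passwd 20`, a cached miss for a user lingers for at most 20 seconds, which is why the `remove GETPWBYNAME entry "tony"` line shows up in the `nscd -d` output above. To drop cached passwd entries without stopping the daemon, nscd's own `nscd -i passwd` (`--invalidate=TABLE`) does the same job as the `/etc/init.d/nscd stop` step in the transcript; if the keyed lookup still returns nothing with the cache gone, the classifier's `backend-keyed-lookup-fails` verdict points the investigation at the NSS backend rather than at nscd.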
