Kevin-
I have:
auth sufficient pam_ldap.so use_first_pass
in my common-auth file, but I don't use use_authtok and, at least on this test box, it doesn't seem to matter.
I should add this to my docs... :)
Tobias
Kevin Williams wrote:
| I think during my configuration with LDAP, nss, and Samba as a PDC, I
| hit every conceivable snag :)
|
| The second login prompt was appearing due to my not fully reading the
| pam_ldap man page :)
|
| Within my system-auth file for pam, I needed to add use_first_pass as an
| option under ldap's authentication module and use_authtok as an option
| for ldap's password module. These options "Authenticate to the
| directory by using the password that the user initially entered when
| the user authenticated to the first authentication module in the
| stack."
|
| I noticed that the use_authtok option wasn't included in the man page, but
| is included in everyone's docs. Does anyone know for sure whether this
| affects the ldap password module? I was thinking of testing that out
| this weekend...
|
| By not including this option, I was telling the system to re-prompt me
| for the password. Duh...
|
| As an additional note, I found a LOT of how-to's on the web about this.
| A document I referenced from padl's site (can't find it now) stated to
| always list unix's module before ldap's. Not sure why that would
| matter--many how-to's had it swapped.
|
| Tobias, thanks for your document by the way. I started with your how-to
| and continued to reference it throughout my learning process.
|
| One other question for any of you Samba experts out there. I came
| across a bug that was mentioned a few times regarding the PDC
| configuration. You have to set your computer accounts under people
| instead of under a separate organizational unit (i.e. computers).
| Anyone know why?
|
| Thanks,
|
| Kevin
|
| On Thu, 2004-07-29 at 09:34, Tobias Rice wrote:
|
| Kevin-
| Cool! I'm glad to hear that you got it. What all, besides the kerb
| flags, was wrong? Why were you having to log in twice?
| I just pam/nss'd a system against M$'s active directory using SFU3.5.
| Seems to be working just fine, believe it or not, using the map
| commands. If you're interested, I'll send you the setup.
| Tobias
|
| Kevin Williams wrote:
|
| | AH! I finally figured it out (Learned all about strace in the process :) )
| |
| | As an FYI--if anyone out there is installing/using gentoo, and is
| | thinking about kerberos, make sure you don't use both krb4 and kerberos
| | (different distributors) in your use flags. The system gets confused as
| | to which to use!
| |
| | Kevin
| |
| | On Sun, 2004-07-25 at 23:23, Kevin Williams wrote:
| |
| |>All,
| |>
| |>I'm hoping someone can point me in the right direction for solving this
| |>issue. I'm trying to set up my NSS to use ldap via PAM (nss_ldap). From
| |>all the docs, this should be a piece of cake. Not for me though! I'm
| |>running on Gentoo Linux with OpenLdap 2.1.26
| |>
| |>From what I've read, I have to configure the following files:
| |>1. /etc/ldap.conf
| |>2. /etc/nsswitch.conf
| |>3. /etc/pam.d/system-auth
| |>
| |>Here's what I put in each file:
| |>ldap.conf:
| |>
| |>host 127.0.0.1
| |>base dc=tarity,dc=com
| |>binddn cn=Manager,dc=tarity,dc=com
| |>bindpw PASSWORD
| |>pam_password exop
| |>scope sub
| |>nss_base_passwd ou=People,dc=tarity,dc=com
| |>nss_base_shadow ou=People,dc=tarity,dc=com
| |>nss_base_group ou=Group,dc=tarity,dc=com
| |>
| |>nsswitch.conf:
| |>(modified these three lines)
| |>passwd: files ldap
| |>shadow: files ldap
| |>group: files ldap
| |>...
| |>
| |>etc/pam.d/system-auth (added the following lines)
| |>auth sufficient /lib/security/pam_ldap.so
| |>account sufficient /lib/security/pam_ldap.so
| |>password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok
| |>session sufficient /lib/security/pam_ldap.so
| |>
| |>I've populated the LDAP database to be used as a windows domain controller,
| |>so I should have Domain and Administrator entries in the LDAP Database and
| |>NOT in the group or passwd files. Testing the system, I SHOULD get results
| |>returned when I use this command:
| |>getent group | grep Domain
| |>getent passwd | grep Administrator
| |>
| |>I'm pretty sure it's a config issue since I don't have anything showing up
| |>in my ldap log file. I don't have any log messages of the command at all
| |>(which is why I'm now stumped)! Does anyone see a configuration error that
| |>I might have, or have any advice for troubleshooting this issue?
| |>
| |>On a side note...I now get 2 password fields whenever I su.
| |>$su
| |>Password:
| |>Password:
| |>
| |>Would this be trying to authenticate via ldap, and then unix? I'm guessing
| |>this is due to a configuration change. When I make these changes, do I need
| |>to restart a daemon?
| |>
| |>Thanks!
| |>
| |>Kevin Williams
| |>
| |>_______________________________________________
| |>PDXLUG mailing list
| |>[EMAIL PROTECTED]
| |>http://pdxlug.org/mailman/listinfo/pdxlug
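The double "Password:" prompt discussed in this thread comes from stacking two password-taking modules (pam_unix and pam_ldap) where the second one is not told to reuse the token the first one collected: use_first_pass on the auth stack, use_authtok on the password stack. The following is an added example, not code from the PDXLUG thread or from pam_ldap: a small Python linter that parses a pam.d stack, reports which modules would prompt on their own, and flags a module path that is not under a library directory (the posting originally had /ib/security/pam_ldap.so in its password line). The two configurations are constructed from the thread's snippets; the pam_unix, pam_env and pam_deny lines are assumed, since the thread only shows the pam_ldap lines that were added, and the set of "password-taking" modules is an assumption of this example. The model is deliberately simple: it ignores the short-circuit of a successful sufficient module and shows the worst case, which is exactly what an LDAP-only user hits when pam_unix fails first.

```python
"""
Added example (not from the PDXLUG thread): lint the auth and password
stacks of a pam.d file for the double-prompt problem. Sample configs are
constructed from the thread's snippets; pam_unix/pam_env/pam_deny lines
and the PASSWORD_TAKERS set are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

# Modules that collect a password from the user themselves. Assumed set.
PASSWORD_TAKERS = {"pam_unix.so", "pam_ldap.so", "pam_krb5.so"}

# Options that make a module reuse a token collected earlier in the stack.
REUSE_OPTIONS = {
    "auth": {"use_first_pass", "try_first_pass"},
    "password": {"use_first_pass", "try_first_pass", "use_authtok"},
}


@dataclass
class Entry:
    type: str                 # auth | account | password | session
    control: str              # required | requisite | sufficient | optional | [...]
    module: str               # pam_ldap.so or /lib/security/pam_ldap.so
    options: list = field(default_factory=list)

    @property
    def name(self):
        return self.module.rsplit("/", 1)[-1]


def parse_pam(text):
    """Parse pam.d text into Entry objects, ignoring comments and blank lines.
    The control field may also be the bracketed form [success=1 default=ignore]."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$", line)
        if not m:
            raise ValueError(f"cannot parse pam.d line: {raw!r}")
        mtype, control, module, rest = m.groups()
        entries.append(Entry(mtype, control, module, rest.split()))
    return entries


def prompting_modules(entries, mtype):
    """Names of the password-taking modules in one stack that prompt by
    themselves. The first always prompts; each later one prompts again unless
    it carries a reuse option for that stack type. Worst case, reached when an
    earlier sufficient module fails (pam_unix for an LDAP-only user)."""
    prompts = []
    earlier = False
    for e in entries:
        if e.type != mtype or e.name not in PASSWORD_TAKERS:
            continue
        reuses = bool(set(e.options) & REUSE_OPTIONS[mtype])
        if not earlier or not reuses:
            prompts.append(e.name)
        earlier = True
    return prompts


def lint(text):
    """Return human-readable findings for the auth and password stacks."""
    entries = parse_pam(text)
    findings = []
    for mtype in ("auth", "password"):
        prompts = prompting_modules(entries, mtype)
        if len(prompts) > 1:
            fix = "use_first_pass" if mtype == "auth" else "use_authtok"
            findings.append(f"{mtype}: {' then '.join(prompts)} may each prompt; "
                            f"add {fix} to {prompts[-1]}")
    for e in entries:
        # Heuristic: an absolute module path outside a library directory is
        # almost always a typo and loads nothing at all.
        if "/" in e.module and not e.module.startswith(("/lib", "/usr/lib")):
            findings.append(f"{e.type}: suspicious module path {e.module}")
    return findings


# Constructed: the pam_ldap lines as first posted, plus assumed pam_unix lines.
POSTED = """\
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_ldap.so
auth     required   /lib/security/pam_unix.so
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_unix.so
password sufficient /ib/security/pam_ldap.so use_first_pass use_authtok
password required   /lib/security/pam_unix.so
session  sufficient /lib/security/pam_ldap.so
session  required   /lib/security/pam_unix.so
"""

# Constructed: pam_unix listed first, pam_ldap reusing its token, deny last.
FIXED = """\
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     sufficient /lib/security/pam_ldap.so use_first_pass
auth     required   /lib/security/pam_deny.so
account  sufficient /lib/security/pam_unix.so
account  sufficient /lib/security/pam_ldap.so
account  required   /lib/security/pam_deny.so
password sufficient /lib/security/pam_unix.so md5 shadow
password sufficient /lib/security/pam_ldap.so use_authtok
password required   /lib/security/pam_deny.so
session  required   /lib/security/pam_unix.so
session  optional   /lib/security/pam_ldap.so
"""

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("fixed", FIXED)):
        print(label, lint(cfg) or ["no findings"])
```

Running it reports three findings for the posted stack (a second prompt on both auth and password, plus the /ib/security path) and none for the fixed one. The pam_deny line at the end of each fixed stack is what keeps a chain of sufficient modules from falling through to success when every module fails; the thread's padl advice to list pam_unix before pam_ldap matters for the same reason the linter models: the first module is the one that collects the password, so it should be the one that works for local accounts (including root) even when the directory is unreachable.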
