[Bug 456985] Re: account configuration not working
Right - as I said, it was a configuration error. :) Closing the report.

** Changed in: libnss-ldap (Ubuntu)
   Status: Confirmed => Invalid

--
account configuration not working
https://bugs.launchpad.net/bugs/456985
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to libnss-ldap in ubuntu.

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 456985] Re: account configuration not working
Steve,

Would you agree to adding the broken_shadow option to pam_unix in the account mode?

The use case here is a laptop that normally authenticates with kerberos and gets its NSS from LDAP, including the shadow map, even though it's not really used in this situation (due to the use of kerberos). This all works fine when the laptop is connected to the network. But take it away from the network where it depends on pam-ccreds to cache the kerberos authentication tokens (works just fine) and nscd to cache the passwd/group entries that were used while connected to the network, there is no shadow entry available for nscd cached passwd entries and thus, pam_unix's account mode breaks.
[Bug 456985] Re: account configuration not working
> Would you agree to adding the broken_shadow option to pam_unix in the account mode?

No, I would not. It's a configuration error to have a password record with an x without a corresponding shadow entry, and we shouldn't ignore such configuration errors by default.
Re: [Bug 456985] Re: account configuration not working
On Sat, 2009-10-24 at 06:56 +, Steve Langasek wrote:

> No, I would not.

~sigh~

> It's a configuration error to have a password record with an x without a corresponding shadow entry, and we shouldn't ignore such configuration errors by default.

It's not a configuration error when the information being used is cached because the machine is away from the network where the configuration information is normally available. You are being way too rigid here and excluding perfectly valid use-cases because they don't exactly fit the original design model. i.e. rules for the sake of rules rather than because they actually make sense.

You know this sort of thing drives me nuts. Perfection is the enemy of progress and success. I admit to being a perfectionist and yet I still know that perfection is not always necessary and in many cases actually stifles what would otherwise be considered success. Perfection is responsible for throwing away many otherwise successful products because it's simply unreasonable to try to make it absolutely perfect -- which in most cases doesn't have any real world impact anyway.
[Bug 456985] Re: account configuration not working
Steve,

You can close this. I have figured out how to make my LDAP passwd map behave.

For anyone following along or who may find this in their travels, you will want to remove the shadowAccount object class from any ldap entries which represent users that should be authenticated by Kerberos -- or should otherwise not have shadow map entries (and the corresponding x in the password field of the passwd map) for whatever reason. Once the shadowAccount object class is removed, the passwd entries will have a * in the password field and there will be no shadow entry for them returned by nss_ldap.
[Bug 456985] Re: account configuration not working
** Changed in: libnss-ldap (Ubuntu)
   Status: New => Confirmed

** Changed in: libnss-ldap (Ubuntu)
   Importance: Undecided => Low
[Bug 456985] Re: account configuration not working
Chuck: your New-Confirmed seems to contradict Steve's assessment, yes?

I can see Steve's point, so I raised the issue on the nssldap list at PADL but didn't really get anything meaningful back. It would appear that nobody is listening there or there is no solution to this problem. I.e. to this point at least, it does not appear that one can disable the shadow map and thusly stop nssldap from returning an x in the password field.

But at the same time, neither does it make any sense to me to provide/require a shadow map from LDAP when LDAP shadow authentication is not even being used for a given user (i.e. using kerberos). IOW, I should be able to configure nsswitch.conf with:

shadow: files

and not have pam_unix barf.
[Bug 456985] Re: account configuration not working
Sorry, but this is a libnss-ldap bug or a bug in your configuration. The pam_unix module checks the password field returned by getpwnam() for the value 'x', and if found, consults the shadow database. If libnss-ldap isn't going to make the shadow database available, then it shouldn't refer callers there by returning this 'x' value. pam_unix is working as intended when it refuses access for a user configured this way.

** Package changed: pam (Ubuntu) => libnss-ldap (Ubuntu)
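
The rule discussed in this thread (a passwd entry with `x` in the password field must have a matching shadow entry, while a `*` entry needs none) can be audited on a host before it goes offline. The script below is an added example, not part of the bug thread or of pam_unix or libnss-ldap; the function names, output labels and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the bug report. Classifies passwd entries by whether
# an "x" password field is backed by a shadow entry.
# On a live host, feed it what NSS returns; only shadow names are needed, so
# no password hashes have to be written to disk:
#   getent passwd > passwd.txt
#   sudo getent shadow | cut -d: -f1 > shadow.names
#   check_shadow_refs passwd.txt shadow.names

# check_shadow_refs PASSWD_FILE SHADOW_FILE   (hypothetical helper name)
# Prints one line per account; returns 1 if any "x" entry lacks a shadow row.
check_shadow_refs() {
    awk -F: '
        # FILENAME test instead of NR==FNR so an empty shadow file still works.
        FILENAME == ARGV[1] { if ($1 != "") shadow[$1] = 1; next }
        $1 == "" { next }
        $2 == "x" && !($1 in shadow) { print "MISSING_SHADOW " $1; bad++; next }
        $2 == "x" { print "OK_SHADOW " $1; next }
        { print "NO_SHADOW_REF " $1 }   # e.g. "*" once shadowAccount is removed
        END { exit (bad > 0) }
    ' "$2" "$1"
}

# Constructed sample data: alice mirrors the reported case (x, no shadow row),
# bob is a local account with a shadow row, carol is an entry with "*".
sample_report() {
    dir=$(mktemp -d) || return 2
    printf '%s\n' \
        'alice:x:1001:1001::/home/alice:/bin/bash' \
        'bob:x:1002:1002::/home/bob:/bin/bash' \
        'carol:*:1003:1003::/home/carol:/bin/bash' > "$dir/passwd"
    printf '%s\n' 'bob:!:14500:0:99999:7:::' > "$dir/shadow"
    rc=0
    check_shadow_refs "$dir/passwd" "$dir/shadow" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

sample_report || echo "MISSING_SHADOW accounts are the ones pam_unix refuses"
```
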