Some details I neglected to mention:
- Whether pam_encryptfs is installed/configured has no effect.
- My /etc/nsswitch.conf file is almost identical:
passwd: files ldap
group: files ldap
shadow: files ldap
+gshadow:files
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc:db files
netgroup: nis
The gshadow line is additional on the bad host, but removing it (or
adding it to the good host) has no effect.
Differences in packages installed related to ldap:
root@goodhost:/etc/pam.d# apt search ldap | grep installed
auth-client-config/xenial,xenial,now 0.9ubuntu1 all [installed,automatic]
curl/xenial-updates,xenial-security,now 7.47.0-1ubuntu2.2 amd64 [installed]
+dovecot-ldap/xenial-updates,now 1:2.2.22-1ubuntu2.2 amd64 [installed]
ldap-auth-client/xenial,xenial,now 0.5.3 all [installed]
ldap-auth-config/xenial,xenial,now 0.5.3 all [installed]
ldap-utils/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
+libaprutil1-ldap/xenial,now 1.5.4-1build1 amd64 [installed,automatic]
+libcurl3/xenial-updates,xenial-security,now 7.47.0-1ubuntu2.2 amd64 [installed,automatic]
libcurl3-gnutls/xenial-updates,xenial-security,now 7.47.0-1ubuntu2.2 amd64 [installed]
libldap-2.4-2/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
libldb1/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed]
libnss-ldap/xenial,now 265-3ubuntu2 amd64 [installed]
libpam-ldap/xenial,now 184-8.7ubuntu1 amd64 [installed]
+libsasl2-modules-ldap/xenial,now 2.1.26.dfsg1-14build1 amd64 [installed]
+monit/xenial,now 1:5.16-2 amd64 [installed]
+php5-ldap/now 5.5.9+dfsg-1ubuntu4.20 amd64 [installed,local]
+postfix-ldap/xenial,now 3.1.0-3 amd64 [installed]
+python-ldap/xenial,now 2.4.22-0.1 amd64 [installed]
python-ldb/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed]
sudo/xenial-updates,now 1.8.16-0ubuntu1.2 amd64 [installed]
root@badhost:/etc/pam.d# apt search ldap | grep installed
auth-client-config/xenial,now 0.9ubuntu1 all [installed,automatic]
curl/xenial-security,xenial-updates,now 7.47.0-1ubuntu2.2 amd64 [installed,automatic]
ldap-auth-client/xenial,now 0.5.3 all [installed,automatic]
ldap-auth-config/xenial,now 0.5.3 all [installed,automatic]
ldap-utils/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
libcurl3-gnutls/xenial-security,xenial-updates,now 7.47.0-1ubuntu2.2 amd64 [installed,automatic]
libldap-2.4-2/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed,automatic]
libldb1/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed,automatic]
libnet-ldap-perl/xenial,now 1:0.6500+dfsg-1 all [installed,automatic]
libnss-ldap/xenial,now 265-3ubuntu2 amd64 [installed]
libpam-ldap/xenial,now 184-8.7ubuntu1 amd64 [installed]
libslp1/xenial,now 1.2.1-11 amd64 [installed,automatic]
python-ldb/xenial,now 2:1.1.24-1ubuntu3 amd64 [installed,automatic]
+slapd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
+slapd-smbk5pwd/xenial-updates,now 2.4.42+dfsg-2ubuntu3.1 amd64 [installed]
sudo/xenial-updates,now 1.8.16-0ubuntu1.2 amd64 [installed]
I toyed with the possibility that sasl might be the missing piece to no
avail. Frankly I hope it's not.
Cheers,
- Evan