Re: kde/kdm + nsswitch + ldap = nologon

2009-03-08 Thread Joe Kraft

> 
> I'd like to duplicate your setup nonetheless to learn.  Can you provide
> all the pam files, showconfig for the openldap and kdm-related port so I
> can run with the same port?
> 
> gdm offers pam integration by the description.  I'd be looking at options
> in pam, and making sure the console logins work off pam too, to make the
> comparison apples to apples.
> 
> Please give me the showconfig from the items above.

Was going to send as an e-mail to keep the gigantic post off the list, but
my mailer went stupid this morning...

OK...we'll start with the server.  Note that while I'm using the SASL
portion of the port, I'm not using any of the SASL type functionality yet.

Just in case you missed the part from the original post... I ran into a bug
report from last summer that appears to still be open with exactly the same
issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).  I get the same
error messages and such, with any luck it's based on misconfiguration of
something.

I hope all of this helps.
Joe.




>From the ldap server:
shadow# uname -a
FreeBSD shadow.casa.local 6.3-STABLE FreeBSD 6.3-STABLE #1: Sat Apr  5
14:49:53 EDT 2008 j...@shadow.casa.local:/usr/obj/usr/src/sys/GENERIC  i386

shadow# pkg_info |grep ldap
nss_ldap-1.257  RFC 2307 NSS module
openldap-sasl-client-2.4.11 Open source LDAP client implementation with
SASL2 support
openldap-sasl-server-2.4.11_2 Open source LDAP server implementation
pam_ldap-1.8.4  A pam module for authenticating with LDAP

shadow# cd /usr/ports/net/openldap24-server
shadow# make showconfig
===> The following configuration options are available for
openldap-sasl-server-2.4.11_2:
 SASL=on "With (Cyrus) SASL2 support"
 DNSSRV=off "With Dnssrv backend"
 PASSWD=off "With Passwd backend"
 PERL=off "With Perl backend"
 RELAY=off "With Relay backend"
 SHELL=off "With Shell backend (disables threading)"
 SOCK=off "With Sock backend"
 ODBC=off "With SQL backend"
 RLOOKUPS=off "With reverse lookups of client hostnames"
 SLP=off "With SLPv2 (RFC 2608) support"
 SLAPI=off "With Netscape SLAPI plugin API"
 TCP_WRAPPERS=on "With tcp wrapper support"
 BDB=on "With BerkeleyDB support"
 ACCESSLOG=off "With In-Directory Access Logging overlay"
 AUDITLOG=off "With Audit Logging overlay"
 CONSTRAINT=off "With Attribute Constraint overlay"
 DDS=off "Dynamic Directory Services overlay"
 DENYOP=off "With Deny Operation overlay"
 DYNGROUP=off "With Dynamic Group overlay"
 DYNLIST=off "With Dynamic List overlay"
 LASTMOD=off "With Last Modification overlay"
 MEMBEROF=off "With Reverse Group Membership overlay"
 PPOLICY=off "With Password Policy overlay"
 PROXYCACHE=off "With Proxy Cache overlay"
 REFINT=off "With Referential Integrity overlay"
 RETCODE=off "With Return Code testing overlay"
 RWM=off "With Rewrite/Remap overlay"
 SEQMOD=on "Sequential Modify overlay"
 SYNCPROV=on "With Syncrepl Provider overlay"
 TRANSLUCENT=off "With Translucent Proxy overlay"
 UNIQUE=off "With attribute Uniqueness overlay"
 VALSORT=off "With Value Sorting overlay"
 SMBPWD=off "With Samba Password hashes overlay"
 DYNAMIC_BACKENDS=on "Build dynamic backends"
===> Use 'make config' to modify these settings

shadow# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/samba.schema

pidfile     /var/run/openldap/slapd.pid
argsfile    /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath  /usr/local/libexec/openldap
moduleload  back_bdb


###
###
## BDB database definitions
###
###

## main part ##
database    bdb
directory   /var/db/openldap-data
suffix dc=casa,dc=local
rootdn cn=Manager,dc=casa,dc=local
rootpw {crypt}PasswordGoesHere

# access control #

access to * by * write

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange,shadowMax
   by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
   by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
   by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write
   by self write
   by anonymous auth
   by * none

# some attributes need to be readable anonymously so that 'id user' can
answer corre
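
The ACL block in the slapd.conf above is evaluated in order: the first "access to" directive whose target matches the entry or attribute is the one used, and within it the first "by" clause whose requester matches decides the level (an implicit "by * none" closes every directive). With "access to * by * write" as the first directive, every requester, anonymous binds included, gets write access to every attribute, and the userPassword rule underneath it is never reached. The Python below is an added example, not code from Joe's post or from OpenLDAP: it models that first-match evaluation for the "*" and "attrs=" targets and the "*", "anonymous", "users", "self" and dn="..." requester forms used in the post, runs it over the posted ACL block (copied from the message) and over the same rules reordered with the catch-all demoted to read and placed last, and flags directives shadowed by an earlier catch-all. The user DNs and the default-deny result when no directive matches are assumptions.

```python
"""Static check of slapd.conf access directives: the first matching <what>
wins, then the first matching <by> clause, else the directive's implicit
'by * none'.  Added example; covers only the selector forms in the post."""
import re

# Access levels in increasing order (slapd.access(5)).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

# ACL section copied from the posted slapd.conf (catch-all first).
POSTED_ACL = """
access to * by * write

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange,shadowMax
   by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
   by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
   by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write
   by self write
   by anonymous auth
   by * none
"""

# Same rules reordered: specific rule first, catch-all last and read-only.
FIXED_ACL = """
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange,shadowMax
   by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
   by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
   by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write
   by self write
   by anonymous auth
   by * none
access to * by * read
"""


def parse_access(conf):
    """Return [(what, [(who, level), ...]), ...] from slapd.conf text.
    Indented lines continue the previous directive, as in slapd.conf(5)."""
    logical = []
    for raw in conf.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    directives = []
    for line in logical:
        if not line.startswith("access to "):
            continue
        what, *clauses = re.split(r"\s+by\s+", line[len("access to "):])
        parsed = []
        for clause in clauses:
            who, level = clause.split(None, 1)
            parsed.append((who, level.split()[0]))   # drop 'stop'/'break' etc.
        directives.append((what.strip(), parsed))
    return directives


def _what_matches(what, attr):
    if what == "*":
        return True
    if what.startswith("attrs="):
        return attr.lower() in {a.lower() for a in what[len("attrs="):].split(",")}
    raise ValueError("unsupported <what> selector: " + what)


def _who_matches(who, requester_dn, target_dn):
    """requester_dn is None for an anonymous bind (assumed representation)."""
    if who == "*":
        return True
    if who == "anonymous":
        return requester_dn is None
    if who == "users":
        return requester_dn is not None
    if who == "self":
        return requester_dn is not None and requester_dn.lower() == target_dn.lower()
    m = re.fullmatch(r'dn="([^"]*)"', who)
    if m:
        return requester_dn is not None and requester_dn.lower() == m.group(1).lower()
    raise ValueError("unsupported <who> selector: " + who)


def evaluate(directives, requester_dn, target_dn, attr):
    """Access level the requester gets on attr of target_dn."""
    for what, clauses in directives:
        if not _what_matches(what, attr):
            continue
        for who, level in clauses:
            if _who_matches(who, requester_dn, target_dn):
                return level
        return "none"   # <what> matched, no <who> did: implicit 'by * none'
    return "none"       # no directive matched: assume deny


def lint(directives):
    """Findings: directives shadowed by an earlier 'access to *', and clauses
    that hand write access to anonymous or to everyone."""
    findings = []
    catch_all = None
    for i, (what, clauses) in enumerate(directives, 1):
        if catch_all is not None:
            findings.append(f"directive {i} ({what[:24]}...) is unreachable: "
                            f"shadowed by 'access to *' in directive {catch_all}")
        for who, level in clauses:
            if who in ("*", "anonymous") and level in LEVELS \
                    and LEVELS.index(level) >= LEVELS.index("write"):
                findings.append(f"directive {i}: 'by {who} {level}' grants unauthenticated write")
        if what == "*" and catch_all is None:
            catch_all = i
    return findings


if __name__ == "__main__":
    for name, text in (("posted", POSTED_ACL), ("fixed", FIXED_ACL)):
        print(name, lint(parse_access(text)) or ["no findings"])
```

On the server itself, slapacl(8) answers the same question against the live configuration, e.g. whether an anonymous bind has write on a user's userPassword; the script above only reproduces the ordering rule so the shadowing is visible without a running slapd.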

Re: kde/kdm + nsswitch + ldap = nologon

2009-03-07 Thread Tim Judd
On Sat, Mar 7, 2009 at 4:10 PM, Joe Kraft  wrote:

> Tim Judd wrote:
>
> > On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft 
> wrote:
> >
> >> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend.  The
> >> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> >> clients.
> >>
> >> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> >> setup and seems to be working fine, I can log in locally or through SSH
> >> using the ldap accounts.
> >>
> >> I'm working on the first client which is a FBSD 7.1 machine.  I can use
> >> ldap to login on this machine, but I'm having issues with logging in
> >> using
> >> kdm.  I can see all the users both from local files and from ldap, but I
> >> can't log in using either.  Even when kdm won't allow a login, I can
> >>  and get a normal login shell and login with local or
> ldap
> >> accounts.  The ldap lines are included in my /etc/pam.d/kde file.
> >>
> >> If I remove ldap from the nsswitch.conf file it will start working with
> >> local logins on kdm again.
> >>
> >> I ran into a bug report from last summer that appears to still be open
> >> with exactly the same issue
> >> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321 ).
> >>
> >> Does anyone know a workaround or have a patch for the issue?  I can
> >> provide config files and such if anyone thinks it might help.
> >>
> >> Thanks,
> >> Joe.
> >>
> >
> >
> > True SSO is accomplished by Kerberos.  Your LDAP implementation is
> > re-authenticating/re-authorizing on every service.
> >
> > I'm by NO means an expert with pam -- it confuses me, but there are some
> > basic concepts that I think there might be missing in your setup.
> >
> > First question I've got is shouldn't you need to create the rules for kdm
> > in a file called 'kdm' in pam?
> >
> > Second is that some options/arguments that pam can use such as
> > USE_FIRST_PASS would probably help you here.
> >
> > Third is whether the sufficient/required column in the pam file is there.
> >
> > Now we have to deal whether kdm uses pam or nsswitch.  And if it uses
> > nsswitch, then we have to go through all that troubleshooting all over
> > again.  Or maybe it doesn't even have any concept to use alternate auth
> > mechanisms other than just the local files...
> >
> >
> >
> > I'm only providing an insight to something your eyes may have overlooked.
> >
> > I hope this triggers something to get it working.  G'luck
>
>
> Thanks for the thoughts, I had Kerberos set up once when I was going the
> other way...with all clients working through an AD domain.  I'm trying to
> go the other way now and get everything working through a Samba Domain.  I
> might look into it again in the future once I get the basics working.
>
> I thought maybe I had it when you mentioned creating rules for kdm instead
> of kde in pam.  Unfortunately it didn't work.
>
> kdm seems to use nsswitch to get the names, because if I use the
> line "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users
> as well as the local users with their icons down the left side of the login
> window.  I just can't use them to login, no matter what I do it tells me my
> password is invalid.  I can't even get it to login with a local account
> from 'files'.  What I can do is drop to one of the other ttys and use an
> account with the same password that failed in kdm to login.  I'm using the
> same pam file for login as I am for kde (and now kdm).
>
> All I have to do is change the line to "passwd: files" and I can login
> again
> with the local accounts through kdm again.
>
> Certainly doesn't make sense to me right now...
>
> Joe.
>

I'd like to duplicate your setup nonetheless to learn.  Can you provide
all the pam files, showconfig for the openldap and kdm-related port so I can
run with the same port?

I use gnome at the moment, so here's what I did..
$ pkg_info  -W gdm
/usr/local/sbin/gdm was installed by package gdm-2.20.8
$ pkg_info -qo gdm-2.20.8
x11/gdm
$ cd /usr/ports/x11/gdm
$ make showconfig
===> The following configuration options are available for gdm-2.20.8:
 IPV6=off (default) "Enable IPv6 support"
 KEYRING=on (default) "Enable GnomeKeyring/PAM integration"
 LOG_LIMIT=on (default) "Limit ~/.xsession-errors size"
===> Use 'make config' to modify these settings


gdm offers pam integration by the description.  I'd be looking at options in
pam, and making sure the console logins work off pam too, to make the
comparison apples to apples.

Please give me the showconfig from the items above.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: kde/kdm + nsswitch + ldap = nologon

2009-03-07 Thread Joe Kraft
Tim Judd wrote:

> On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft  wrote:
> 
>> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend.  The
>> intent is to use ldap directly for FBSD clients and Samba for MS Windows
>> clients.
>>
>> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
>> setup and seems to be working fine, I can log in locally or through SSH
>> using the ldap accounts.
>>
>> I'm working on the first client which is a FBSD 7.1 machine.  I can use
>> ldap to login on this machine, but I'm having issues with logging in
>> using
>> kdm.  I can see all the users both from local files and from ldap, but I
>> can't log in using either.  Even when kdm won't allow a login, I can
>>  and get a normal login shell and login with local or ldap
>> accounts.  The ldap lines are included in my /etc/pam.d/kde file.
>>
>> If I remove ldap from the nsswitch.conf file it will start working with
>> local logins on kdm again.
>>
>> I ran into a bug report from last summer that appears to still be open
>> with exactly the same issue
>> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321 ).
>>
>> Does anyone know a workaround or have a patch for the issue?  I can
>> provide config files and such if anyone thinks it might help.
>>
>> Thanks,
>> Joe.
>>
> 
> 
> True SSO is accomplished by Kerberos.  Your LDAP implementation is
> re-authenticating/re-authorizing on every service.
> 
> I'm by NO means an expert with pam -- it confuses me, but there are some
> basic concepts that I think there might be missing in your setup.
> 
> First question I've got is shouldn't you need to create the rules for kdm
> in a file called 'kdm' in pam?
> 
> Second is that some options/arguments that pam can use such as
> USE_FIRST_PASS would probably help you here.
> 
> Third is whether the sufficient/required column in the pam file is there.
> 
> Now we have to deal whether kdm uses pam or nsswitch.  And if it uses
> nsswitch, then we have to go through all that troubleshooting all over
> again.  Or maybe it doesn't even have any concept to use alternate auth
> mechanisms other than just the local files...
> 
> 
> 
> I'm only providing an insight to something your eyes may have overlooked.
> 
> I hope this triggers something to get it working.  G'luck


Thanks for the thoughts, I had Kerberos set up once when I was going the
other way...with all clients working through an AD domain.  I'm trying to
go the other way now and get everything working through a Samba Domain.  I
might look into it again in the future once I get the basics working.

I thought maybe I had it when you mentioned creating rules for kdm instead
of kde in pam.  Unfortunately it didn't work.

kdm seems to use nsswitch to get the names, because if I use the
line "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users
as well as the local users with their icons down the left side of the login
window.  I just can't use them to login, no matter what I do it tells me my
password is invalid.  I can't even get it to login with a local account
>> from 'files'.  What I can do is drop to one of the other ttys and use an
>> account with the same password that failed in kdm to login.  I'm using the
same pam file for login as I am for kde (and now kdm).

All I have to do is change the line to "passwd: files" and I can login again
with the local accounts through kdm again.

Certainly doesn't make sense to me right now...

Joe.



Re: kde/kdm + nsswitch + ldap = nologon

2009-03-07 Thread Tim Judd
On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft  wrote:

> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend.  The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
>
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> setup and seems to be working fine, I can log in locally or through SSH
> using the ldap accounts.
>
> I'm working on the first client which is a FBSD 7.1 machine.  I can use
> ldap to login on this machine, but I'm having issues with logging in using
> kdm.  I can see all the users both from local files and from ldap, but I
> can't log in using either.  Even when kdm won't allow a login, I can
>  and get a normal login shell and login with local or ldap
> accounts.  The ldap lines are included in my /etc/pam.d/kde file.
>
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
>
> I ran into a bug report from last summer that appears to still be open with
> exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321
> ).
>
> Does anyone know a workaround or have a patch for the issue?  I can provide
> config files and such if anyone thinks it might help.
>
> Thanks,
> Joe.
>


True SSO is accomplished by Kerberos.  Your LDAP implementation is
re-authenticating/re-authorizing on every service.

I'm by NO means an expert with pam -- it confuses me, but there are some
basic concepts that I think there might be missing in your setup.

First question I've got is shouldn't you need to create the rules for kdm in
a file called 'kdm' in pam?

Second is that some options/arguments that pam can use such as
USE_FIRST_PASS would probably help you here.

Third is whether the sufficient/required column in the pam file is there.

Now we have to deal whether kdm uses pam or nsswitch.  And if it uses
nsswitch, then we have to go through all that troubleshooting all over
again.  Or maybe it doesn't even have any concept to use alternate auth
mechanisms other than just the local files...



I'm only providing an insight to something your eyes may have overlooked.

I hope this triggers something to get it working.  G'luck
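
Tim's second and third points above concern the control column (required, requisite, sufficient) and use_first_pass. The Python below is an added simulation, not code from the thread, from OpenPAM or from KDE: it implements the control-flag semantics of an OpenPAM-style "auth" stack over two constructed user tables (one standing in for /etc/master.passwd, one for the LDAP directory) and counts password prompts so the effect of use_first_pass is visible. The module names, users, passwords and the three sample stacks are made up for the example; it says nothing about what kdm itself does. What it shows is that with both modules "required" neither a local-only nor an LDAP-only user can authenticate, while "sufficient" on pam_unix lets a local user succeed without ever consulting LDAP, and an LDAP user still passes through the required pam_ldap.

```python
"""Simulation of an OpenPAM-style 'auth' stack: how the control column
decides whether a user found only in local files, or only in LDAP, can
authenticate.  Added example; user tables, passwords and stacks are
constructed and the plaintext passwords exist only for the simulation."""

# Constructed stand-ins for /etc/master.passwd and the LDAP directory.
FILES_USERS = {"root": "toor", "joe": "local-pw"}
LDAP_USERS = {"alice": "ldap-pw"}


def pam_unix(user, password):
    if user not in FILES_USERS:
        return "user_unknown"
    return "success" if FILES_USERS[user] == password else "auth_err"


def pam_ldap(user, password):
    if user not in LDAP_USERS:
        return "user_unknown"
    return "success" if LDAP_USERS[user] == password else "auth_err"


# Module name -> simulated module (assumed names, real ones live under /usr/lib
# and /usr/local/lib on FreeBSD).
MODULES = {"pam_unix.so": pam_unix, "pam_ldap.so": pam_ldap}

# Three constructed pam.d stacks for the comparison.
BOTH_REQUIRED = """
auth  required    pam_unix.so  no_warn try_first_pass
auth  required    pam_ldap.so  no_warn use_first_pass
"""
UNIX_SUFFICIENT = """
auth  sufficient  pam_unix.so  no_warn try_first_pass
auth  required    pam_ldap.so  no_warn use_first_pass
"""
NO_FIRST_PASS = """
auth  sufficient  pam_unix.so  no_warn
auth  required    pam_ldap.so  no_warn
"""


def parse_stack(text):
    """Parse pam.d(5)-style lines '<facility> <control> <module> [options]'
    and keep the auth facility only."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        facility, control, module, *options = line.split()
        if facility == "auth":
            stack.append((control, module, options))
    return stack


def run_auth(stack, user, password):
    """Return (verdict, prompts).
    required/binding: a failure is remembered and the stack continues;
    requisite: a failure ends the stack at once;
    sufficient/binding: a success ends the stack at once unless a required
    module already failed; a sufficient failure is ignored.
    A module prompts for the password unless it has use_first_pass or
    try_first_pass and a password has already been collected."""
    failed = False
    succeeded = False
    prompts = 0
    for control, module, options in stack:
        reuse = {"use_first_pass", "try_first_pass"} & set(options)
        if not (reuse and prompts):
            prompts += 1
        ok = MODULES[module](user, password) == "success"
        if control == "requisite" and not ok:
            return ("fail", prompts)
        if control in ("required", "binding") and not ok:
            failed = True
        if control in ("sufficient", "binding") and ok and not failed:
            return ("success", prompts)
        succeeded = succeeded or ok
    if failed or not succeeded:
        return ("fail", prompts)
    return ("success", prompts)


if __name__ == "__main__":
    for name, text in (("both required", BOTH_REQUIRED),
                       ("unix sufficient", UNIX_SUFFICIENT),
                       ("no *_first_pass", NO_FIRST_PASS)):
        for user, pw in (("joe", "local-pw"), ("alice", "ldap-pw"), ("joe", "wrong")):
            print(f"{name:16} {user:6} -> {run_auth(parse_stack(text), user, pw)}")
```

The third stack exists only to show the prompt count: without use_first_pass on pam_ldap, an LDAP user is asked for the password twice, which is the kind of second conversation round a console login handles and a graphical greeter may or may not, so it is worth checking the real /etc/pam.d file for exactly that before blaming the module.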


Re: kde/kdm + nsswitch + ldap = nologon

2009-03-07 Thread Joe Kraft
I guess it's probably worth mentioning that I'm working with KDE 3.5.10
right now.  Is this something likely solved in KDE 4.2 so I've hit my
reason to upgrade?

Joe.

Joe Kraft wrote:

> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend.  The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
> 
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> setup and seems to be working fine, I can log in locally or through SSH
> using the ldap accounts.
> 
> I'm working on the first client which is a FBSD 7.1 machine.  I can use
> ldap to login on this machine, but I'm having issues with logging in
> using kdm.  I can see all the users both from local files and from ldap,
> but I can't log in using either.  Even when kdm won't allow a login, I
> can  and get a normal login shell and login with local or
> ldap accounts.  The ldap lines are included in my /etc/pam.d/kde file.
> 
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
> 
> I ran into a bug report from last summer that appears to still be open
> with exactly the same issue
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
> 
> Does anyone know a workaround or have a patch for the issue?  I can
> provide config files and such if anyone thinks it might help.
> 
> Thanks,
> Joe.

