Re: kde/kdm + nsswitch + ldap = nologon
> I'd like to duplicate your setup none-the-less to learn. Can you provide
> all the pam files, showconfig for the openldap and kdm-related port so I
> can run with the same port?
>
> gdm offers pam integration by the description. I'd be looking at options
> in pam, and making sure the console logins work off pam too to make the
> comparison apples to apples.
>
> Please give me the showconfig from the items above.

Was going to send as an e-mail to keep the gigantic post off the list, but my mailer went stupid this morning...

OK...we'll start with the server. Note that while I'm using the SASL portion of the port, I'm not using any of the SASL type functionality yet.

Just in case you missed the part from the original post... I ran into a bug report from last summer that appears to still be open with exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321). I get the same error messages and such; with any luck it's based on misconfiguration of something.

I hope all of this helps.

Joe.
From the ldap server:

shadow# uname -a
FreeBSD shadow.casa.local 6.3-STABLE FreeBSD 6.3-STABLE #1: Sat Apr 5 14:49:53 EDT 2008     j...@shadow.casa.local:/usr/obj/usr/src/sys/GENERIC  i386

shadow# pkg_info |grep ldap
nss_ldap-1.257                RFC 2307 NSS module
openldap-sasl-client-2.4.11   Open source LDAP client implementation with SASL2 support
openldap-sasl-server-2.4.11_2 Open source LDAP server implementation
pam_ldap-1.8.4                A pam module for authenticating with LDAP

shadow# cd /usr/ports/net/openldap24-server
shadow# make showconfig
===> The following configuration options are available for openldap-sasl-server-2.4.11_2:
     SASL=on "With (Cyrus) SASL2 support"
     DNSSRV=off "With Dnssrv backend"
     PASSWD=off "With Passwd backend"
     PERL=off "With Perl backend"
     RELAY=off "With Relay backend"
     SHELL=off "With Shell backend (disables threading)"
     SOCK=off "With Sock backend"
     ODBC=off "With SQL backend"
     RLOOKUPS=off "With reverse lookups of client hostnames"
     SLP=off "With SLPv2 (RFC 2608) support"
     SLAPI=off "With Netscape SLAPI plugin API"
     TCP_WRAPPERS=on "With tcp wrapper support"
     BDB=on "With BerkeleyDB support"
     ACCESSLOG=off "With In-Directory Access Logging overlay"
     AUDITLOG=off "With Audit Logging overlay"
     CONSTRAINT=off "With Attribute Constraint overlay"
     DDS=off "Dynamic Directory Services overlay"
     DENYOP=off "With Deny Operation overlay"
     DYNGROUP=off "With Dynamic Group overlay"
     DYNLIST=off "With Dynamic List overlay"
     LASTMOD=off "With Last Modification overlay"
     MEMBEROF=off "With Reverse Group Membership overlay"
     PPOLICY=off "With Password Policy overlay"
     PROXYCACHE=off "With Proxy Cache overlay"
     REFINT=off "With Referential Integrity overlay"
     RETCODE=off "With Return Code testing overlay"
     RWM=off "With Rewrite/Remap overlay"
     SEQMOD=on "Sequential Modify overlay"
     SYNCPROV=on "With Syncrepl Provider overlay"
     TRANSLUCENT=off "With Translucent Proxy overlay"
     UNIQUE=off "With attribute Uniqueness overlay"
     VALSORT=off "With Value Sorting overlay"
     SMBPWD=off "With Samba Password hashes overlay"
     DYNAMIC_BACKENDS=on "Build dynamic backends"
===> Use 'make config' to modify these settings

shadow# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

# Load dynamic backend modules:
modulepath      /usr/local/libexec/openldap
moduleload      back_bdb

###############################
## BDB database definitions
###############################

## main part ##
database        bdb
directory       /var/db/openldap-data
suffix          dc=casa,dc=local
rootdn          cn=Manager,dc=casa,dc=local
rootpw          {crypt}PasswordGoesHere

# access control
# access to * by * write

# users can authenticate and change their password
access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange,shadowMax
        by dn="cn=samba,ou=DSA,dc=casa,dc=local" write
        by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write
        by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write
        by self write
        by anonymous auth
        by * none

# some attributes need to be readable anonymously so that 'id user' can answer corre
Re: kde/kdm + nsswitch + ldap = nologon
On Sat, Mar 7, 2009 at 4:10 PM, Joe Kraft wrote:
> Tim Judd wrote:
> > On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft wrote:
> >
> >> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
> >> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> >> clients.
> >>
> >> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> >> set up and seems to be working fine, I can log in locally or through SSH
> >> using the ldap accounts.
> >>
> >> I'm working on the first client which is a FBSD 7.1 machine. I can use
> >> ldap to login on this machine, but I'm having issues with logging in
> >> using kdm. I can see all the users both from local files and from ldap,
> >> but I can't log in using either. Even when kdm won't allow a login, I can
> >> and get a normal login shell and login with local or ldap
> >> accounts. The ldap lines are included in my /etc/pam.d/kde file.
> >>
> >> If I remove ldap from the nsswitch.conf file it will start working with
> >> local logins on kdm again.
> >>
> >> I ran into a bug report from last summer that appears to still be open
> >> with exactly the same issue
> >> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
> >>
> >> Does anyone know a workaround or have a patch for the issue? I can
> >> provide config files and such if anyone thinks it might help.
> >>
> >> Thanks,
> >> Joe.
> >
> > True SSO is accomplished by Kerberos. Your LDAP implementation is
> > re-authenticating/re-authorizing on every service.
> >
> > I'm by NO means an expert with pam -- it confuses me, but there are some
> > basic concepts that I think there might be missing in your setup.
> >
> > First question I've got is shouldn't you need to create the rules for kdm
> > in a file called 'kdm' in pam?
> >
> > Second is that some options/arguments that pam can use such as
> > USE_FIRST_PASS would probably help you here.
> >
> > Third is whether the sufficient/required column in the pam file is there.
> >
> > Now we have to deal with whether kdm uses pam or nsswitch. And if it uses
> > nsswitch, then we have to go through all that troubleshooting all over
> > again. Or maybe it doesn't even have any concept to use alternate auth
> > mechanisms other than just the local files...
> >
> > I'm only providing an insight to something your eyes may have overlooked.
> >
> > I hope this triggers something to get it working. G'luck
>
> Thanks for the thoughts, I had Kerberos set up once when I was going the
> other way...with all clients working through an AD domain. I'm trying to
> go the other way now and get everything working through a Samba Domain. I
> might look into it again in the future once I get the basics working.
>
> I thought maybe I had it when you mentioned creating rules for kdm instead
> of kde in pam. Unfortunately it didn't work.
>
> kdm seems to use nsswitch to get the names, because if I use the
> line "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users
> as well as the local users with their icons down the left side of the login
> window. I just can't use them to login, no matter what I do it tells me my
> password is invalid. I can't even get it to login with a local account
> from 'files'. What I can do is drop to one of the other ttys and use an
> account with the same password that failed in kdm to login. I'm using the
> same pam file for login as I am for kde (and now kdm).
>
> All I have to do is change the line to "passwd: files" and I can login
> again with the local accounts through kdm.
>
> Certainly doesn't make sense to me right now...
>
> Joe.

I'd like to duplicate your setup none-the-less to learn. Can you provide all the pam files, showconfig for the openldap and kdm-related port so I can run with the same port?

I use gnome at the moment, so here's what I did..
$ pkg_info -W gdm
/usr/local/sbin/gdm was installed by package gdm-2.20.8
$ pkg_info -qo gdm-2.20.8
x11/gdm
$ cd /usr/ports/x11/gdm
$ make showconfig
===> The following configuration options are available for gdm-2.20.8:
     IPV6=off (default) "Enable IPv6 support"
     KEYRING=on (default) "Enable GnomeKeyring/PAM integration"
     LOG_LIMIT=on (default) "Limit ~/.xsession-errors size"
===> Use 'make config' to modify these settings

gdm offers pam integration by the description. I'd be looking at options in pam, and making sure the console logins work off pam too to make the comparison apples to apples.

Please give me the showconfig from the items above.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
Re: kde/kdm + nsswitch + ldap = nologon
Tim Judd wrote:
> On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft wrote:
>
>> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
>> intent is to use ldap directly for FBSD clients and Samba for MS Windows
>> clients.
>>
>> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
>> set up and seems to be working fine, I can log in locally or through SSH
>> using the ldap accounts.
>>
>> I'm working on the first client which is a FBSD 7.1 machine. I can use
>> ldap to login on this machine, but I'm having issues with logging in
>> using kdm. I can see all the users both from local files and from ldap,
>> but I can't log in using either. Even when kdm won't allow a login, I can
>> and get a normal login shell and login with local or ldap
>> accounts. The ldap lines are included in my /etc/pam.d/kde file.
>>
>> If I remove ldap from the nsswitch.conf file it will start working with
>> local logins on kdm again.
>>
>> I ran into a bug report from last summer that appears to still be open
>> with exactly the same issue
>> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
>>
>> Does anyone know a workaround or have a patch for the issue? I can
>> provide config files and such if anyone thinks it might help.
>>
>> Thanks,
>> Joe.
>
> True SSO is accomplished by Kerberos. Your LDAP implementation is
> re-authenticating/re-authorizing on every service.
>
> I'm by NO means an expert with pam -- it confuses me, but there are some
> basic concepts that I think there might be missing in your setup.
>
> First question I've got is shouldn't you need to create the rules for kdm
> in a file called 'kdm' in pam?
>
> Second is that some options/arguments that pam can use such as
> USE_FIRST_PASS would probably help you here.
>
> Third is whether the sufficient/required column in the pam file is there.
>
> Now we have to deal with whether kdm uses pam or nsswitch. And if it uses
> nsswitch, then we have to go through all that troubleshooting all over
> again. Or maybe it doesn't even have any concept to use alternate auth
> mechanisms other than just the local files...
>
> I'm only providing an insight to something your eyes may have overlooked.
>
> I hope this triggers something to get it working. G'luck

Thanks for the thoughts, I had Kerberos set up once when I was going the other way...with all clients working through an AD domain. I'm trying to go the other way now and get everything working through a Samba Domain. I might look into it again in the future once I get the basics working.

I thought maybe I had it when you mentioned creating rules for kdm instead of kde in pam. Unfortunately it didn't work.

kdm seems to use nsswitch to get the names, because if I use the line "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users as well as the local users with their icons down the left side of the login window. I just can't use them to login, no matter what I do it tells me my password is invalid. I can't even get it to login with a local account from 'files'. What I can do is drop to one of the other ttys and use an account with the same password that failed in kdm to login. I'm using the same pam file for login as I am for kde (and now kdm).

All I have to do is change the line to "passwd: files" and I can login again with the local accounts through kdm.

Certainly doesn't make sense to me right now...

Joe.
Re: kde/kdm + nsswitch + ldap = nologon
On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft wrote:
> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
>
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> set up and seems to be working fine, I can log in locally or through SSH
> using the ldap accounts.
>
> I'm working on the first client which is a FBSD 7.1 machine. I can use
> ldap to login on this machine, but I'm having issues with logging in using
> kdm. I can see all the users both from local files and from ldap, but I
> can't log in using either. Even when kdm won't allow a login, I can
> and get a normal login shell and login with local or ldap
> accounts. The ldap lines are included in my /etc/pam.d/kde file.
>
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
>
> I ran into a bug report from last summer that appears to still be open with
> exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
>
> Does anyone know a workaround or have a patch for the issue? I can provide
> config files and such if anyone thinks it might help.
>
> Thanks,
> Joe.

True SSO is accomplished by Kerberos. Your LDAP implementation is re-authenticating/re-authorizing on every service.

I'm by NO means an expert with pam -- it confuses me, but there are some basic concepts that I think there might be missing in your setup.

First question I've got is shouldn't you need to create the rules for kdm in a file called 'kdm' in pam?

Second is that some options/arguments that pam can use such as USE_FIRST_PASS would probably help you here.

Third is whether the sufficient/required column in the pam file is there.

Now we have to deal with whether kdm uses pam or nsswitch. And if it uses nsswitch, then we have to go through all that troubleshooting all over again. Or maybe it doesn't even have any concept to use alternate auth mechanisms other than just the local files...

I'm only providing an insight to something your eyes may have overlooked.

I hope this triggers something to get it working. G'luck
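The three PAM checks Tim raises above (a policy file named for kdm, use_first_pass, and the sufficient/required control column) as a small lint script. This is an added example, not code from the thread; the two PAM policies it checks are constructed samples modelled on a FreeBSD pam.d file with pam_ldap added, not Joe's real files, and it assumes OpenPAM's fallback to the 'other' policy when no file exists for a service.

```python
# Constructed sample modelled on a FreeBSD /etc/pam.d/kde with pam_ldap
# added (not the poster's real file). pam_unix has no try_first_pass, so
# it re-prompts after pam_ldap fails, and the account line rejects users
# that exist only in /etc/passwd.
BROKEN_KDE = """\
auth        sufficient    /usr/local/lib/pam_ldap.so    no_warn
auth        required      pam_unix.so                   no_warn
account     required      /usr/local/lib/pam_ldap.so    no_warn
account     required      pam_unix.so
session     required      pam_lastlog.so                no_fail
"""

# Same stack with pam_unix reusing the already-collected password and the
# account check tolerant of users absent from LDAP.
FIXED_KDE = """\
auth        sufficient    /usr/local/lib/pam_ldap.so    no_warn
auth        required      pam_unix.so                   no_warn try_first_pass
account     required      /usr/local/lib/pam_ldap.so    no_warn ignore_unknown_user ignore_authinfo_unavail
account     required      pam_unix.so
session     required      pam_lastlog.so                no_fail
"""

def resolve_service(available, service):
    """OpenPAM uses the 'other' policy when no file exists for the service."""
    return service if service in available else "other"

def parse_pam(text):
    """Return (type, control, module basename, args) tuples, skipping comments."""
    entries = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 3:
            entries.append((parts[0], parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries

def lint_pam(text):
    """Return findings for the auth and account stacks of one policy file."""
    findings, asked = [], False    # asked: an earlier auth module already prompted
    for typ, control, module, args in parse_pam(text):
        if typ == "auth" and module in ("pam_ldap.so", "pam_unix.so"):
            if asked and not {"use_first_pass", "try_first_pass"} & set(args):
                findings.append(f"auth {module}: prompts again; add try_first_pass")
            if module == "pam_ldap.so" and control in ("required", "requisite"):
                findings.append(f"auth pam_ldap.so is {control}: accounts missing from LDAP cannot log in")
            asked = True
        if (typ == "account" and module == "pam_ldap.so"
                and control in ("required", "requisite") and "ignore_unknown_user" not in args):
            findings.append("account pam_ldap.so is required without ignore_unknown_user: local-only accounts fail")
    return findings
```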
Re: kde/kdm + nsswitch + ldap = nologon
I guess it's probably worth mentioning that I'm working with KDE 3.5.10 right now. Is this something likely solved in KDE 4.2 so I've hit my reason to upgrade?

Joe.

Joe Kraft wrote:
> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
>
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> set up and seems to be working fine, I can log in locally or through SSH
> using the ldap accounts.
>
> I'm working on the first client which is a FBSD 7.1 machine. I can use
> ldap to login on this machine, but I'm having issues with logging in
> using kdm. I can see all the users both from local files and from ldap,
> but I can't log in using either. Even when kdm won't allow a login, I
> can and get a normal login shell and login with local or
> ldap accounts. The ldap lines are included in my /etc/pam.d/kde file.
>
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
>
> I ran into a bug report from last summer that appears to still be open
> with exactly the same issue
> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
>
> Does anyone know a workaround or have a patch for the issue? I can
> provide config files and such if anyone thinks it might help.
>
> Thanks,
> Joe.