public inbox for gentoo-user@lists.gentoo.org
* [gentoo-user] nss_updatedb && pam_ccreds
@ 2010-07-29 16:50 Giampiero Gabbiani
From: Giampiero Gabbiani @ 2010-07-29 16:50 UTC
  To: gentoo-user

Hi all,
I configured nss & pam for LDAP authentication. In order to have proper
authentication and attribute retrieval I also added ccreds and nss_updatedb,
modifying /etc/pam.d/system-auth for the first and /etc/nsswitch.conf for both:

/etc/pam.d/system-auth:

auth            [success=done default=ignore]                   pam_unix.so nullok_secure try_first_pass debug
auth            [authinfo_unavail=ignore success=1 default=2]   pam_ldap.so use_first_pass
auth            [default=done]                                  pam_ccreds.so action=validate use_first_pass
auth            [default=done]                                  pam_ccreds.so action=store
auth            [default=bad]                                   pam_ccreds.so action=update

account         [user_unknown=ignore authinfo_unavail=ignore default=done]      pam_unix.so debug
account         [user_unknown=ignore authinfo_unavail=ignore default=done]      pam_ldap.so debug
account         required                                                        pam_permit.so

password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password        sufficient      pam_unix.so try_first_pass use_authtok nullok md5 shadow
password        sufficient      pam_ldap.so use_authtok use_first_pass
password        required        pam_deny.so

session         optional        pam_mkhomedir.so skel=/etc/skel/ umask=0022
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so
session         optional        pam_ldap.so

# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:         files ldap [NOTFOUND=return] db
shadow:         files ldap
group:          files ldap [NOTFOUND=return] db

#passwd:      files ldap
#shadow:      files ldap
#group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files ldap
bootparams:  files

automount:   files ldap
aliases:     files

sudoers:        ldap files

The problem is that, when the connection to the LDAP server is down, I can't
log in:

Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module

From the last line above it seems that either the credentials were not cached
or the NSS switch doesn't use the db service for the passwd and shadow databases.

Does anyone have a working configuration in which the cached credentials
system works properly?

Regards
Giampiero




* Re: [gentoo-user] nss_updatedb && pam_ccreds
From: Vincent-Xavier JUMEL @ 2010-07-30 11:50 UTC
  To: gentoo-user

On 29 July at 18:50, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to make LDAP authentication. In order to 
> have a proper authentication and attributes retrieving I added also ccreds 
> and nss_updatedb modifying /etc/pam.d/system-auth for the first and 
Did you try starting the nscd daemon to cache entries for the nsswitch
subsystem?

I've been working around this for a while, and one of the best solutions
is to have a slave LDAP on every single host.

Cheers
-- 
Join the 5521 members of April <http://www.april.org/adherer>
Parinux, free software in Paris: <http://www.parinux.org>
+33 (0) 148 295 997 <http://blog.thetys-retz.net/>
GPG Id: EBEC C39A DAAE F766 9785  EF23 E76F 467D 2E14 CE70




* Re: [gentoo-user] nss_updatedb && pam_ccreds
From: Daniel Troeder @ 2010-08-03 19:31 UTC
  To: gentoo-user


On 07/29/2010 06:50 PM, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to make LDAP authentication. In order to 
> have a proper authentication and attributes retrieving I added also ccreds 
> and nss_updatedb modifying /etc/pam.d/system-auth for the first and 
> /etc/nsswithch for both:
I haven't done this on Gentoo, only on an Ubuntu 10.04 system of a
client, but there it works like a charm. So I don't know if the
following applies, but here are my ideas:

Did you run "sudo nss_updatedb ldap"? In Ubuntu it fetches the
(non-password) data for "getent passwd" and "getent group" and stores it
in /var/lib/misc/passwd.db and /var/lib/misc/group.db.
Check those files. You should be able to list LDAP-users and LDAP-groups
now without connection to the LDAP (by running "getent passwd" and
"getent group").

The PAM configuration is very different of course.

Then, to be able to log in, the user must have logged in once with the LDAP
connected, so that the password can be stored locally. Whether that was
successful can be checked by running "sudo cc_dump". It prints:

$ sudo cc_dump

Credential Type  User   Service Cached Credentials
------------------------------------------------------------------------
Salted SHA1      daniel any     788e8f863a089211911dbbf1774ce141516936f4


Hope it helps...
Daniel


-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887




* [gentoo-user] SOLVED: Re: nss_updatedb && pam_ccreds
From: Giampiero Gabbiani @ 2010-08-22 13:51 UTC
  To: gentoo-user

On Thursday 29 July 2010 18:50:13, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to make LDAP authentication. In order to
> have a proper authentication and attributes retrieving I added also ccreds
> and nss_updatedb modifying /etc/pam.d/system-auth for the first and
> /etc/nsswithch for both:
The problem was due to a missing sys-libs/nss-db ebuild.
This one provides the NSS module needed by glibc for using Berkeley
databases as a naming service (actually the same one used by nss-updatedb).

Now everything works well.

Bye all
Giampiero

P.S. - IMHO, this should be set as a dependency in the nss-updatedb
ebuild...
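The root cause in this thread (a `db` source listed in nsswitch.conf while the glibc module that implements it, libnss_db from sys-libs/nss-db, was not installed) is easy to miss because glibc just skips a source whose module it cannot load, and the symptom is the "User not known" failure from the first post rather than an error naming the module. The following Python script is an added example, not code from the thread or from Gentoo: it parses an nsswitch.conf, reports every listed source that has no libnss_*.so on the host, and reports passwd/group databases whose lookup chain never reaches `db` (so the cache Daniel describes nss_updatedb writing would never be consulted). SAMPLE_NSSWITCH is constructed from the passwd/shadow/group lines posted above; the library directories and the `builtin` list are assumptions about the host.

```python
"""Check nsswitch.conf sources against the NSS modules actually installed.

Added example (not from the thread or from Gentoo). SAMPLE_NSSWITCH is
constructed from the lines posted in the thread; the library directories
searched and the `builtin` source list are assumptions about the host.
"""
import glob
import os
import re

SAMPLE_NSSWITCH = """\
# constructed from the passwd/shadow/group lines posted in the thread
passwd:         files ldap [NOTFOUND=return] db
shadow:         files ldap
group:          files ldap [NOTFOUND=return] db

hosts:       files dns
netgroup:    files ldap
sudoers:        ldap files
"""

_ACTION_RE = re.compile(r"\[[^\]]*\]")                    # e.g. [NOTFOUND=return]
_MODULE_RE = re.compile(r"libnss_([a-z0-9_]+?)(?:-[\d.]+)?\.so")


def parse_nsswitch(text):
    """Return {database: [source, ...]}; action specs in [...] are dropped."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()               # strip comments
        if not line or ":" not in line:
            continue
        database, spec = line.split(":", 1)
        result[database.strip()] = _ACTION_RE.sub(" ", spec).split()
    return result


def installed_nss_modules(lib_dirs=("/lib", "/lib64", "/usr/lib", "/usr/lib64")):
    """Source names ('db', 'ldap', ...) for which a libnss_*.so file exists.

    The directory list is an assumption; adjust it to the host's layout.
    """
    found = set()
    for lib_dir in lib_dirs:
        for path in glob.glob(os.path.join(lib_dir, "libnss_*.so*")):
            match = _MODULE_RE.match(os.path.basename(path))
            if match:
                found.add(match.group(1))
    return found


def missing_modules(nss, installed, builtin=("files", "dns")):
    """(database, source) pairs whose source has no loadable NSS module.

    `builtin` names sources that recent glibc (2.34 and later) links into
    libc itself, so their absence as a separate .so file is not a problem.
    """
    return [
        (database, source)
        for database, sources in nss.items()
        for source in sources
        if source not in installed and source not in builtin
    ]


def databases_without_cache(nss, databases=("passwd", "group")):
    """Databases nss_updatedb populates whose lookup chain never reaches `db`."""
    return [db for db in databases if "db" not in nss.get(db, [])]


if __name__ == "__main__":
    path = "/etc/nsswitch.conf"
    if os.path.exists(path):
        with open(path) as fh:
            nss = parse_nsswitch(fh.read())
    else:
        nss = parse_nsswitch(SAMPLE_NSSWITCH)
    installed = installed_nss_modules()
    for database, source in missing_modules(nss, installed):
        print(f"{database}: source '{source}' listed but no libnss_{source} module found")
    for database in databases_without_cache(nss):
        print(f"{database}: no 'db' source, the nss_updatedb cache will not be consulted")
```

Run it as root or not, it only reads files; on a host with the thread's configuration but without sys-libs/nss-db it reports `passwd: source 'db' listed but no libnss_db module found` and the same for `group`, which is exactly the condition the SOLVED message identifies.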


