From: Giampiero Gabbiani
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] nss_updatedb && pam_ccreds
Date: Thu, 29 Jul 2010 18:50:13 +0200
Message-Id: <201007291850.13570.Giampiero@gabbiani.org>

Hi all,

I configured nss & pam in order to use LDAP authentication.
In order to have proper authentication and attribute retrieval I also added ccreds and nss_updatedb, modifying /etc/pam.d/system-auth for the first and /etc/nsswitch.conf for both:

/etc/pam.d/system-auth:

auth     [success=done default=ignore]                                 pam_unix.so nullok_secure try_first_pass debug
auth     [authinfo_unavail=ignore success=1 default=2]                 pam_ldap.so use_first_pass
auth     [default=done]                                                pam_ccreds.so action=validate use_first_pass
auth     [default=done]                                                pam_ccreds.so action=store
auth     [default=bad]                                                 pam_ccreds.so action=update
account  [user_unknown=ignore authinfo_unavail=ignore default=done]    pam_unix.so debug
account  [user_unknown=ignore authinfo_unavail=ignore default=done]    pam_ldap.so debug
account  required                                                      pam_permit.so
password required                                                      pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient                                                    pam_unix.so try_first_pass use_authtok nullok md5 shadow
password sufficient                                                    pam_ldap.so use_authtok use_first_pass
password required                                                      pam_deny.so
session  optional                                                      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session  required                                                      pam_limits.so
session  required                                                      pam_env.so
session  required                                                      pam_unix.so
session  optional                                                      pam_permit.so
session  optional                                                      pam_ldap.so

# /etc/nsswitch.conf:
# $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $

passwd:     files ldap [NOTFOUND=return] db
shadow:     files ldap
group:      files ldap [NOTFOUND=return] db

#passwd:    files ldap
#shadow:    files ldap
#group:     files ldap

# passwd:   db files nis
# shadow:   db files nis
# group:    db files nis

hosts:      files dns
networks:   files dns

services:   db files
protocols:  db files
rpc:        db files
ethers:     db files
netmasks:   files
netgroup:   files ldap
bootparams: files

automount:  files ldap
aliases:    files
sudoers:    ldap files

The problem is that, when the connection to the LDAP server is down, I can't log in:

Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module

From the last line above it seems like the credentials were not cached, or the nss switch doesn't use the db service for the passwd and shadow databases.

Is there someone who has a working configuration in order to have the cached credentials system working properly?

Regards,
Giampiero
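The question above turns on how glibc walks the source chain in nsswitch.conf when one source is unreachable. The following script is an added example, not part of the original post or of the glibc or nss_updatedb projects: it parses the passwd/shadow/group lines quoted in the mail (embedded below as a constructed excerpt) and simulates the lookup with a simplified model of the glibc action rules (SUCCESS=return and NOTFOUND/UNAVAIL/TRYAGAIN=continue by default, with bracketed overrides and "!" negation). The source outcomes fed to the simulation ("ldap" unavailable, "db" holding a cached entry) are assumptions chosen to mirror the logged situation; the script models NSS name resolution only, not the PAM auth stack, so it says nothing about pam_ccreds itself.

```python
import re

# Constructed excerpt of the nsswitch.conf quoted in the post: only the
# user/group databases that a console login consults are included.
NSSWITCH_SAMPLE = """\
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group:  files ldap [NOTFOUND=return] db
hosts:  files dns
"""

STATUSES = ("success", "notfound", "unavail", "tryagain")
# glibc default actions: a successful lookup ends the chain, every
# other status moves on to the next source.
DEFAULT_ACTIONS = {"success": "return", "notfound": "continue",
                   "unavail": "continue", "tryagain": "continue"}


def parse_nsswitch(text):
    """Return {database: [(source, {status: action}), ...]}.

    A bracketed block such as [NOTFOUND=return] modifies the actions of
    the source immediately before it, exactly as nsswitch.conf(5) reads it.
    """
    config = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or ":" not in line:
            continue
        db, spec = line.split(":", 1)
        chain = []
        for token in re.findall(r"\[[^\]]*\]|\S+", spec):
            if token.startswith("["):
                if not chain:
                    continue                   # no preceding source: ignore
                actions = chain[-1][1]
                for pair in token[1:-1].split():
                    status, action = pair.lower().split("=", 1)
                    negate = status.startswith("!")
                    status = status.lstrip("!")
                    targets = ([s for s in STATUSES if s != status]
                               if negate else [status])
                    for s in targets:
                        actions[s] = action
            else:
                chain.append((token.lower(), dict(DEFAULT_ACTIONS)))
        config[db.strip().lower()] = chain
    return config


def resolve(config, database, outcomes):
    """Walk the source chain for `database`.

    `outcomes` maps each source name to the status it would report for
    this lookup.  Returns the source that answered, or None when the
    chain ends (or is stopped by a `return` action) without an answer.
    """
    for source, actions in config.get(database, []):
        status = outcomes.get(source, "notfound")
        if status == "success":
            return source
        if actions[status] == "return":
            return None                        # chain stopped early
        # "continue" (and "merge", treated as continue here): next source
    return None


def offline_report(config, databases=("passwd", "shadow", "group")):
    """Which databases still resolve a directory-only user while the LDAP
    server is unreachable, assuming nss_updatedb has populated the db
    source with that user (constructed scenario)."""
    ldap_down = {"files": "notfound", "ldap": "unavail", "db": "success"}
    return {db: resolve(config, db, ldap_down) for db in databases}


if __name__ == "__main__":
    cfg = parse_nsswitch(NSSWITCH_SAMPLE)
    for db, src in offline_report(cfg).items():
        print(f"{db:7s} -> {src or 'NOT RESOLVED'}")
```

Run against the quoted configuration, passwd and group fall through to the db source when ldap reports UNAVAIL, while the shadow line, which lists no db source, resolves nothing offline. Changing the ldap outcome to NOTFOUND shows the other half of the rule: [NOTFOUND=return] stops the chain before db is consulted, so a user absent from the directory is never served from the cache. Comparing the script's answer for each database with what getent returns on the real host while the directory is down is a quick way to separate an NSS caching problem from a PAM one.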