From: Giampiero Gabbiani <Giampiero@gabbiani.org>
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] SOLVED: Re: nss_updatedb && pam_ccreds
Date: Sun, 22 Aug 2010 15:51:07 +0200 [thread overview]
Message-ID: <201008221551.07339.Giampiero@gabbiani.org> (raw)
In-Reply-To: <201007291850.13570.Giampiero@gabbiani.org>
On Thursday, 29 July 2010 18:50:13, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to make LDAP authentication. In order to
> have proper authentication and attribute retrieval I also added ccreds
> and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch for both:
>
> /etc/pam.d/system-auth:
>
> auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
> account required pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd: files ldap [NOTFOUND=return] db
> shadow: files ldap
> group: files ldap [NOTFOUND=return] db
>
> #passwd: files ldap
> #shadow: files ldap
> #group: files ldap
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files ldap
> bootparams: files
>
> automount: files ldap
> aliases: files
>
> sudoers: ldap files
>
> The problem is that, when the connection to the LDAP server is down, I
> can't log in:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> From the last line above it seems that either the credentials were not cached or
> the NSS switch doesn't use the db service for the passwd and shadow
> databases.
>
> Does anyone have a working configuration that makes the
> cached credentials system work properly?
>
> Regards
> Giampiero
The problem was due to a missing sys-libs/nss-db ebuild.
This one provides the NSS module glibc needs in order to use Berkeley DB databases as a
naming service (actually the same one used by nss_updatedb).
Now everything works well.
Bye all
Giampiero
P.S. - IMHO, this should be set as a dependency in the ebuild for
nss_updatedb...
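The fix above boils down to three things that must all be in place before an offline login can succeed: the nsswitch passwd/group lines must list the db service after ldap, the glibc db module from sys-libs/nss-db must be installed, and nss_updatedb must have populated its cache. The following POSIX sh script is an added diagnostic, not part of this mail or of the nss_updatedb/nss-db projects. It assumes (both here and in the comments) that the module installs as libnss_db.so.2 under one of the usual library directories and that nss_updatedb writes its caches to /var/db as passwd.db and group.db; adjust those two variables if your system differs.

```shell
#!/bin/sh
# Added diagnostic for the cached-credentials setup discussed in this thread;
# not part of the original mail. Assumptions:
#   - the glibc NSS db module is installed as libnss_db.so.2 in one of LIBDIRS
#   - nss_updatedb writes its caches to CACHEDIR as passwd.db and group.db
LIBDIRS="/lib /lib64 /usr/lib /usr/lib64"
CACHEDIR="/var/db"

# nsswitch_uses_db FILE DATABASE
# Succeeds when the active (uncommented) DATABASE line in FILE lists the "db"
# service, e.g. "passwd: files ldap [NOTFOUND=return] db". Commented lines
# such as "#passwd: files ldap" have "#passwd:" in field 1 and are skipped.
nsswitch_uses_db() {
    awk -v db="$2" '
        $1 == (db ":") { for (i = 2; i <= NF; i++) if ($i == "db") found = 1 }
        END { exit (found ? 0 : 1) }' "$1"
}

# nss_db_module_present [DIR...]
# Succeeds when libnss_db.so.2 exists in any given directory (default LIBDIRS).
# On Gentoo this file is what sys-libs/nss-db provides.
nss_db_module_present() {
    [ $# -gt 0 ] || set -- $LIBDIRS
    for d in "$@"; do
        [ -e "$d/libnss_db.so.2" ] && return 0
    done
    return 1
}

# cache_present [DIR]
# Succeeds when both non-empty caches written by nss_updatedb exist in DIR.
cache_present() {
    dir=${1:-$CACHEDIR}
    [ -s "$dir/passwd.db" ] && [ -s "$dir/group.db" ]
}

# check_offline_lookup NSSWITCH USER
# Runs every check, prints one FAIL line per problem and returns the number
# of failures. The last check asks getent for the db service alone
# ("getent -s db"), which is what a lookup falls back to once the ldap
# service has answered "unavailable".
check_offline_lookup() {
    fails=0
    nsswitch_uses_db "$1" passwd || { echo "FAIL: passwd line in $1 does not list db"; fails=$((fails + 1)); }
    nsswitch_uses_db "$1" group  || { echo "FAIL: group line in $1 does not list db";  fails=$((fails + 1)); }
    nss_db_module_present        || { echo "FAIL: libnss_db.so.2 not found (sys-libs/nss-db missing?)"; fails=$((fails + 1)); }
    cache_present                || { echo "FAIL: no passwd.db/group.db in $CACHEDIR (run nss_updatedb)"; fails=$((fails + 1)); }
    getent -s db passwd "$2" >/dev/null 2>&1 || { echo "FAIL: user $2 not resolvable from the db service alone"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "PASS: offline lookup for $2 should work"
    return "$fails"
}

# Usage: sh check_offline.sh USERNAME   (checks /etc/nsswitch.conf on this host)
[ $# -eq 0 ] || check_offline_lookup /etc/nsswitch.conf "$1"
```

Run it while the LDAP server is reachable; a clean PASS means a later outage will only cost you the pam_ldap bind, not the account lookup, because the db service still resolves the user. Note that nsswitch's `[NOTFOUND=return]` after ldap does not stop the fallback here: an unreachable server yields the UNAVAIL status, not NOTFOUND, so the lookup continues to db as intended.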
Thread overview: 4+ messages
2010-07-29 16:50 [gentoo-user] nss_updatedb && pam_ccreds Giampiero Gabbiani
2010-07-30 11:50 ` Vincent-Xavier JUMEL
2010-08-03 19:31 ` Daniel Troeder
2010-08-22 13:51 ` Giampiero Gabbiani [this message]