From: Giampiero Gabbiani
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] SOLVED: Re: nss_updatedb && pam_ccreds
Date: Sun, 22 Aug 2010 15:51:07 +0200
Message-Id: <201008221551.07339.Giampiero@gabbiani.org>
In-Reply-To: <201007291850.13570.Giampiero@gabbiani.org>
References: <201007291850.13570.Giampiero@gabbiani.org>

On Thursday 29 July 2010 18:50:13, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to make LDAP authentication. In order to
> have a proper authentication and attributes retrieving I added also ccreds
> and nss_updatedb modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch.conf for both:
>
> /etc/pam.d/system-auth:
>
> auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
> account required pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd: files ldap [NOTFOUND=return] db
> shadow: files ldap
> group: files ldap [NOTFOUND=return] db
>
> #passwd: files ldap
> #shadow: files ldap
> #group: files ldap
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files ldap
> bootparams: files
>
> automount: files ldap
> aliases: files
>
> sudoers: ldap files
>
> the problem is that, when the connection to the ldap server is down, I
> can't login:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> from the last line above it seems like the credentials were not cached or
> the nss switch doesn't use the db service for the passwd and shadow
> database.
>
> Is there someone that has a working configuration in order to have the
> cached credentials system working properly?
>
> Regards
> Giampiero

The problem was due to a missing sys-libs/nss-db ebuild. This one provides the needed NSS module for using Berkeley Databases as a naming service by glibc (actually the same used by nss-updatedb). Now everything works well.

Bye all
Giampiero

P.S. - IMHO, this should be set as a dependency in the nss-updatedb ebuild...
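One way to catch the misconfiguration from this thread before it locks users out, as an added example that is neither the thread author's code nor part of any Gentoo package: a small Python checker that parses nsswitch.conf the way glibc reads it and reports when passwd or group rely on ldap without a usable db fallback (db not listed, libnss_db.so.2 not installed, or the nss_updatedb cache file absent). The module file name pattern, the /var/db cache directory and the sample directory listings are assumptions.

```python
import re

CACHED_DBS = ("passwd", "group")  # nss_updatedb caches only these two databases
CACHE_DIR = "/var/db"             # assumption: where nss_updatedb writes passwd.db / group.db
MODULE_RE = re.compile(r"^libnss_(\w+)\.so\.2$")  # assumption: glibc NSS module file names


def parse_nsswitch(text):
    """Map each database to its service list, ignoring comments and [STATUS=action] blocks."""
    result = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" in line:
            db, spec = line.split(":", 1)
            result[db.strip()] = re.sub(r"\[[^\]]*\]", " ", spec).split()
    return result


def modules_from_listing(filenames):
    """Derive installed NSS module names from a directory listing (e.g. of /lib)."""
    found = set()
    for name in filenames:
        m = MODULE_RE.match(name)
        if m:
            found.add(m.group(1))
    return found


def check_offline_fallback(nsswitch_text, installed_modules, cache_files):
    """Return findings explaining why passwd/group lookups would fail with LDAP down."""
    findings = []
    for db, services in parse_nsswitch(nsswitch_text).items():
        if db not in CACHED_DBS:
            continue
        if "ldap" in services and "db" not in services:
            findings.append(f"{db}: ldap has no 'db' fallback, lookups fail when LDAP is unreachable")
        elif "db" in services and "db" not in installed_modules:
            findings.append(f"{db}: 'db' listed but libnss_db.so.2 is not installed (sys-libs/nss-db)")
        elif "db" in services and f"{db}.db" not in cache_files:
            findings.append(f"{db}: libnss_db present but {CACHE_DIR}/{db}.db is missing; run nss_updatedb")
    return findings


# Constructed sample: the passwd/shadow/group lines from the thread's nsswitch.conf.
SAMPLE_NSSWITCH = """\
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group:  files ldap [NOTFOUND=return] db
hosts:  files dns
"""
# Constructed listings: before and after installing sys-libs/nss-db.
BEFORE = modules_from_listing(["libnss_files.so.2", "libnss_ldap.so.2", "libc.so.6"])
AFTER = modules_from_listing(["libnss_files.so.2", "libnss_ldap.so.2", "libnss_db.so.2"])

if __name__ == "__main__":
    for label, mods in (("before", BEFORE), ("after", AFTER)):
        print(label, check_offline_fallback(SAMPLE_NSSWITCH, mods, {"passwd.db", "group.db"}) or ["ok"])
```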