From: Daniel Troeder
Date: Tue, 03 Aug 2010 21:31:28 +0200
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] nss_updatedb && pam_ccreds
In-Reply-To: <201007291850.13570.Giampiero@gabbiani.org>
List-Id: Gentoo Linux mail

On 07/29/2010 06:50 PM, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to do LDAP authentication. In order to
> have proper authentication and attribute retrieval I also added ccreds
> and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch.conf for both:
>
> /etc/pam.d/system-auth:
>
> auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
> account required pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd: files ldap [NOTFOUND=return] db
> shadow: files ldap
> group: files ldap [NOTFOUND=return] db
>
> #passwd: files ldap
> #shadow: files ldap
> #group: files ldap
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files ldap
> bootparams: files
>
> automount: files ldap
> aliases: files
>
> sudoers: ldap files
>
> The problem is that, when the connection to the LDAP server is down, I can't
> log in:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> From the last line above it seems that the credentials were not cached, or that the
> NSS switch doesn't use the db service for the passwd and shadow databases.
>
> Does anyone have a working configuration that gets the
> cached-credentials system working properly?
>
> Regards
> Giampiero

I haven't done this on Gentoo, only on an Ubuntu 10.04 system of a client, but there it works like a charm. So I don't know if the following applies, but here are my ideas:

Did you run "sudo nss_updatedb ldap"? On Ubuntu it fetches the (non-password) data for "getent passwd" and "getent group" and stores it in /var/lib/misc/passwd.db and /var/lib/misc/group.db. Check those files. You should now be able to list LDAP users and LDAP groups without a connection to the LDAP server (by running "getent passwd" and "getent group").

The PAM configuration is very different, of course.

Then, to be able to log in, the user must have logged in once with the LDAP server connected, so that the password can be stored locally. Whether that was successful can be checked by running "sudo cc_dump". It prints:

$ sudo cc_dump
Credential Type  User    Service  Cached Credentials
------------------------------------------------------------------------
Salted SHA1      daniel  any      788e8f863a089211911dbbf1774ce141516936f4

Hope it helps...
Daniel

-- 
PGP key @ http://pgpkeys.pca.dfn.de/pks/lookup?search=0xBB9D4887&op=get
# gpg --recv-keys --keyserver hkp://subkeys.pgp.net 0xBB9D4887
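The checks Daniel's reply describes (an nsswitch.conf whose passwd and group lookups can fall through to the nss_updatedb "db" source after "ldap", and a cc_dump entry for the user) scripted as an added example that is not part of either message and not code from the nss_updatedb or pam_ccreds projects. The /var/lib/misc paths are the ones the reply names for Ubuntu, the sample nsswitch.conf lines are copied from Giampiero's post, and the cc_dump parser assumes the column layout shown in the reply (user is the third-from-last field); both sample inputs are constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the pieces an
# nss_updatedb + pam_ccreds setup needs before LDAP-less logins can work.
# Assumptions: glibc nsswitch.conf syntax; cc_dump output laid out as in
# Daniel's reply, with the user name as the third-from-last field.

# check_nsswitch FILE DATABASE
# Returns 0 when the DATABASE line in FILE names the "db" source somewhere
# after "ldap", so a lookup can fall through to the nss_updatedb cache when
# the LDAP server is unreachable; returns 1 otherwise (no line, no db, or
# db listed before ldap).
check_nsswitch() {
    file=$1
    db=$2
    line=$(grep -E "^[[:space:]]*$db:" "$file" | head -n 1 | sed 's/#.*//')
    [ -n "$line" ] || return 1
    # Drop the "name:" prefix and any "[STATUS=action]" groups; what is
    # left is the ordered list of sources.
    srcs=$(printf '%s\n' "$line" | sed -e "s/^[[:space:]]*$db://" -e 's/\[[^]]*\]//g')
    seen_ldap=0
    for s in $srcs; do
        if [ "$s" = ldap ]; then
            seen_ldap=1
        fi
        if [ "$s" = db ] && [ "$seen_ldap" -eq 1 ]; then
            return 0
        fi
    done
    return 1
}

# check_ccreds_user USER
# Reads cc_dump output on stdin; returns 0 when USER has a cached credential,
# 1 otherwise. Skips the two header lines; "Salted SHA1" is two words, so
# the user is addressed from the end of the line rather than by column.
check_ccreds_user() {
    awk -v u="$1" 'NR > 2 && NF >= 3 && $(NF-2) == u { found = 1 }
                   END { exit found ? 0 : 1 }'
}

# Constructed sample inputs (not real files from the poster's host):
# the nsswitch.conf lines are Giampiero's, the cc_dump text is Daniel's.
SAMPLE_DIR=$(mktemp -d)
NSSWITCH_SAMPLE="$SAMPLE_DIR/nsswitch.conf"
CCDUMP_SAMPLE="$SAMPLE_DIR/cc_dump.txt"
cat > "$NSSWITCH_SAMPLE" <<'EOF'
passwd: files ldap [NOTFOUND=return] db
shadow: files ldap
group:  files ldap [NOTFOUND=return] db
#passwd: files ldap
hosts:  files dns
EOF
cat > "$CCDUMP_SAMPLE" <<'EOF'
Credential Type User Service Cached Credentials
------------------------------------------------------------------------
Salted SHA1 daniel any 788e8f863a089211911dbbf1774ce141516936f4
EOF

# Report which databases can fall through to the cache ...
for db in passwd shadow group; do
    if check_nsswitch "$NSSWITCH_SAMPLE" "$db"; then
        echo "$db: db source listed after ldap"
    else
        echo "$db: no db fallback after ldap"
    fi
done
# ... and whether the user from the reply has a cached credential.
if check_ccreds_user daniel < "$CCDUMP_SAMPLE"; then
    echo "daniel: cached credential present"
else
    echo "daniel: no cached credential"
fi
echo "sample files left in $SAMPLE_DIR"
```

On a real host the same functions run against the live data: "check_nsswitch /etc/nsswitch.conf passwd", "ls -l /var/lib/misc/passwd.db /var/lib/misc/group.db" for the nss_updatedb output, and "sudo cc_dump | check_ccreds_user "$USER"". Two caveats: the nsswitch check only looks at source order, while the "[NOTFOUND=return]" action means a user that LDAP positively reports as missing is never looked up in db, whereas an unreachable server (UNAVAIL) does continue to db; and cc_dump prints the salted SHA1 of each cached password, so the pam_ccreds cache file (by default /var/cache/.security.db) must stay readable by root only.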