RSS feed

PAM doesn't retrieve secondary group when it is an aliased object

[Date Prev][Date Next] [Thread Prev][Thread Next]

PAM doesn't retrieve secondary group when it is an aliased object

Hi everybody,

Under Debian Squeeze, I need to use Samba/PAM/LDAP authentication and
group mapping through dyngroups using:
slapd : 2.4.23-7.2
nslcd : 0.7.13
libpam-ldapd : 0.7.13
libnss-ldapd : 0.7.13

I added the rfc2307bis schema because I want to obtain a groupOfURLs as
structural objectclass and a posixGroup as auxiliary objectclass with a
gidNumber as attribute !

After a minimal population, I got this LDAP tree:


# LDIF Export for dc=domain,dc=tld
# Server: My LDAP Server (localhost)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 12
# Generated by phpLDAPadmin ( on July
13, 2011 8:47 am
# Version:

version: 1

# Entry 1: dc=domain,dc=tld
dn: dc=domain,dc=tld
dc: domain
o: domain
objectclass: dcObject
objectclass: organization

# Entry 2: cn=NextFreeUnixId,dc=domain,dc=tld
dn: cn=NextFreeUnixId,dc=domain,dc=tld
cn: NextFreeUnixId
gidnumber: 1108
objectclass: inetOrgPerson
objectclass: sambaUnixIdPool
sn: NextFreeUnixId
uidnumber: 2086

# Entry 3: ou=computers,dc=domain,dc=tld
dn: ou=computers,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: computers

# Entry 4: ou=groups,dc=domain,dc=tld
dn: ou=groups,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: groups

# Entry 5: cn=peri,ou=groups,dc=domain,dc=tld
dn: cn=peri,ou=groups,dc=domain,dc=tld
cn: peri
gidnumber: 521
member: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
memberurl: ldap:///ou=peri,ou=dga1,ou=users,dc=domain,dc=tld??one?(uid=*)
objectclass: groupOfURLs
objectclass: posixGroup

# Entry 6: cn=scol,ou=groups,dc=domain,dc=tld
dn: cn=scol,ou=groups,dc=domain,dc=tld
cn: scol
gidnumber: 524
member: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
memberurl: ldap:///ou=scol,ou=dga1,ou=users,dc=domain,dc=tld??one?(uid=*)
objectclass: groupOfURLs
objectclass: top
objectclass: extensibleObject
objectclass: posixGroup
sambagrouptype: 2
sambasid: S-1-5-21-3628528233-1319900138-667723050-3165

# Entry 7: ou=users,dc=domain,dc=tld
dn: ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: users

# Entry 8: ou=dga1,ou=users,dc=domain,dc=tld
dn: ou=dga1,ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: dga1

# Entry 9: ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
dn: ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: peri

# Entry 10: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
dn: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
aliasedobjectname: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
objectclass: alias
objectclass: top
objectclass: extensibleObject
uid: abeaulieu

# Entry 11: ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
dn: ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
objectclass: top
objectclass: organizationalUnit
ou: scol

# Entry 12: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
dn: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
description: Anne BEAULIEU
displayname: Anne BEAULIEU
gecos: Anne BEAULIEU
gidnumber: 524
givenname: Anne
homedirectory: /data/users/abeaulieu
loginshell: /bin/bash
mail: abeaulieu@domain.tld
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: shadowAccount
objectclass: sambaSamAccount
sambaacctflags: [U]
sambabadpasswordcount: 0
sambabadpasswordtime: 0
sambahomedrive: U:
sambahomepath: \\arwen\homes\abeaulieu
sambakickofftime: 2147483647
sambalmpassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambalogofftime: 2147483647
sambalogonscript: abeaulieu.bat
sambalogontime: 0
sambantpassword: 0CB6948805F797BF2A82807973B89537
sambapasswordhistory: 168DEEDA8D143CA27D33E12FF4CD81D211B01B0E4B8BD8E2868983
sambaprimarygroupsid: S-1-5-21-3628528233-1319900138-667723050-513
sambaprofilepath: \\arwen\profiles\abeaulieu
sambapwdcanchange: 0
sambapwdlastset: 1303395867
sambapwdmustchange: 1318947867
sambasid: S-1-5-21-3628528233-1319900138-667723050-5156
shadowlastchange: 15085
shadowmax: 180
uid: abeaulieu
uidnumber: 2078
userpassword: {CRYPT}XdiWfno7Or4XA


Everything seems to be OK, like:

$ getent group

$ getent passwd
abeaulieu:x:2078:524:Anne BEAULIEU:/data/users/abeaulieu:/bin/bash

$ getent shadow

So I can authenticate the user abeaulieu without any problem !

I also can do that:

$ ldapsearch -h localhost -x -D "cn=admin,dc=domain,dc=tld" -w secret

# extended LDIF
# LDAPv3
# base <dc=domain,dc=tld> (default) with scope subtree
# filter: gidnumber=521
# requesting: ALL

# peri, groups, domain.tld
dn: cn=peri,ou=groups,dc=domain,dc=tld
gidNumber: 521
objectClass: groupOfURLs
objectClass: posixGroup
cn: peri
memberURL: ldap:///ou=peri,ou=dga1,ou=users,dc=domain,dc=tld??one?(uid=*)
member: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1


ldapsearch -h localhost -x -D "cn=admin,dc=domain,dc=tld" -w secret

# extended LDIF
# LDAPv3
# base <dc=domain,dc=tld> (default) with scope subtree
# filter: uid=abeaulieu
# requesting: ALL

# abeaulieu, peri, dga1, users, domain.tld
dn: uid=abeaulieu,ou=peri,ou=dga1,ou=users,dc=domain,dc=tld
uid: abeaulieu
objectClass: alias
objectClass: top
objectClass: extensibleObject
aliasedObjectName: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld

# abeaulieu, scol, dga1, users, domain.tld
dn: uid=abeaulieu,ou=scol,ou=dga1,ou=users,dc=domain,dc=tld
sambaLMPassword: 01FC5A6BE7BC6929AAD3B435B51404EE
sambaPrimaryGroupSID: S-1-5-21-3628528233-1319900138-667723050-513
displayName: Anne BEAULIEU
givenName: Anne
sambaLogonScript: abeaulieu.bat
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
objectClass: sambaSamAccount
shadowLastChange: 15085
userPassword:: e0NSWVBUfVg1aVdIbm83VXI0WEE=
sambaHomeDrive: U:
sambaLogonTime: 0
sambaBadPasswordTime: 0
uid: abeaulieu
uidNumber: 2078
sambaLogoffTime: 2147483647
sambaPwdLastSet: 1303395867
sambaAcctFlags: [U]
loginShell: /bin/bash
sambaBadPasswordCount: 0
sambaProfilePath: \\arwen\profiles\abeaulieu
gidNumber: 524
shadowMax: 180
sambaPwdMustChange: 1318947867
sambaSID: S-1-5-21-3628528233-1319900138-667723050-5156
gecos: Anne BEAULIEU
sambaNTPassword: 0CB6948805F797BF2A82807973B89537
sambaPwdCanChange: 0
description: Anne BEAULIEU
homeDirectory: /data/users/abeaulieu
sambaKickoffTime: 2147483647
sambaHomePath: \\arwen\homes\abeaulieu
mail: abeaulieu@domain.tld

# search result
search: 2
result: 0 Success

# numResponses: 3
# numEntries: 2

... So I rightly obtain the alias !

But when I try:

$ groups abeaulieu
abeaulieu : scol

I don't retrieve the secondary group... which is the alias ???
Any idea ?
Thank you for all your suggestions.

Camille PREVOST - A Debian enthusiast


There are my main config file's directives:

##### /etc/ldap/slapd.conf :

include        /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/inetorgperson.schema
include         /etc/ldap/schema/openldap.schema
include         /etc/ldap/schema/rfc2307bis.schema
include         /etc/ldap/schema/samba.schema
include         /etc/ldap/schema/misc.schema
include         /etc/ldap/schema/dyngroup.schema
pidfile        /var/run/slapd/
argsfile     /var/run/slapd/slapd.args
modulepath    /usr/lib/ldap/
moduleload    back_bdb
allow bind_v2
database        bdb
directory       /var/lib/ldap
suffix          "dc=domain,dc=tld"
rootdn          "cn=admin,dc=domain,dc=tld"
rootpw          secret
loglevel 256
overlay dynlist
overlay autogroup
autogroup-attrset posixGroup memberURL uidnumber
access to
        by anonymous auth
        by self write
        by * none
access to dn.base="" by * read
access to *
       by * read
cachesize  100000
index    objectClass            pres,eq
index   cn,sn,uid,displayName           pres,sub,eq
index   uidNumber,gidNumber             eq
index   sambaSID                        eq
index   sambaPrimaryGroupSID            eq
index   sambaDomainName                 eq
index   default                         sub
index   memberURL                       pres,eq
index   memberUid                       pres,eq
index   uniqueMember                    pres,eq

##### /etc/nsswitch.conf :

passwd:         files ldap
group:          files ldap
shadow:         files ldap
aliases:        files ldap

hosts:          files dns ldap
networks:       files

services:       files db
protocols:      files db
rpc:            files db
ethers:         files db
netgroup:       files nis

##### /etc/nslcd.conf :

uid nslcd
gid nslcd
uri ldap://
base dc=domain,dc=tld
ldap_version 3
scope sub


Everything is correctly configured in /etc/pam.d/common-* and I assumed
Samba config files are not needed to find what is wrong...

To unsubscribe send an email to or see