lists.arthurdejong.org

nslcd cannot find group name

Hi Arthur and nslcd users

We used to use nss-pam-ldap to authenticate Ubuntu 16.04 with our Windows domain controllers, but I have not been able to log in as a local user when using nss-pam-ldap with Ubuntu 20.04, so we have to use nss-pam-ldapd instead.

I have managed to get nss-pam-ldapd mostly working with our Windows Server 2016 domain controllers but not the groups. When I run:

su - LDAP/ADuser

I get the error:

nslcd cannot find group name

Or in some of my experimental configs I don't get that error, but I'm not getting the correct group name like when using nss-pam-ldap under Ubuntu 16.04. I have read the official nss-pam-ldapd docs as well as the relevant Debian and Arch wiki pages, but I'm none the wiser how to get groups working properly.

When I installed the libnss-ldapd, libpam-ldapd, ldap-utils and nslcd packages I chose to configure the passwd, group and shadow name services.

Here is our old ldap.conf that prints the correct group names when an LDAP user is logged in and runs id:

--------------------------------------------------------
base dc=isdads,dc=salford,dc=ac,dc=uk
uri ldap://uos-p-rodc-11.isdads.salford.ac.uk:389
ldap_version 3
binddn LDAP-P-CSE1@ISDADS.SALFORD.AC.UK
bindpw PASSWORDHERE
bind_policy soft

scope sub
timelimit 10

pam_filter objectclass=User
pam_login_attribute sAMAccountName
pam_password ad
pam_min_uid 1000

nss_base_passwd dc=isdads,dc=salford,dc=ac,dc=uk?sub
nss_base_shadow dc=isdads,dc=salford,dc=ac,dc=uk?sub
nss_base_group dc=isdads,dc=salford,dc=ac,dc=uk?sub
referrals no
nss_schema rfc2307bis

nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup group

nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uidNumber uidNumber
nss_map_attribute gidNumber gidNumber
nss_map_attribute gecos displayName
nss_map_attribute uniqueMember member
nss_map_attribute shadowLastChange pwdLastSet
nss_override_attribute_value loginShell /bin/bash
nss_initgroups_ignoreusers _apt,avahi,avahi-autoipd,backup,bin,boundary,clamav,cockpit-ws,colord,daemon,dhcpd,dnsmasq,games,gnats,graphdat,guest-uF4sKZ,hplip,irc,kernoops,landscape,libuuid,lightdm,list,lp,mail,man,messagebus,mongodb,nbd,news,nslcd,ntp,nvidia-persistenced,nx,postfix,proxy,pulse,root,rtkit,saned,scep,smmsp,smmta,snmp,speech-dispatcher,sshd,statd,sync,sys,syslog,systemd-bus-proxy,systemd-network,systemd-resolve,systemd-timesync,tftp,usbmux,uucp,uuidd,whoopsie,www-data,x2gouser,zabbix
--------------------------------------------------------

And here is my current nslcd.conf. You can see some of the settings I've been experimenting with in the comments:

--------------------------------------------------------

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://uos-p-rodc-11.isdads.salford.ac.uk:389

# The search base that will be used for all queries.
base dc=isdads,dc=salford,dc=ac,dc=uk
#base group OU=Groups,OU=Non Datacentre,dc=isdads,dc=salford,dc=ac,dc=uk

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn LDAP-P-CSE1@ISDADS.SALFORD.AC.UK
bindpw OURLDAPPASSWORDHERE

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
scope sub
timelimit 10

pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter group (objectClass=posixGroup)
map    passwd uid              sAMAccountName
map    passwd gidNumber        gidNumber
map    passwd homeDirectory    unixHomeDirectory
map    passwd gecos            displayName
map    passwd loginShell    "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map    shadow uid              sAMAccountName
map    shadow shadowLastChange pwdLastSet
#map    group  gidNumber        gidNumber
--------------------------------------------------------

I think we are using the UNIX extensions for LDAP under Windows Server, but I'm not one of the Windows admins, so I'd have to check that if it matters.

Thanks

University of Salford
DANIEL MACDONALD
Specialist Technical Demonstrator
School of Computing, Science & Engineering
Room 145, Newton Building, University of Salford, Manchester M5 4WT
T: +44(0) 0161 295 5242
D.R.MacDonald@salford.ac.uk  www.salford.ac.uk
CSE
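Added here as an illustration, not code from the post or from nss-pam-ldapd: a small Python evaluator for the filter subset used in the nslcd.conf above, run against constructed AD-style entries (hypothetical DNs and values). It shows that the passwd filter already excludes computer accounts, and that a group filter of (objectClass=posixGroup) resolves no group name for a user's gidNumber when the directory's groups carry objectClass group, the class the old ldap.conf maps posixGroup to, whereas a filter keyed on objectClass group does resolve it in this sample.

```python
# Added example, not code from the mailing-list post: a small evaluator for the
# filter syntax used in nslcd.conf, run against constructed AD-style entries.
import re
# Constructed entries (hypothetical DNs and values). The group carries objectClass
# "group" and a "member" attribute, the classes the old ldap.conf above maps to.
ENTRIES = {
    "CN=ADuser,OU=Users,DC=example,DC=test": {
        "objectClass": ["top", "person", "user"], "sAMAccountName": ["ADuser"],
        "uidNumber": ["10001"], "gidNumber": ["20001"], "unixHomeDirectory": ["/home/ADuser"]},
    "CN=PC01,OU=Computers,DC=example,DC=test": {
        "objectClass": ["top", "person", "user", "computer"], "sAMAccountName": ["PC01$"],
        "uidNumber": ["10002"], "gidNumber": ["20001"], "unixHomeDirectory": ["/home/pc01"]},
    "CN=unixusers,OU=Groups,DC=example,DC=test": {
        "objectClass": ["top", "group"], "cn": ["unixusers"], "gidNumber": ["20001"],
        "member": ["CN=ADuser,OU=Users,DC=example,DC=test"]},
}
PASSWD_FILTER = "(&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))"

def _parse(f, i=0):
    """Parse the filter subset used above: AND (&), NOT (!), equality, presence (=*)."""
    if f[i + 1] in "&!":
        op, i, subs = f[i + 1], i + 2, []
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        return (op, subs), i + 1  # step past the closing parenthesis
    m = re.match(r"\(([^=()]+)=([^()]*)\)", f[i:])
    return ("eq", m.group(1), m.group(2)), i + m.end()
def _vals(entry, attr):  # attribute names and these values compare case-insensitively
    return [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
def matches(entry, node):
    if node[0] in "&!":
        hits = [matches(entry, n) for n in node[1]]
        return all(hits) if node[0] == "&" else not hits[0]
    _, attr, value = node
    return bool(_vals(entry, attr)) if value == "*" else value.lower() in _vals(entry, attr)

def search(filter_str):  # DNs of entries matching an nslcd-style filter string
    node, _ = _parse(filter_str)
    return sorted(dn for dn, e in ENTRIES.items() if matches(e, node))

def primary_group_name(user_filter, group_filter, login):
    """What `id` needs: the user's gidNumber, then a group matching group_filter with
    that gidNumber. None is the 'cannot find group name' outcome."""
    for dn in search(user_filter):
        if _vals(ENTRIES[dn], "sAMAccountName") == [login.lower()]:
            gid = _vals(ENTRIES[dn], "gidNumber")[0]
            for gdn in search(group_filter):
                if gid in _vals(ENTRIES[gdn], "gidNumber"):
                    return ENTRIES[gdn]["cn"][0]
    return None
```

Running the same two group filters with ldapsearch against the real directory, with the bind DN from nslcd.conf, is the equivalent check on a live server.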