nslcd cannot find group name

[Date Prev][Date Next] [Thread Prev][Thread Next]

From: Daniel Macdonald <D.R.MacDonald [at] salford.ac.uk>
To: "nss-pam-ldapd-users [at] lists.arthurdejong.org" <nss-pam-ldapd-users [at] lists.arthurdejong.org>
Subject: nslcd cannot find group name
Date: Sat, 4 Dec 2021 12:34:36 +0000

Hi Arthur and nslcd users

We used to use nss-pam-ldap to authenticate Ubuntu 16.04 with our Windows domain controllers but I have not been able to login as a local user when using nss-pam-ldap with Ubuntu 20.04 so we have to use nss-pam-ldapd instead.

I have managed to get nss-pam-ldapd mostly working with our Windows Server 2016 domain controllers but not the groups. When I run:

su - LDAP/ADuser

I get the error:

nslcd cannot find group name

Or in some of my experimental configs I don't get that error but I'm not getting the correct group name like when using nss-pam-ldap under Ubuntu 16.04. I have read the official nss-pam-ldapd docs as well as the relevant Debian and Arch wiki pages but I'm not the wiser how to get groups working properly.

When I installed the libnss-ldapd libpam-ldapd ldap-utils and nslcd packages I chose to configure the passwd, group and shadow name services.

Here is our old ldap.conf that prints the correct group names when an LDAP user is logged in and runs id:

--------------------------------------------------------
base dc=isdads,dc=salford,dc=ac,dc=uk

uri ldap://uos-p-rodc-11.isdads.salford.ac.uk:389

ldap_version 3

binddn LDAP-P-CSE1@ISDADS.SALFORD.AC.UK

bindpw PASSWORDHERE

bind_policy soft

scope sub

timelimit 10

pam_filter objectclass=User

pam_login_attribute sAMAccountName

pam_password ad

pam_min_uid 1000

nss_base_passwd dc=isdads,dc=salford,dc=ac,dc=uk?sub

nss_base_shadow dc=isdads,dc=salford,dc=ac,dc=uk?sub

nss_base_group dc=isdads,dc=salford,dc=ac,dc=uk?sub

referrals no

nss_schema rfc2307bis

nss_map_objectclass posixAccount User

nss_map_objectclass shadowAccount User

nss_map_objectclass posixGroup group

nss_map_attribute uid sAMAccountName

nss_map_attribute homeDirectory unixHomeDirectory

nss_map_attribute uidNumber uidNumber

nss_map_attribute gidNumber gidNumber

nss_map_attribute gecos displayName

nss_map_attribute uniqueMember member

nss_map_attribute shadowLastChange pwdLastSet

nss_override_attribute_value loginShell /bin/bash

nss_initgroups_ignoreusers _apt,avahi,avahi-autoipd,backup,bin,boundary,clamav,cockpit-ws,colord,daemon,dhcpd,dnsmasq,games,gnats,graphdat,guest-uF4sKZ,hplip,irc,kernoops,landscape,libuuid,lightdm,list,lp,mail,man,messagebus,mongodb,nbd,news,nslcd,ntp,nvidia-persistenced,nx,postfix,proxy,pulse,root,rtkit,saned,scep,smmsp,smmta,snmp,speech-dispatcher,sshd,statd,sync,sys,syslog,systemd-bus-proxy,systemd-network,systemd-resolve,systemd-timesync,tftp,usbmux,uucp,uuidd,whoopsie,www-data,x2gouser,zabbix

--------------------------------------------------------

And here is my current nslcd.conf. You can see some of the settings I've been experimenting with in the comments:

--------------------------------------------------------

# /etc/nslcd.conf
# nslcd configuration file. See nslcd.conf(5)
# for details.

# The user and group nslcd should run as.
uid nslcd
gid nslcd

# The location at which the LDAP server(s) should be reachable.
uri ldap://uos-p-rodc-11.isdads.salford.ac.uk:389

# The search base that will be used for all queries.
base dc=isdads,dc=salford,dc=ac,dc=uk
#base group OU=Groups,OU=Non Datacentre,dc=isdads,dc=salford,dc=ac,dc=uk

# The LDAP protocol version to use.
#ldap_version 3

# The DN to bind with for normal lookups.
binddn LDAP-P-CSE1@ISDADS.SALFORD.AC.UK
bindpw OURLDAPPASSWORDHERE

# The DN used for password modifications by root.
#rootpwmoddn cn=admin,dc=example,dc=com

# SSL options
#ssl off
#tls_reqcert never
#tls_cacertfile /etc/ssl/certs/ca-certificates.crt

# The search scope.
scope sub
timelimit 10

pagesize 1000
referrals off
idle_timelimit 800
filter passwd (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
filter group (objectClass=posixGroup)
map passwd uid sAMAccountName
map passwd gidNumber gidNumber
map passwd homeDirectory unixHomeDirectory
map passwd gecos displayName
map passwd loginShell "/bin/bash"
filter shadow (&(objectClass=user)(!(objectClass=computer))(uidNumber=*)(unixHomeDirectory=*))
map shadow uid sAMAccountName
map shadow shadowLastChange pwdLastSet
#map group gidNumber gidNumber

--------------------------------------------------------

I think we are using the UNIX extensions for LDAP under Windows server but I'm not one of the Windows admins so I'd have to check that if it matters.

Thanks

DANIEL MACDONALD
Specialist Technical Demonstrator

School of Computing, Science & Engineering
Room 145, Newton Building, University of Salford, Manchester M5 4WT
T: +44(0) 0161 295 5242
D.R.MacDonald@salford.ac.uk / www.salford.ac.uk

nslcd cannot find group name, Daniel Macdonald

Re: nslcd cannot find group name, Arthur de Jong

Prev by Date: Re: [EXTERNAL] Re: "Genet group" returns empty list of group member
Next by Date: Re: nslcd cannot find group name
Previous by thread: Re: [EXTERNAL] Re: "Genet group" returns empty list of group member
Next by thread: Re: nslcd cannot find group name