lists.arthurdejong.org

[nssldap] getent works but "id" and "groups" commands fail with message "failed to get groups for user "





Hello, 

I set up libnss-ldap on Linux to get user/group information
from a Windows Active Directory Server. 

With getent it all looks fine to me, although I am not sure about
the password field (second field in getent passwd) which is 'x'
for local users and 'ABCD!efgh12345$67890' for ADS users.
Same with getent group, the group password field is 'x' for local 
users and '*' for ADS users.

Even though getent output looks fine the
id and groups commands fail for users stored in ADS LDAP:

This is a user on the ADS:
cmd> id adsuser
uid=10004(adsuser) gid=100001(aixgroup)id: failed to get groups for user 
`adsuser': No such file or directory

cmd> groups adsuser
aixgroupid: failed to get groups for user `adsuser': No such file or directory

This is a local user configured in /etc/passwd, /etc/shadow and /etc/groups:
cmd> id jom
uid=1000(jom) gid=1000(jom) 
groups=1000(jom),4(adm),20(dialout),24(cdrom),25(floppy)

cmd> groups jom 
jom adm dialout cdrom floppy

cmd> getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
... these are coming from ADS:
Administrator:ABCD!efgh12345$67890:10003:10000:Administrator:/home/Administrator:/bin/sh
heinzt:ABCD!efgh12345$67890:10000:10002:Heinz Test:/home/heinzt:/bin/bash
ldap:ABCD!efgh12345$67890:10001:10001:ldap:/home/ldap:/bin/sh
adsuser:ABCD!efgh12345$67890:10004:100001:ADS User:/home/adsuser:/bin/bash

cmd> getent group
root:x:0:
daemon:x:1:
...
jom:x:1000:
... these are coming from ADS:
Administratoren:*:10000:
ppiuser:*:99999:heinzt
aixgroup:*:100001:adsuser



This is my configuration:

cmd> cat /etc/nsswitch.conf 
passwd:         compat ldap  [notfound=continue]
group:          compat ldap  [notfound=continue]
shadow:         compat ldap  [notfound=continue]

hosts:          files mdns4_minimal [NOTFOUND=return] dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

cmd> cat /etc/ldap.conf
### debug
debug                   256
logdir                  /var/log/ldap

### connection
uri                     ldap://10.2.1.70
base                    dc=av-verlag,dc=de
scope                   sub     
timelimit               30
ssl                     no
nss_reconnect_tries     3       
ldap_version            2 
binddn                  CN=ldap,CN=Users,DC=av-verlag,DC=de 
bindpw                  secret
bind_policy             hard
nss_connect_policy      persist
nss_paged_results       yes

### Mapping

nss_base_passwd dc=av-verlag,dc=de
nss_base_shadow dc=av-verlag,dc=de
nss_base_group  dc=av-verlag,dc=de

nss_map_objectclass posixAccount        User
nss_map_objectclass shadowAccount       User
nss_map_objectclass posixGroup          Group

nss_map_attribute       uid             msSFU30Name
nss_map_attribute       uidNumber       msSFU30UidNumber
nss_map_attribute       gidNumber       msSFU30GidNumber
nss_map_attribute       loginShell      msSFU30LoginShell
nss_map_attribute       gecos           displayName
nss_map_attribute       userPassword    msSFU30Password
nss_map_attribute       homeDirectory   msSFU30HomeDirectory
nss_map_attribute       cn              sAMAccountName  

#nss_map_attribute      uniqueMember    msSFU30PosixMemberOf
nss_map_attribute       uniqueMember    msSFU30PosixMember

nss_map_attribute       givenname               displayName
nss_map_attribute       shadowLastChange        pwdLastSet
nss_map_attribute       gid                     msSFU30GidNumber

pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
nss_schema rfc2307bis


cmd> cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=av-verlag,dc=de      
URI     ldap://10.2.1.70        

#SIZELIMIT      12
TIMELIMIT       5
#DEREF          never


I put further debug information (ldapsearch, strace getent)
here because it was not possible to get this mailed to the list:
http://www.pastebin.ca/raw/950040


Thanks, Jodok
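Added example (not part of the original mail or of libnss-ldap): a small Python emulation of what id(1)/groups(1) assemble from the NSS passwd and group maps, fed with the getent output quoted above. It shows that, from the data getent returns, adsuser's primary gid 100001 resolves to aixgroup (matching the "gid=100001(aixgroup)" that id prints before it fails) and that adsuser is listed as a member of that group, so the quoted maps by themselves would yield a group list; it does not diagnose why getgrouplist() fails on the real system. It also flags passwd entries whose password field is not a placeholder: the NSS passwd map is readable by every local process, so mapping userPassword to a real attribute (here msSFU30Password) publishes whatever that attribute holds to anyone who can run getent. The sample data is constructed from the mail; jom's passwd line is reconstructed from the uid/gid that id printed, the "..." elisions are dropped, and the ADS lines are copied as posted.

```python
"""Emulate the group resolution behind id(1)/groups(1) from getent output.

Added example, not code from the mail or from libnss-ldap. Input is
constructed from the getent output quoted in the mail.
"""

from collections import namedtuple

PasswdEntry = namedtuple("PasswdEntry", "name passwd uid gid gecos home shell")
GroupEntry = namedtuple("GroupEntry", "name passwd gid members")

# Constructed sample: local entries as quoted (elisions dropped), jom's
# passwd line reconstructed from "uid=1000(jom) gid=1000(jom)", ADS lines
# copied from the mail.
GETENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
jom:x:1000:1000:jom:/home/jom:/bin/bash
Administrator:ABCD!efgh12345$67890:10003:10000:Administrator:/home/Administrator:/bin/sh
heinzt:ABCD!efgh12345$67890:10000:10002:Heinz Test:/home/heinzt:/bin/bash
ldap:ABCD!efgh12345$67890:10001:10001:ldap:/home/ldap:/bin/sh
adsuser:ABCD!efgh12345$67890:10004:100001:ADS User:/home/adsuser:/bin/bash
"""

GETENT_GROUP = """\
root:x:0:
daemon:x:1:
jom:x:1000:
Administratoren:*:10000:
ppiuser:*:99999:heinzt
aixgroup:*:100001:adsuser
"""


def parse_passwd(text):
    """Parse getent-passwd style lines into a dict keyed by user name."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, uid, gid, gecos, home, shell = line.split(":", 6)
        entries[name] = PasswdEntry(name, pw, int(uid), int(gid), gecos, home, shell)
    return entries


def parse_group(text):
    """Parse getent-group style lines into a dict keyed by group name."""
    entries = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw, gid, members = line.split(":", 3)
        member_list = tuple(m for m in members.split(",") if m)
        entries[name] = GroupEntry(name, pw, int(gid), member_list)
    return entries


def groups_for(user, passwd, groups):
    """Return [(gid, name_or_None), ...] the way id(1) lists them.

    The primary gid comes from the passwd entry; its name is None when no
    group carries that gid (id then prints the bare number). Supplementary
    groups are every group whose member list names the user, which is what
    initgroups()/getgrouplist() walk over the group map.
    """
    pw = passwd[user]  # KeyError if the passwd map has no such user
    by_gid = {g.gid: g for g in groups.values()}
    primary = by_gid.get(pw.gid)
    result = [(pw.gid, primary.name if primary else None)]
    for g in groups.values():
        if user in g.members and g.gid != pw.gid:
            result.append((g.gid, g.name))
    return result


# Values that conventionally mean "no password here, look elsewhere".
PLACEHOLDERS = {"x", "*", "!", "!!", ""}


def exposed_password_fields(passwd):
    """Names whose passwd field is not a placeholder.

    The NSS passwd map is world-readable, so anything real that lands in
    this field (via the userPassword attribute mapping) is visible to every
    local process that calls getpwent().
    """
    return sorted(n for n, e in passwd.items() if e.passwd not in PLACEHOLDERS)


if __name__ == "__main__":
    pw_map = parse_passwd(GETENT_PASSWD)
    gr_map = parse_group(GETENT_GROUP)
    for user in ("adsuser", "heinzt", "jom"):
        print(user, groups_for(user, pw_map, gr_map))
    print("non-placeholder passwd fields:", exposed_password_fields(pw_map))
```

Note that heinzt's primary gid 10002 has no group entry in the quoted getent group output, so the emulation reports it as a bare number; the real id(1) does the same for an unresolvable primary gid rather than failing outright.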