[nssldap] gentent works but "id" and "groups" commands fail with message "failed to get groups for user "
- From: jodok-ole.muellers [at] aschendorff.de
- To: nssldap [at] padl.com
- Subject: [nssldap] gentent works but "id" and "groups" commands fail with message "failed to get groups for user "
- Date: Thu, 20 Mar 2008 09:42:29 +0100
Hello,
I set up libnss-ldap on Linux to get user/group information
from a Windows Active Directory Server.
With getent it all looks fine to me, although I am not sure about
the password field (second field in getent passwd) which is 'x'
for local users and 'ABCD!efgh12345$67890' for ADS users.
Same with getent group, the group password field is 'x' for local
users and '*' for ADS users.
Even though the getent output looks fine, the
id and groups commands fail for users stored in ADS LDAP:
This is a user on the ADS:
cmd> id adsuser
uid=10004(adsuser) gid=100001(aixgroup)id: failed to get groups for user
`adsuser': No such file or directory
cmd> groups adsuser
aixgroupid: failed to get groups for user `adsuser': No such file or directory
This is a local user configured in /etc/passwd, /etc/shadow and /etc/groups:
cmd> id jom
uid=1000(jom) gid=1000(jom)
groups=1000(jom),4(adm),20(dialout),24(cdrom),25(floppy)
cmd> groups jom
jom adm dialout cdrom floppy
cmd> getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
...
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
... these are coming from ADS:
Administrator:ABCD!efgh12345$67890:10003:10000:Administrator:/home/Administrator:/bin/sh
heinzt:ABCD!efgh12345$67890:10000:10002:Heinz Test:/home/heinzt:/bin/bash
ldap:ABCD!efgh12345$67890:10001:10001:ldap:/home/ldap:/bin/sh
adsuser:ABCD!efgh12345$67890:10004:100001:ADS User:/home/adsuser:/bin/bash
cmd> getent group
root:x:0:
daemon:x:1:
...
jom:x:1000:
... these are coming from ADS:
Administratoren:*:10000:
ppiuser:*:99999:heinzt
aixgroup:*:100001:adsuser
This is my configuration:
cmd> cat /etc/nsswitch.conf
passwd: compat ldap [notfound=continue]
group: compat ldap [notfound=continue]
shadow: compat ldap [notfound=continue]
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
cmd> cat /etc/ldap.conf
### debug
debug 256
logdir /var/log/ldap
### connection
uri ldap://10.2.1.70
base dc=av-verlag,dc=de
scope sub
timelimit 30
ssl no
nss_reconnect_tries 3
ldap_version 2
binddn CN=ldap,CN=Users,DC=av-verlag,DC=de
bindpw secret
bind_policy hard
nss_connect_policy persist
nss_paged_results yes
### Mapping
nss_base_passwd dc=av-verlag,dc=de
nss_base_shadow dc=av-verlag,dc=de
nss_base_group dc=av-verlag,dc=de
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_objectclass posixGroup Group
nss_map_attribute uid msSFU30Name
nss_map_attribute uidNumber msSFU30UidNumber
nss_map_attribute gidNumber msSFU30GidNumber
nss_map_attribute loginShell msSFU30LoginShell
nss_map_attribute gecos displayName
nss_map_attribute userPassword msSFU30Password
nss_map_attribute homeDirectory msSFU30HomeDirectory
nss_map_attribute cn sAMAccountName
#nss_map_attribute uniqueMember msSFU30PosixMemberOf
nss_map_attribute uniqueMember msSFU30PosixMember
nss_map_attribute givenname displayName
nss_map_attribute shadowLastChange pwdLastSet
nss_map_attribute gid msSFU30GidNumber
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad
nss_schema rfc2307bis
cmd> cat /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=av-verlag,dc=de
URI ldap://10.2.1.70
#SIZELIMIT 12
TIMELIMIT 5
#DEREF never
I put further debug information (ldapsearch, strace getent)
here because it was not possible to get this mailed to the list:
http://www.pastebin.ca/raw/950040
Thanks, Jodok
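The split reported above (getent passwd and getent group succeed, id and groups fail) matches the two different NSS entry points involved: getent enumerates the map, while id(1) builds the supplementary group list with getgrouplist(), which goes through the NSS initgroups hook. The C program below is an added diagnostic, not code from the mail or from nss_ldap; it runs those same calls for one user so the failing step and the errno it leaves behind can be seen directly (the default user name "root" and the 16-entry starting buffer are assumptions).

```c
#define _GNU_SOURCE /* keeps getgrouplist() visible under strict -std flags */
/* Added diagnostic, not from the original mail: run the NSS calls id(1) makes so a
 * failure can be pinned to getpwnam() or to getgrouplist()'s initgroups path. */
#include <err.h>
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>

/* Group list for `user` as id(1) builds it (primary gid first).  Stores a
 * malloc'd array in *out (caller frees); returns its length or -1 on error. */
int user_group_count(const char *user, gid_t primary, gid_t **out)
{
    int cap = 16, n;                    /* assumed starting size; grown on demand */
    gid_t *buf = malloc(cap * sizeof *buf), *bigger;
    while (buf != NULL) {
        n = cap;
        if (getgrouplist(user, primary, buf, &n) != -1) {
            *out = buf;                 /* success: n is the real count */
            return n;
        }
        /* -1 with no larger size hint means an NSS backend reported failure */
        if (n <= cap || (bigger = realloc(buf, n * sizeof *buf)) == NULL)
            break;
        buf = bigger;                   /* buffer too small: grow and retry */
        cap = n;
    }
    free(buf);
    return -1;
}

int main(int argc, char **argv)
{
    const char *user = argc > 1 ? argv[1] : "root";
    struct passwd *pw = getpwnam(user); /* passwd map: the path getent uses */
    gid_t *gids;
    int n;
    if (pw == NULL)
        errx(1, "getpwnam(%s) failed: no such user or backend error", user);
    errno = 0;
    if ((n = user_group_count(user, pw->pw_gid, &gids)) < 0)
        err(1, "getgrouplist(%s) failed, as id(1) does", user); /* initgroups path */
    for (int i = 0; i < n; i++) {       /* by-gid lookups, as id(1) prints them */
        struct group *gr = getgrgid(gids[i]);
        printf("%u(%s)%s", (unsigned)gids[i], gr ? gr->gr_name : "?", i + 1 < n ? "," : "\n");
    }
    free(gids);
    return 0;
}
```

Run it as `./nsscheck adsuser` on the host with the ldap.conf above and `debug 256` enabled; the log written to logdir then shows exactly which nss_ldap lookup ran when getgrouplist() failed.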