Re: [nssldap] wireshark shows successful ldap searches, but no nss or pam stuff works

philoertel wrote:
Thanks for the responses!

See I saw a post somewhere else suggesting there might be a problem with not
having uid and gid. But I thought this was a common thing and there must be
a way. I definitely don't have uid in AD. If I can get my AD admins to work
with me, can I just add random uids (>1000)? I don't really understand why
they have to be there for this to work, so I can't figure out if there's a
reasonable workaround.

I have users both local and remote because remote doesn't work! But I think
this is the normal way right? Because root's always going to be local? And
at any rate it shouldn't cause any problems.


Guillaume Rousse wrote:
philoertel wrote:
I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to
authenticate people against our AD server.

You may also want to look at treating authentication separate from
authorization. You can then use Kerberos for authentication to AD,
and do the authorization to local file, DIS, or LDAP either as a
separate server, or to AD.

In this case the pam_krb5 is used, and nsswitch for password, and groups
can use LDAP without using pam_ldap.

Kerberos does not need the UID and GIDs, but the passwd and groups
mapping do, so if you use LDAP to AD for authorization, AD will need the
UID and GIDs.

Google for:    windows ldap uid gid

and also look at Samba.



But I've broken everything. I can ssh and su as root. ssh as my regular
user (who's both in ldap and /etc/passwd) just hangs. ssh or su as any user
in ldap but not in /etc/passwd errors: "unknown id: test". getent passwd
shows only users in /etc/passwd. id root works, id poertel (me) hangs, and
id <ldap-user> fails with id: <ldap-user>: No such user. libnss-ldap is
installed, and strace shows su is checking nss, or at least it's opening
the config files.
Not really what you expect, but:
- why do you have users both in local (/etc/passwd) and remote (ldap) databases?
- are you sure AD has enough information to be used as a Unix account database? More specifically, I don't think there is anything as gid and uid there...

--
BOFH excuse #92:

Stale file handle (next time use Tupperware(tm)!)

--

 Douglas E. Engert  <DEEngert@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
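The two points raised in this thread, that nss-ldap can only map accounts that carry POSIX attributes (uidNumber, gidNumber, homeDirectory, loginShell, the RFC 2307 schema) and that having the same user in both /etc/passwd and the directory invites trouble, can be checked before touching pam or nsswitch. The script below is an added example, not code from the thread or from nss-ldap: it parses a small constructed LDIF export (what an ldapsearch against AD would return once the POSIX attributes are populated) together with a constructed /etc/passwd, and reports entries NSS could not map and names that exist on both sides. Attribute names follow RFC 2307; the account names and numbers are made up.

```python
"""Pre-flight check for an LDAP (AD) directory used as a Unix account database.

Added example for the nss-ldap thread above, not part of the original mail.
Sample data below is constructed; real input would come from an ldapsearch
export and the host's /etc/passwd.
"""

# Constructed LDIF export: one complete POSIX account, one account with no
# POSIX attributes at all, and one with only a uidNumber.
LDIF_SAMPLE = """\
dn: CN=poertel,CN=Users,DC=example,DC=com
sAMAccountName: poertel
uid: poertel
uidNumber: 10001
gidNumber: 10000
homeDirectory: /home/poertel
loginShell: /bin/bash

dn: CN=test,CN=Users,DC=example,DC=com
sAMAccountName: test
uid: test

dn: CN=svc,CN=Users,DC=example,DC=com
sAMAccountName: svc
uid: svc
uidNumber: 10002
"""

# Constructed local passwd file; "poertel" exists here as well as in LDAP.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
poertel:x:1000:1000:Phil:/home/poertel:/bin/bash
"""

# Attributes nss-ldap needs to build a passwd(5) entry (RFC 2307 posixAccount).
REQUIRED = ("uidNumber", "gidNumber", "homeDirectory", "loginShell")


def parse_ldif(text):
    """Parse a simplified LDIF dump into a list of {attr: [values]} dicts.

    Entries are separated by blank lines. Base64 values ("attr:: ...") and
    folded continuation lines are not handled; this is enough for the
    attribute presence check done here.
    """
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        current.setdefault(key.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_passwd(text):
    """Map local user name -> numeric uid from passwd(5) formatted text."""
    users = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 4:
            users[fields[0]] = int(fields[2])
    return users


def account_name(entry):
    """Prefer the RFC 2307 'uid' attribute, fall back to sAMAccountName."""
    return (entry.get("uid") or entry.get("sAMAccountName") or ["?"])[0]


def missing_posix_attrs(entries):
    """Return {name: [missing attributes]} for entries NSS cannot map.

    An account listed here is exactly the "No such user" case from the thread:
    the bind and search succeed, but there is no uid/gid to hand to getpwnam().
    """
    report = {}
    for entry in entries:
        missing = [attr for attr in REQUIRED if attr not in entry]
        if missing:
            report[account_name(entry)] = missing
    return report


def local_overlaps(entries, passwd):
    """Return {name: (local_uid, ldap_uid_or_None)} for users defined in both.

    Two definitions of one name with different uids means file ownership and
    lookups depend on nsswitch order; one side should own the account.
    """
    overlaps = {}
    for entry in entries:
        name = account_name(entry)
        if name in passwd:
            remote = entry.get("uidNumber", [None])[0]
            overlaps[name] = (passwd[name], int(remote) if remote else None)
    return overlaps


if __name__ == "__main__":
    ldap_entries = parse_ldif(LDIF_SAMPLE)
    for user, attrs in missing_posix_attrs(ldap_entries).items():
        print(f"{user}: cannot be mapped by NSS, missing {', '.join(attrs)}")
    for user, (lu, ru) in local_overlaps(ldap_entries, parse_passwd(PASSWD_SAMPLE)).items():
        print(f"{user}: defined locally (uid {lu}) and in LDAP (uid {ru})")
```

Run it against a real export by replacing the two constructed strings with the contents of an ldapsearch dump and /etc/passwd; an empty report from missing_posix_attrs is the precondition for nss-ldap lookups to return anything at all, and every name in local_overlaps is one to keep on only one side.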