lists.arthurdejong.org

Re: [nssldap] Solaris 10, nscd, Bug 369 issues

Paul,

the nss_ldap code in 264 for the kerberos functions is borked! I have patches that I have published (which is close to a complete rewrite) that deals with this. I can send you these as applied to the nss 264 that was published in Fedora recently if that will help.

This will allow kerberos to work with a keytab for the root user (or a ccache that has been set up for the root user), allow a ccache to be provided that nscd can use, and also use the logged-in user's ccache if required. If a keytab is supplied then auto refresh also works. The only problem I have not been able to nail down is that NSCD crashes (usually after some time) where the machine has a local account that duplicates one held in the AD/OpenLDAP/Fedora store...

I have not pushed hard for this to be mainstreamed as I need to do some code tidy up.

Regards, Howard

Paul Tipper wrote:
Greetings,

I'm trying to integrate a Solaris 10 machine with Active Directory
(using SFU 3.5) and since our schema is based on RFC2307bis groups (as
I understand it) Solaris's ldap client can't seem to deal with this.

So we've compiled and installed nss_ldap (version 264) from Padl,
building it against OpenLDAP (2.4.16) and having that authenticate
against our AD by use of GSSAPI and a kerberos key in the machine's
keytab generated with ktpass.exe (full details are available of
exactly what we've done if anyone wants them).

The Solaris machine has the following showrev information:
Release: 5.10
Kernel architecture: sun4u
Application architecture: sparc
Hardware provider: Sun_Microsystems
Domain: lancs.local
Kernel version: SunOS 5.10 Generic_127127-11

I've also installed patch 140391-03
(http://sunsolve.sun.com/search/document.do?assetkey=1-21-140391-03-1)
which apparently fixes bug 6644077 which is related to nscd rejecting
foreign nss backends.


However we've hit a snag involving nscd and what I assume is bug 369
in the Padl bugtracker (http://bugzilla.padl.com/show_bug.cgi?id=369)

Essentially if nscd is running then id, getent passwd and other calls
fail.

If nscd is not running these calls work fine, and the machine can be
logged into, authenticating against LDAP via PAM, which suggests that
our configuration is correct at least in this point.  However once
logged into programs like klist and ssh cannot be run as they seem to
depend on nscd.


I've tried the suggested solution in the bugzilla page, getting the
svc:/network/ldap/client:default service running.  Although I've not
tried renaming the library and functions.  This doesn't seem to change
the behaviour of nscd, as soon as it's running these calls fail.


Can anyone offer any other suggestions for what I'm doing wrong?  Do I
just need to wait for the next release of nss_ldap?  Should I be
replying on the bugzilla?


If any more information is required on compilation options or
configuration used then please ask on or off list, I just didn't want
to swamp people's inboxes.


Regards,

paul.