[Fedora-directory-users] FDS and Solaris Client Question

Marc Sauton msauton at redhat.com
Tue Sep 18 22:30:22 UTC 2007


Jeremiah Coleman wrote:
> On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote:
>   
>> Jeremiah Coleman wrote:
>>     
>>> I'm trying to set up a Solaris 10 client with FDS (all my linux clients
>>> are working beautifully), but authentication is acting very strange.
>>> Monitoring the net traffic, I can see the Solaris system bind, search
>>> for info about the username, get a normal response, but then it just
>>>   
>>>       
>> Not sure for the "normal" response.
>>     
>
> The client asks for the posixAccount info, and gets all that is
> available, then asks for the shadowAccount info, and gets the uid (same
> as the linux clients).  Repeats this a couple of times, then stops.
>
>   
>> If the rootbinddn in /etc/ldap.conf and associated pw or file 
>> permissions are correct, what about a "getent passwd" and logs or trace?
>>     
>>> unbinds.  It never asks to authenticate a password.  My configuration is
>>> below.
>>>       
>
> I'm using Solaris 10 native, not OpenLDAP.  No /etc/ldap.conf.  Would I
> be better off switching to OpenLDAP?  getent passwd gives me a passwd
> file list from the ldap server, with x instead of actual passwords.  
>   
If getent shows the non-local uids, the failed ssh login could be 
related to your pam client configuration or to a service not running on 
the client? (client system logs should provide you some hints)
M.
> As for logs, I've been unable to find a way to get the authentication
> stuff to log effectively.
>
> Thanks,
> Jay
>
>   
>>>   
>>>       
>> May want to restart / sighup your sshd to get the last configurations.
>> System logs and getent could confirm the uid is found, to eliminate the 
>> nss_ldap part.
>>     
>>> Any help would be much appreciated.
>>>
>>> ldap_client_file:
>>> NS_LDAP_FILE_VERSION= 2.0
>>> NS_LDAP_SERVERS= fds1.wherever.com
>>> NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
>>> NS_LDAP_AUTH= simple
>>> NS_LDAP_SEARCH_REF= TRUE
>>> NS_LDAP_SEARCH_SCOPE= one
>>> NS_LDAP_SEARCH_TIME= 30
>>> NS_LDAP_CACHETTL= 43200
>>> NS_LDAP_PROFILE= default
>>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
>>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
>>> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
>>> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
>>> NS_LDAP_BIND_TIME= 2
>>>
>>> /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
>>> all of that is configured on ldap as yet):
>>> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
>>> passwd:     files ldap
>>> group:      files ldap
>>> shadow:     files ldap
>>>
>>> # consult /etc "files" only if ldap is down.
>>> hosts:      dns files ldap
>>>
>>> # Note that IPv4 addresses are searched for in all of the ipnodes databases
>>> # before searching the hosts databases.
>>> ipnodes:    files
>>>
>>> networks:   files
>>> protocols:  files
>>> rpc:        files
>>> ethers:     files
>>> netmasks:   files
>>> bootparams: files
>>> publickey:  files
>>>
>>> netgroup:   ldap
>>>
>>> automount:  files ldap
>>> aliases:    files ldap
>>>
>>> # for efficient getservbyname() avoid ldap
>>> services:   files ldap
>>>
>>> printers:   user files ldap
>>>
>>> auth_attr:  files ldap
>>> prof_attr:  files ldap
>>>
>>> project:    files ldap
>>>
>>> tnrhtp:     files ldap
>>> tnrhdb:     files ldap
>>>
>>>
>>>   
>>>       
>> Is it possible you are missing some entries in your /etc/pam.d/ for ssh 
>> on Solaris 10 ?
>>     
>>> /etc/pam.conf:
>>> # login service (explicit because of pam_dial_auth)
>>> #
>>> login   auth required           pam_ldap.so.1
>>> login   auth requisite          pam_authtok_get.so.1
>>> login   auth required           pam_dhkeys.so.1
>>> login   auth required           pam_unix_cred.so.1
>>> login   auth required           pam_unix_auth.so.1
>>> login   auth required           pam_dial_auth.so.1
>>> #
>>> # rlogin service (explicit because of pam_rhost_auth)
>>> #
>>> rlogin  auth sufficient         pam_ldap.so.1
>>> rlogin  auth sufficient         pam_rhosts_auth.so.1
>>> rlogin  auth requisite          pam_authtok_get.so.1
>>> rlogin  auth required           pam_dhkeys.so.1
>>> rlogin  auth required           pam_unix_cred.so.1
>>> rlogin  auth required           pam_unix_auth.so.1
>>> # Default definitions for Authentication management
>>> # Used when service name is not explicitly mentioned for authentication
>>> #
>>> other   auth sufficient         pam_ldap.so.1
>>> other   auth requisite          pam_authtok_get.so.1
>>> other   auth required           pam_dhkeys.so.1
>>> other   auth required           pam_unix_cred.so.1
>>> other   auth required           pam_unix_auth.so.1
>>> #
>>> # passwd command (explicit because of a different authentication module)
>>> #
>>> passwd  auth sufficient         pam_ldap.so.1
>>> passwd  auth required           pam_passwd_auth.so.1
>>> #
>>> # cron service (explicit because of non-usage of pam_roles.so.1)
>>> #
>>> cron    account required        pam_unix_account.so.1
>>> #
>>> # Default definition for Account management
>>> # Used when service name is not explicitly mentioned for account management
>>> #
>>> other   account sufficient      pam_ldap.so.1
>>> other   account requisite       pam_roles.so.1
>>> other   account required        pam_unix_account.so.1
>>> #
>>> # Default definition for Session management
>>> # Used when service name is not explicitly mentioned for session management
>>> #
>>> other   session sufficient      pam_ldap.so.1
>>> other   session required        pam_unix_session.so.1
>>> #
>>> # Default definition for  Password management
>>> # Used when service name is not explicitly mentioned for password management
>>> #
>>> other   password required       pam_dhkeys.so.1
>>> other   password requisite      pam_authtok_get.so.1
>>> other   password requisite      pam_authtok_check.so.1
>>> other   password required       pam_authtok_store.so.1
>>>
>>>
>>>   
>>>       
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>     
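Marc's question about missing ssh entries comes down to which pam.conf stack sshd actually hits on the Solaris client: services with no explicit lines fall through to "other", so the "login" stack quoted above (pam_ldap required) never applies to sshd. The script below is an added example, not from the thread or from Solaris itself; its sample pam.conf is constructed from the one quoted above and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): resolve the effective PAM stack a
# service gets from a Solaris-style /etc/pam.conf. Solaris uses the lines
# for the service name when present and falls back to "other" for that
# management type otherwise, so sshd here is governed by the "other" lines.

# Constructed sample, trimmed from the pam.conf quoted in the thread.
PAM_CONF=${TMPDIR:-/tmp}/pam.conf.example.$$
cat > "$PAM_CONF" <<'EOF'
# login service (explicit because of pam_dial_auth)
login   auth required           pam_ldap.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
other   account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
EOF

# pam_stack CONF SERVICE TYPE -> one "control module" line per entry of the
# stack SERVICE really gets for TYPE (auth|account|session|password).
pam_stack() {
    conf=$1; svc=$2; mtype=$3
    awk -v svc="$svc" -v mtype="$mtype" '
        /^[[:space:]]*#/ || NF < 4 { next }          # comments and blanks
        $2 != mtype { next }                         # other management types
        $1 == svc     { ex[n++]  = $3 " " $4; next } # explicit service lines
        $1 == "other" { oth[m++] = $3 " " $4 }       # fallback lines
        END {
            if (n > 0) { for (i = 0; i < n; i++) print ex[i] }
            else       { for (i = 0; i < m; i++) print oth[i] }
        }' "$conf"
}

# Small helpers so a result can be checked without re-parsing the output.
first_auth_control() { pam_stack "$PAM_CONF" "$1" auth | head -n 1 | cut -d' ' -f1; }
auth_depth() { pam_stack "$PAM_CONF" "$1" auth | wc -l | tr -d ' '; }

# sshd has no explicit lines, so this prints the five "other" auth entries.
pam_stack "$PAM_CONF" sshd auth
```

Run it against the real /etc/pam.conf by pointing PAM_CONF at it; a service that unexpectedly lands on the "other" stack is the first thing to compare with the client's system log.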