[K12OSN] Linux Auth'ing to Novell Edirectory--Question

Joe Guenther jguenther at chinooksedge.ab.ca
Fri Jun 25 15:55:14 UTC 2004

I also have LTSP auth'ing to Novell eDir  When my students login for the
first time into the LTSP, there is NO user account on the linux box, just in
the Novell eDir.  The PAM module will automagically create the new linux
account,(it will also create all the appropriate groups that that user is a
part of in NDS), create a new linux /home/user directory and then mount the
Novell home into /home/user/nwhome

I don't have to touch the linux box - nor the Novell box.  I just create a
user in the eDir and that is it!

the toggle that you are looking for is likely the -a (note this is NOT the
same as -A) ... see my configuration below.

This is the config that works for me.... try it .... the last line may need
to be changed to optional rather than required.  I had taken this same
configuration and put it on another server for a second school ... and it
BROKE the whole thing.  I could not even log in with the local root account.
SO use this at your own risk.  It works great for me, but I am not sure why
it did not work the second time I tried the same config in a second
school.... :-(

= = = = /etc/pam.d/system-auth = = = = =

# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient   /lib/security/pam_ncp_auth.so nullok use_first_pass
dS.o=CE -a -d -L -u2000,4000,pn,gcd -g2000,4000,pn -A

## the -a switch seemed to make it magically create a new user in Linux
## from an existing Novell account
# -zA = automount
# -A = "Notice the -A argument is necessary for TCP/IP operation and you do
not have to load the IPX protocol"
# -d : turn on debugging output
# -v : display reasons login failures on terminal (default)
# -q : do not display login failures
# -s : disallow SUPERVISOR from logging-in
# -S : disallow SUPERVISOR equivalent from logging-in (NYI)
# -uMIN,MAX,CFLAGS,MFLAGS : parameters for user creation
# -gMIN,MAX,CFLAGS : parameters for group creation
#  r : When creating user, it must take uid from UNIX:UID property. If uid
#      is already used, or object does not have UNIX:UID property, user is
#      not allowed to login.
#  p : When creating user, preffer uid from UNIX:UID property.
#  n : When inventing uid for new user, take one which is one greater than
#      highest used uid in MIN,MAX range.
#  f : When inventing uid #auth       sufficient        pam_stack.so
service=system-authfor new user, take first unused in MIN,MAX range.
#  If you specify both 'r' and 'p', or both 'n' and 'f', behavior is
# User modification is enabled by non-empty MFLAGS option in -u parameter.
# MFLAGS can consist of one or more following letters:
#  g : Update user's primary gid according to NDS database.
#  c : Update user's gecos (comment, full name) according to NDS database.
#  d : Update user's home directory according to NDS database.
#  s : Update user's shell according to NDS database.
# If -g,,r or -g,,p is specified, group's UNIX:GID attribute is read from
# If attribute does not exist,and 'r' was not used, new gid is invented
# to min, max and n/f values in -g option.
# If -u,,r or -u,,p is specified, user's UNIX:UID attribute is read from
# If attribute does not exist,and 'r' was not used, new uid is invented
# to min, max and n/f values in -g option.
# During user creation, home directory is retrieved from UNIX:Home
# login shell from UNIX:Login Shell. If UNIX:Home Directory does not exist,
# /home/$cn is used as home directory for user. If UNIX:Login Shell does not
# /bin/bash is used.

auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so

password    required      /lib/security/$ISA/pam_cracklib.so retry=3 type=
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
md5 shadow
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     required      pam_ncp_auth.so

= = = = end of config file = = = = = =

-----Original Message-----
From: k12osn-bounces at redhat.com [mailto:k12osn-bounces at redhat.com]On
Behalf Of Caleb Wagnon
Sent: Thursday, June 24, 2004 6:34 PM
To: k12osn at redhat.com
Subject: [K12OSN] Linux Auth'ing to Novell Edirectory--Question

So I think I've figured out how to get Linux boxes auth'ing to
edirectory...the holdup now is I have to manually create the home
for new users. Has anyone done this?

Caleb Wagnon
Technology Coordinator
Fordyce School District

K12OSN mailing list
K12OSN at redhat.com
For more info see <http://www.k12os.org>

More information about the K12OSN mailing list