[K12OSN] Authenticate to OS X Open Directory

Christopher Butler cbutler at shoreschool.org
Mon Apr 25 15:31:37 UTC 2005


Okay,

I've read the wiki doc on authenticating LTSP clients to users in OS X
Open Directory, but I'm having some problems with authentication (the NFS
mount seems to work just fine).

I'm running K12LTSP 4.1 and OS X 10.3.4.  I have Open Directory running
with my OD Server also a KDC.  All 200 of my Macs have no problems (all
users have centralized home directories and user account on the OD
Server).  I have SSL turned on for the LDAP server.

From the K12LTSP server, if I type
   ldapsearch -x -h helios.shoreschool.org -b dc=shoreschool,dc=org "(uid=*)" dn
I get my nice long list of users (here is the last one)
  # lschutzman, users, shoreschool.org
  dn: uid=lschutzman,cn=users,dc=shoreschool,dc=org

  # search result
  search: 2
  result: 0 Success

  # numResponses: 628
  # numEntries: 627

I ran authconfig and checked off the "Use LDAP" checkbox under User
Information and "Use LDAP Authentication" under Authentication.  I entered
the settings for the LDAP server.
Server: helios.shoreschool.org
Base DN: cn=users,dc=shoreschool,dc=org

First I tested this with the "Use TLS" checkbox unchecked in the LDAP
window in authconfig.  Anytime I try to log in from one of my LTSP clients
with a user in OD, I get the following lines in /var/log/messages:

  Apr 25 11:08:16 ltsp gdm(pam_unix)[5053]: check pass; user unknown
  Apr 25 11:08:16 ltsp gdm(pam_unix)[5053]: authentication failure; logname= uid=0 euid=0 tty=ws098.ltsp:0 ruser= rhost=ws098.ltsp
  Apr 25 11:08:16 ltsp gdm-binary[5053]: pam_krb5[5053]: error resolving user name 'cbutler' to uid/gid pair
  Apr 25 11:08:16 ltsp gdm-binary[5053]: pam_krb5[5053]: error getting information about 'cbutler'
  Apr 25 11:08:16 ltsp gdm(pam_unix)[5053]: could not identify user (from getpwnam(cbutler))
  Apr 25 11:08:16 ltsp gdm-binary[5053]: pam_krb5[5053]: error resolving user name 'cbutler' to uid/gid pair
  Apr 25 11:08:16 ltsp gdm-binary[5053]: pam_krb5[5053]: error getting information about 'cbutler'
  Apr 25 11:08:16 ltsp gdm-binary[5053]: Couldn't set acct. mgmt for cbutler

For fun, I even checked the "Use Kerberos" in the Authentication list and
that seems to be talking to my KDC just fine.  Here is the snippet from
the Password Server log that corresponds to the failed login above:

  Apr 25 2005 11:08:16	RSAPUBLIC: ok
  Apr 25 2005 11:08:17	RSAVALIDATE: success.
  Apr 25 2005 11:08:17	USER: {0x40e2f1ac69c81b3b0000022b0000022a, cbutler} is the current user.
  Apr 25 2005 11:08:17	AUTH: {0x40e2f1ac69c81b3b0000022b0000022a, cbutler} requested mechanism CRAM-MD5.
  Apr 25 2005 11:08:17	AUTH2: {0x40e2f1ac69c81b3b0000022b0000022a, cbutler} authentication succeeded.
  Apr 25 2005 11:08:17	QUIT: {0x40e2f1ac69c81b3b0000022b0000022a, cbutler} has disconnected.


Then, I tested this with the "Use TLS" checkbox checked in the LDAP
Settings window in authconfig.  This time, I get these lines in
/var/log/messages:

  Apr 25 11:11:18 ltsp gdm(pam_unix)[5053]: check pass; user unknown
  Apr 25 11:11:18 ltsp gdm(pam_unix)[5053]: authentication failure; logname= uid=0 euid=0 tty=ws098.ltsp:0 ruser= rhost=ws098.ltsp
  Apr 25 11:11:18 ltsp gdm-binary[5053]: pam_krb5[5053]: error resolving user name 'cbutler' to uid/gid pair
  Apr 25 11:11:18 ltsp gdm-binary[5053]: pam_krb5[5053]: error getting information about 'cbutler'
  Apr 25 11:11:18 ltsp gdm-binary[5053]: pam_ldap: ldap_starttls_s: Connect error
  Apr 25 11:11:21 ltsp gdm-binary[5053]: Couldn't authenticate user

but I get nothing in my Password Server log on the OD server.

Finally, I tried this with Kerberos turned off and "Use TLS" turned off
and it seemed to work just fine.  So, I logged out and logged back in and
now it doesn't work!  Here are the consecutive lines from
/var/log/messages on the LTSP server when I was able to login and then
when I tried again it failed:

  Apr 25 11:21:54 ltsp gdm(pam_unix)[5521]: check pass; user unknown
  Apr 25 11:21:54 ltsp gdm(pam_unix)[5521]: authentication failure; logname= uid=0 euid=0 tty=ws098.ltsp:0 ruser= rhost=ws098.ltsp
  Apr 25 11:21:54 ltsp gdm(pam_unix)[5521]: session opened for user cbutler by (uid=0)
  Apr 25 11:22:12 ltsp gdm(pam_unix)[5521]: session closed for user cbutler
  Apr 25 11:22:33 ltsp gdm(pam_unix)[5618]: check pass; user unknown
  Apr 25 11:22:33 ltsp gdm(pam_unix)[5618]: authentication failure; logname= uid=0 euid=0 tty=ws098.ltsp:0 ruser= rhost=ws098.ltsp
  Apr 25 11:22:33 ltsp gdm(pam_unix)[5618]: could not identify user (from getpwnam(cbutler))
  Apr 25 11:22:33 ltsp gdm-binary[5618]: Couldn't set acct. mgmt for cbutler

Any idea why this sometimes works and sometimes doesn't?

Thanks,
Christopher Butler
Director of Technology
Shore Country Day School
Beverly, MA 01915
cbutler at shoreschool.org
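The three outcomes in this post (the KDC or Password Server accepts the password but the LTSP server cannot resolve the account through NSS, the LDAP TLS connection fails outright, and a session actually opens) can be told apart from /var/log/messages alone. The following script is an added example, not part of the original post or of K12LTSP: it groups gdm lines by PID into login attempts and labels each attempt with the stage that failed. The log lines embedded in it are constructed from the excerpts above; the marker strings, the attempt-splitting gap of 60 seconds and the label names are this script's own assumptions, not anything pam_ldap or pam_krb5 defines.

```python
"""Label each gdm login attempt in a syslog excerpt with the PAM/NSS stage that failed.

A recurring point in the post: pam_unix printing "check pass; user unknown" is
expected for an LDAP-only account (it is not in /etc/passwd) and also appears in
the successful attempt, so it must not be treated as the failure by itself.
"""
import re
from datetime import datetime

# Constructed sample, modelled on the /var/log/messages lines in the post.
SAMPLE_LOG = """\
Apr 25 11:08:16 ltsp gdm(pam_unix)[5053]: check pass; user unknown
Apr 25 11:08:16 ltsp gdm(pam_unix)[5053]: authentication failure; logname= uid=0 euid=0 tty=ws098.ltsp:0 ruser= rhost=ws098.ltsp
Apr 25 11:08:16 ltsp gdm-binary[5053]: pam_krb5[5053]: error resolving user name 'cbutler' to uid/gid pair
Apr 25 11:08:16 ltsp gdm(pam_unix)[5053]: could not identify user (from getpwnam(cbutler))
Apr 25 11:08:16 ltsp gdm-binary[5053]: Couldn't set acct. mgmt for cbutler
Apr 25 11:11:18 ltsp gdm(pam_unix)[5053]: check pass; user unknown
Apr 25 11:11:18 ltsp gdm-binary[5053]: pam_krb5[5053]: error resolving user name 'cbutler' to uid/gid pair
Apr 25 11:11:18 ltsp gdm-binary[5053]: pam_ldap: ldap_starttls_s: Connect error
Apr 25 11:11:21 ltsp gdm-binary[5053]: Couldn't authenticate user
Apr 25 11:21:54 ltsp gdm(pam_unix)[5521]: check pass; user unknown
Apr 25 11:21:54 ltsp gdm(pam_unix)[5521]: authentication failure; logname= uid=0 euid=0 tty=ws098.ltsp:0 ruser= rhost=ws098.ltsp
Apr 25 11:21:54 ltsp gdm(pam_unix)[5521]: session opened for user cbutler by (uid=0)
Apr 25 11:22:12 ltsp gdm(pam_unix)[5521]: session closed for user cbutler
Apr 25 11:22:33 ltsp gdm(pam_unix)[5618]: check pass; user unknown
Apr 25 11:22:33 ltsp gdm(pam_unix)[5618]: could not identify user (from getpwnam(cbutler))
Apr 25 11:22:33 ltsp gdm-binary[5618]: Couldn't set acct. mgmt for cbutler
"""

# Classic syslog layout: "Mon DD HH:MM:SS host program[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\]]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Assumed marker fragments: NSS could not map the name to a uid/gid ...
NSS_MARKERS = ("could not identify user", "error resolving user name",
               "error getting information about")
# ... versus the LDAP client failing to bring up TLS at all.
TLS_MARKERS = ("ldap_starttls_s", "ldap_start_tls")
USER_RE = re.compile(r"getpwnam\((\w+)\)|user name '(\w+)'|for user (\w+)|acct\. mgmt for (\w+)")


def parse_line(line):
    """Return the parsed fields of one syslog line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # No year in the timestamp; only differences are used, so 1900 is fine.
    rec["time"] = datetime.strptime(" ".join(rec["ts"].split()), "%b %d %H:%M:%S")
    return rec


def split_attempts(lines, gap_seconds=60):
    """Group lines by PID; a quiet gap longer than gap_seconds starts a new attempt.

    gdm reused PID 5053 for two attempts three minutes apart in the post, so
    PID alone is not enough to separate attempts (the gap value is an assumption).
    """
    attempts, open_by_pid = [], {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        idx = open_by_pid.get(rec["pid"])
        if idx is not None and (rec["time"] - attempts[idx]["last"]).total_seconds() > gap_seconds:
            idx = None
        if idx is None:
            attempts.append({"pid": rec["pid"], "start": rec["ts"], "last": rec["time"],
                             "user": None, "msgs": []})
            idx = len(attempts) - 1
            open_by_pid[rec["pid"]] = idx
        att = attempts[idx]
        att["last"] = rec["time"]
        att["msgs"].append(rec["msg"])
        um = USER_RE.search(rec["msg"])
        if um and att["user"] is None:
            att["user"] = next(g for g in um.groups() if g)
    return attempts


def classify(attempt):
    """Pick the most actionable label: an opened session wins, then TLS, then NSS."""
    msgs = attempt["msgs"]
    if any("session opened for user" in m for m in msgs):
        return "login_ok"
    if any(t in m for m in msgs for t in TLS_MARKERS):
        return "ldap_tls_connect_failed"
    if any(t in m for m in msgs for t in NSS_MARKERS):
        return "nss_user_lookup_failed"
    return "failed_unclassified"


def summarize(log_text):
    """One (start time, pid, user, label) tuple per login attempt."""
    return [(a["start"], a["pid"], a["user"], classify(a))
            for a in split_attempts(log_text.splitlines())]


if __name__ == "__main__":
    for start, pid, user, label in summarize(SAMPLE_LOG):
        print(f"{start}  pid={pid}  user={user}  {label}")
```

Run against the sample, the first and last attempts come out as NSS lookup failures (password accepted upstream, account not resolvable locally), the TLS attempt as an LDAP connect failure, and the 11:21:54 attempt as a completed login despite its pam_unix noise; the same split also makes the intermittent behaviour the post asks about visible as two differently labelled attempts minutes apart.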
