[K12OSN] LTSP 4.4.1 cannot authenicate to LDAP from GDM login
Eric Harrison
eharrison at mail.mesd.k12.or.us
Mon Jan 30 01:48:28 UTC 2006
On Sun, 29 Jan 2006, Glenn Arnold wrote:
> A little more research on how to troubleshoot this problem; here is the
> website whose troubleshooting techniques I used:
> http://www.ldapguru.org/modules/newbb/viewtopic.php?topic_id=2793&forum=6&post_id=8373#forumpost8373
> I know ldap is working, because I can run the following command:
> ldapsearch -x -LLL -h ldap1.example.com
> And I can see all the LDAP users. I know when I log in as root I can
> go to home and see all the users from the remote server's NFS share. I
> need to get this resolved tonight or my K12LTSP project at this school
> might get the axe.
>
> Thanks
> -Glenn
>
> -----Original Message-----
> From: Glenn Arnold
> Sent: Sunday, January 29, 2006 5:32 PM
> To: Support list for opensource software in schools.
> Subject: RE: [K12OSN] LTSP 4.4.1 cannot authenicate to LDAP from GDM
> login
>
> Yes, I mean that I am able to connect to the remote home directory
> through NFS and see the user folder contents with LDAP, but I cannot
> log in through GDM. Here are my system-auth contents.
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth required /lib/security/$ISA/pam_env.so
> auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
> auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
> auth required /lib/security/$ISA/pam_deny.so
>
> account required /lib/security/$ISA/pam_unix.so broken_shadow
> account sufficient /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account required /lib/security/$ISA/pam_permit.so
>
> password requisite /lib/security/$ISA/pam_cracklib.so retry=3
> password sufficient /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password sufficient /lib/security/$ISA/pam_ldap.so use_authtok
> password required /lib/security/$ISA/pam_deny.so
>
> session required /lib/security/$ISA/pam_limits.so
> session required /lib/security/$ISA/pam_unix.so
> session optional /lib/security/$ISA/pam_ldap.so
>
> Thanks
> -Glenn
>
> -----Original Message-----
> From: Julian Yap [mailto:julian_yap at yahoo.com]
> Sent: Sunday, January 29, 2006 3:31 PM
> To: Support list for opensource software in schools.
> Subject: Re: [K12OSN] LTSP 4.4.1 cannot authenicate to LDAP from GDM
> login
>
> On Sun, 2006-01-29 at 04:18 -0500, Glenn Arnold wrote:
>> I just installed LTSP 4.4.1. I cannot log in through GDM with an LDAP
>> account. The home drive is shared through NFS on another server. I
>> set up LDAP with the Authentication app in GNOME. I can ssh in with no
>> problems and access the home directory with no problems. Any ideas?
>>
>> -Glenn
Here are a couple of debugging tips.
First, what is in the logs after a failed login?
/var/log/messages, /var/log/secure, /var/log/audit/audit.log are most
likely the interesting ones. There might be something of interest
in /var/log/gdm/:0.log
How I usually do this is ssh in a couple of times, running
"tail -f /var/log/messages" in the first shell, "tail -f /var/log/secure"
in the second, etc.
Second, does "su" work? Log in as a user via ssh and run "su -l yourusername"
(replace yourusername with your username, obviously ;-). It should prompt
you for your password and if all is fine you'll just get another command
prompt.
Third, the only other files besides /etc/pam.d/system-auth (your
system-auth file looks ok to me) are /etc/pam.d/gdm and /etc/ldap.conf.
/etc/pam.d/gdm should look like this:
#%PAM-1.0
auth required pam_env.so
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session optional pam_console.so
/etc/ldap.conf is full of comments. This command will extract
just the juicy stuff, excluding the LDAP admin password if one is
set (be sure to double-check the output for anything sensitive!):
grep -v ^\# /etc/ldap.conf | strings | grep -v bindpw
The contents of this file vary depending on your configuration.
Mine looks something like this:
host ldap.mesd.k12.or.us
base dc=mesd,dc=k12,dc=or,dc=us
scope sub
nss_base_passwd ou=staff,dc=mesd,dc=k12,dc=or,dc=us?sub
nss_base_shadow ou=staff,dc=mesd,dc=k12,dc=or,dc=us?sub
nss_base_group ou=groups,dc=mesd,dc=k12,dc=or,dc=us?sub
ssl no
pam_password md5
Finally, the "getent" command is very useful; it tells you what the
system really thinks the valid passwd and group information is.
getent passwd
getent group
-Eric
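As an added example (not from Eric's mail or the K12LTSP project), the shell below re-runs two of these checks offline against constructed copies of ldap.conf and system-auth: it prints the non-comment ldap.conf lines with the bindpw value masked rather than dropped, so you can see the key is set without the secret ending up in a mail, and it reports which PAM phases actually reference pam_ldap.so. The hostnames and DNs in the sample files are made up.

```sh
#!/bin/sh
# Added example: offline re-run of the ldap.conf and PAM-stack checks.
# Works only on constructed files in a temp dir; nothing real is read.
set -eu

# Print non-comment, non-blank lines of an ldap.conf-style file, masking
# the bindpw value instead of dropping the whole line.
ldap_conf_summary() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
        | awk '$1 == "bindpw" { print $1 " <redacted>"; next } { print }'
}

# Exit 0 if the given PAM phase (auth/account/password/session) in a
# system-auth-style file has a pam_ldap.so line, 1 otherwise.
pam_phase_uses_ldap() {
    pam_file=$1; phase=$2
    grep -v '^[[:space:]]*#' "$pam_file" \
        | awk -v p="$phase" '$1 == p && $0 ~ /pam_ldap\.so/ { found = 1 }
                             END { exit !found }'
}

# Constructed sample files (hypothetical host and base DN).
workdir=$(mktemp -d)
cat > "$workdir/ldap.conf" <<'EOF'
# The distribution's ldap.conf is mostly comments like this one.
host ldap.example.com
base dc=example,dc=com
bindpw supersecret
ssl no
pam_password md5
EOF
cat > "$workdir/system-auth" <<'EOF'
#%PAM-1.0
auth required /lib/security/$ISA/pam_env.so
auth sufficient /lib/security/$ISA/pam_unix.so likeauth nullok
auth sufficient /lib/security/$ISA/pam_ldap.so use_first_pass
auth required /lib/security/$ISA/pam_deny.so
account required /lib/security/$ISA/pam_unix.so broken_shadow
account [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
session required /lib/security/$ISA/pam_unix.so
EOF

ldap_conf_summary "$workdir/ldap.conf"
for phase in auth account password session; do
    if pam_phase_uses_ldap "$workdir/system-auth" "$phase"; then
        echo "$phase: pam_ldap.so present"
    else
        echo "$phase: pam_ldap.so MISSING"
    fi
done
```

In the constructed system-auth above the password and session phases have no pam_ldap.so line, which is the kind of gap that lets ssh succeed while a different PAM client fails.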