[K12OSN] LTSP 4.4.1 cannot authenticate to LDAP from GDM login

Eric Harrison eharrison at mail.mesd.k12.or.us
Mon Jan 30 01:48:28 UTC 2006


On Sun, 29 Jan 2006, Glenn Arnold wrote:

> A little more research on how to troubleshoot this problem: here is the
> website whose troubleshooting techniques I used.
> http://www.ldapguru.org/modules/newbb/viewtopic.php?topic_id=2793&forum=6&post_id=8373#forumpost8373
> I know LDAP is working, because I can run the following command:
> ldapsearch -x -LLL -h ldap1.example.com
> and I can see all the LDAP users.  I know that when I log in as root I can
> go to home and see all the users from the remote server's NFS share.  I
> need to get this resolved tonight or my K12LTSP project at this school
> might get the axe.
>
> Thanks
> -Glenn
>
> -----Original Message-----
> From: Glenn Arnold
> Sent: Sunday, January 29, 2006 5:32 PM
> To: Support list for opensource software in schools.
> Subject: RE: [K12OSN] LTSP 4.4.1 cannot authenticate to LDAP from GDM login
>
> Yes, I mean that I am able to connect to the remote home directory
> through NFS and see the user folder contents with LDAP, but I cannot
> log in through GDM. Here are my system-auth contents.
>
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
>
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100 quiet
> account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
> account     required      /lib/security/$ISA/pam_permit.so
>
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
>
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
>
> Thanks
> -Glenn
>
> -----Original Message-----
> From: Julian Yap [mailto:julian_yap at yahoo.com]
> Sent: Sunday, January 29, 2006 3:31 PM
> To: Support list for opensource software in schools.
> Subject: Re: [K12OSN] LTSP 4.4.1 cannot authenticate to LDAP from GDM login
>
> On Sun, 2006-01-29 at 04:18 -0500, Glenn Arnold wrote:
>> I just installed LTSP 4.4.1.  I cannot log in through GDM with an LDAP
>> account.  The home drive is shared through NFS on another server.  I
>> set up LDAP with the Authentication app in GNOME.  I can ssh in with no
>> problems and access the home directory with no problems.  Any ideas?
>>
>> -Glenn

Here are a couple of debugging tips.

First, what is in the logs after a failed login?

/var/log/messages, /var/log/secure and /var/log/audit/audit.log are most
likely the interesting ones. There might also be something of interest
in /var/log/gdm/:0.log

How I usually do this is ssh in a couple of times, running
"tail -f /var/log/messages" in the first shell, "tail -f /var/log/secure"
in the second, etc.

Second, does "su" work? Log in as a user via ssh and run "su -l yourusername"
(replace yourusername with your username, obviously ;-). It should prompt
you for your password and if all is fine you'll just get another command
prompt.


Third, the only other files involved besides /etc/pam.d/system-auth (your
system-auth file looks ok to me) are /etc/pam.d/gdm and /etc/ldap.conf

/etc/pam.d/gdm should look like this:

   #%PAM-1.0
   auth       required     pam_env.so
   auth       required     pam_stack.so service=system-auth
   auth       required     pam_nologin.so
   account    required     pam_stack.so service=system-auth
   password   required     pam_stack.so service=system-auth
   session    required     pam_stack.so service=system-auth
   session    optional     pam_console.so


/etc/ldap.conf is full of comments. This command will extract
just the juicy stuff, excluding the LDAP admin password if one is
set (be sure to double check the output for anything sensitive!)

    grep -v ^\# /etc/ldap.conf | strings | grep -v bindpw


The contents of this file vary depending on your configuration.

Mine looks something like this:

   host ldap.mesd.k12.or.us
   base dc=mesd,dc=k12,dc=or,dc=us
   scope sub
   nss_base_passwd         ou=staff,dc=mesd,dc=k12,dc=or,dc=us?sub
   nss_base_shadow         ou=staff,dc=mesd,dc=k12,dc=or,dc=us?sub
   nss_base_group          ou=groups,dc=mesd,dc=k12,dc=or,dc=us?sub
   ssl no
   pam_password md5



Finally, the "getent" command is very useful: it tells you what the
system really thinks the valid passwd and group information is.

   getent passwd
   getent group


-Eric
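As an added example that is not part of the thread: a small POSIX shell script that automates the static checks above (does /etc/pam.d/gdm hand off to system-auth, does the auth group of system-auth actually reach pam_ldap.so, and what does ldap.conf set once comments and the bind password are out of the way). It runs against constructed sample copies of the three files written to a temp directory; the function names and the sample contents are mine, point the functions at the real /etc paths on a box you are debugging.

```shell
#!/bin/sh
# Added example, not from the thread: run the checks above against constructed
# sample copies of /etc/pam.d/gdm, /etc/pam.d/system-auth and /etc/ldap.conf.
# Module names used by one PAM management group (auth, account, password,
# session); comments, blank lines and /lib/security/$ISA/ paths are stripped.
pam_modules() {  # usage: pam_modules FILE GROUP
    awk -v grp="$2" '$1 == grp { for (i = 2; i <= NF; i++) if ($i ~ /\.so$/) { sub(/.*\//, "", $i); print $i } }' "$1"
}

# Does the GDM service hand authentication to system-auth? Old stacks use
# pam_stack.so service=system-auth, newer ones "auth include system-auth".
gdm_uses_system_auth() {  # usage: gdm_uses_system_auth FILE
    grep -Eq '^auth[[:space:]]+(required[[:space:]]+pam_stack\.so[[:space:]]+service=system-auth|include[[:space:]]+system-auth)' "$1"
}

# Is pam_ldap.so actually consulted in the auth group of system-auth?
system_auth_has_ldap() {  # usage: system_auth_has_ldap FILE
    pam_modules "$1" auth | grep -qx 'pam_ldap.so'
}

# Non-comment ldap.conf settings, with bindpw masked rather than dropped so
# you can tell that a bind password is set without pasting it to a list.
ldap_conf_summary() {  # usage: ldap_conf_summary FILE
    grep -Ev '^[[:space:]]*(#|$)' "$1" | sed -E 's/^(bindpw)[[:space:]].*/\1 <redacted>/'
}

# Constructed sample files (modelled on the ones quoted in the thread).
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/gdm" <<'EOF'
#%PAM-1.0
auth       required     pam_env.so
auth       required     pam_stack.so service=system-auth
EOF
cat > "$tmp/system-auth" <<'EOF'
#%PAM-1.0
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
account     [default=bad success=ok user_unknown=ignore] /lib/security/$ISA/pam_ldap.so
EOF
cat > "$tmp/ldap.conf" <<'EOF'
# comments everywhere in the real file
host ldap.example.com
bindpw constructed-secret
EOF

gdm_uses_system_auth "$tmp/gdm" && echo "gdm: delegates to system-auth"
system_auth_has_ldap "$tmp/system-auth" && echo "system-auth: pam_ldap.so is in the auth stack"
ldap_conf_summary "$tmp/ldap.conf"
```

If the second check fails on a real box, the GDM stack never reaches LDAP no matter what ldap.conf says, which matches the symptom of ssh working while the graphical login does not.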
