
Thread: Cannot ID LDAP User On LDAP Client

  1. #1

    Cannot ID LDAP User On LDAP Client

    I've set up an Ubuntu 10.10 LDAP client to authenticate off my LDAP server. I've installed the following:

    sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db nscd ldap-utils pam_ccreds


    Here's my /etc/nsswitch.conf:
    Code:
    passwd: files ldap [NOTFOUND=return] db
    group: files ldap [NOTFOUND=return] db
    shadow: files ldap
    hosts: files dns
    networks: files
    protocols: db files
    services: db files
    ethers: db files
    rpc: db files
    I can run nss_updatedb ldap successfully:
    Code:
    # nss_updatedb ldap
    passwd... done.
    group... done.

    I can getent passwd, getent passwd shadow, getent group just fine and they all show all my ldap users.


    However, I cannot do an id ldapuser, e.g.:
    Code:
    $ id tony
    id: tony: No such user

    Here's my auth.log:
    Code:
    Dec 1 21:08:17 webdev120 sshd[14765]: pam_unix(sshd:auth): check pass; user unknown
    Here's my syslog:
    Code:
    sshd[14648]: Libgcrypt warning: missing initialization - please fix the application
    Here's my /etc/pam.d/common-auth:
    Code:
    auth [success=4 default=ignore] pam_unix.so nullok_secure
    auth [success=3 default=ignore] pam_ldap.so use_first_pass
    auth [success=2 default=ignore] pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
    auth [default=ignore] pam_ccreds.so minimum_uid=1000 action=update
    # here's the fallback if no module succeeds
    #auth requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    #auth required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    auth optional pam_ccreds.so minimum_uid=1000 action=store
    # end of pam-auth-update config
    Here's my /etc/pam.d/common-account:
    Code:
    # here are the per-package modules (the "Primary" block)
    account [success=2 new_authtok_reqd=done default=ignore] pam_unix.so
    account [success=1 default=ignore] pam_ldap.so
    # here's the fallback if no module succeeds
    account requisite pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    account required pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    # end of pam-auth-update config
    id works just fine with my local users on my local machine, so somehow it's not able to read the LDAP users.


    Any insights appreciated.

    Here's my test on my ldap user 'tony':
    Code:
    root@webtest111:/etc/pam.d# id tony
    id: tony: No such user
    root@webtest111:/etc/pam.d# getent passwd tony
    root@webtest111:/etc/pam.d# getent passwd |grep tony
    tony:1005:10000:Tony Montana:/home/tony:/bin/bash
    root@webtest111:/etc/pam.d# /etc/init.d/nscd stop
    * Stopping Name Service Cache Daemon nscd [ OK ]
    root@webtest111:/etc/pam.d# getent passwd |grep tony
    tony:1005:10000:Tony Montana:/home/tony:/bin/bash
    root@webtest111:/etc/pam.d# getent passwd tony
    root@webtest111:/etc/pam.d# id tony
    id: tony: No such user

    SOLVED: I added ldapns.schema to enable host-based authentication, and the users created before the schema upgrade caused this caching to stop. I added a new user after the schema upgrade and all is well.
    Last edited by revzalot; December 3rd, 2010 at 10:33 PM. Reason: Solved
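    The telling detail in the test above is that the account shows up in a full `getent passwd` listing (enumeration via getpwent) but `getent passwd tony` and `id tony` (lookup via getpwnam) return nothing. The script below, an added example rather than anything from this thread, compares the two NSS paths and lists every account that only appears in the enumeration; the function names are my own.

```python
"""Find NSS accounts that enumerate (getpwent) but fail by-name lookup (getpwnam).

Added example, not from the original thread. `getent passwd` walks getpwent;
`id NAME` and `getent passwd NAME` call getpwnam. Any account that appears in
the first but not the second is exactly the symptom seen in the thread.
"""
import pwd
from typing import Callable, Iterable, List, Optional, Tuple


def find_unresolvable(entries: Iterable[Tuple[str, int]],
                      lookup: Callable[[str], Optional[int]]) -> List[str]:
    """Names present in the enumeration that do not come back from a by-name
    lookup, or come back with a different uid than the enumeration reported."""
    bad = []
    for name, uid in entries:
        resolved = lookup(name)
        if resolved is None or resolved != uid:
            bad.append(name)
    return bad


def system_entries(min_uid: int = 1000) -> List[Tuple[str, int]]:
    """Enumerate accounts the way `getent passwd` does (getpwent), skipping
    system accounts below min_uid so only directory users are checked."""
    return [(p.pw_name, p.pw_uid) for p in pwd.getpwall() if p.pw_uid >= min_uid]


def system_lookup(name: str) -> Optional[int]:
    """Resolve one account the way `id NAME` does (getpwnam); None when the
    NSS chain reports 'no such user'."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None


if __name__ == "__main__":
    # Run with nscd stopped, or after `nscd -i passwd`, so a stale cache entry
    # is not mistaken for a directory or schema problem.
    broken = find_unresolvable(system_entries(), system_lookup)
    if broken:
        print("enumerate but do not resolve by name:", ", ".join(broken))
    else:
        print("all enumerated accounts resolve by name")
```

    If the list is non-empty with nscd stopped, the problem is in the directory entries or the nss_ldap mapping rather than in the cache.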

  2. #2

    Re: Cannot ID LDAP User On LDAP Client

    Do you have nscd running? What does your /etc/ldap.conf (or /etc/ldap/ldap.conf) look like?
    -Jason

  3. #3

    Re: Cannot ID LDAP User On LDAP Client

    Yes, I had nscd running and then disabled it, but id still does not work.

    Here's my /etc/ldap.conf:
    Code:
    cat /etc/ldap.conf | grep -v ^# | grep -v ^$
    base dc=example,dc=com
    uri ldapi:///10.112.18.2
    ldap_version 3
    rootbinddn cn=admin,dc=example,dc=com
    bind_policy soft 
    pam_check_host_attr yes
    pam_password md5
    Last edited by revzalot; December 2nd, 2010 at 09:44 PM.

  4. #4

    Re: Cannot ID LDAP User On LDAP Client

    You might try defining nss_base_passwd, nss_base_shadow, and nss_base_group in your ldap.conf. And keep nscd running.
    -Jason

  5. #5

    Re: Cannot ID LDAP User On LDAP Client

    Ok, I turned nscd back on but id still doesn't work.

    Code:
    cat /etc/ldap.conf | grep -v ^# | grep -v ^$
    base dc=example,dc=com
    uri ldap://10.112.18.2
    ldap_version 3
    bindpw secret
    rootbinddn cn=admin,dc=example,dc=com
    bind_policy soft 
    pam_check_host_attr yes
    pam_password md5
    nss_base_passwd        ou=People,dc=example,dc=com
    nss_base_shadow        ou=People,dc=example,dc=com?one
    nss_base_group        ou=Groups,dc=example,dc=com?one
    On another machine, I tried this howto after purging the above packages.

    http://www.opinsys.fi/en/setting-up-...u-10-04-alpha2

    sudo apt-get install libnss-ldapd libpam-ldapd

    Still the same outcome. I can ldapsearch, getent, etc. but id cannot show the ldap users.

  6. #6

    Re: Cannot ID LDAP User On LDAP Client

    Well, comparing your setup to mine (I'm using 10.04), I also set up the pam session file as well. My config file looks like this:

    Code:
    [open_ldap]
    nss_passwd=passwd: files ldap
    nss_group=group: files ldap
    nss_shadow=shadow: files ldap
    nss_netgroup=netgroup: ldap files 
    nss_sudoers=sudoers: ldap files
    pam_auth=auth       required     pam_env.so
            auth       sufficient   pam_unix.so likeauth nullok
            auth       required     pam_group.so use_first_pass
            auth       sufficient   pam_ldap.so use_first_pass
            auth       required     pam_deny.so
    pam_account=account    sufficient   pam_unix.so
            account    sufficient   pam_ldap.so
            account    required     pam_deny.so
    pam_password=password   sufficient   pam_unix.so nullok md5 shadow
            password   sufficient   pam_ldap.so use_first_pass
            password   required     pam_deny.so
    pam_session=session    required     pam_limits.so
            session    required     pam_mkhomedir.so skel=/etc/skel/
            session    required     pam_unix.so
            session    optional     pam_ldap.so
    I apply it with:

    Code:
    auth-client-config -a -p open_ldap
    -Jason

  7. #7

    Re: Cannot ID LDAP User On LDAP Client

    Tried it, but it didn't budge.

    Code:
    root@webtest111:/etc/auth-client-config/profile.d# auth-client-config -a -p open_ldap
    root@webtest111:/etc/auth-client-config/profile.d# id tony
    id: tony: No such user
    root@webtest111:/etc/auth-client-config/profile.d# nss_updatedb ldap
    passwd... done.
    group... done.
    root@webtest111:/etc/auth-client-config/profile.d# getent passwd | grep tony
    tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
    root@webtest111:/etc/auth-client-config/profile.d# id tony
    id: tony: No such user
    root@webtest111:/etc/auth-client-config/profile.d#

  8. #8

    Re: Cannot ID LDAP User On LDAP Client

    The nscd daemon is the culprit. Here's the error when I do id tony:

    Code:
     nscd -d
    Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
    Thu 02 Dec 2010 02:18:18 PM PST - 14248:     GETFDPW
    Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
    Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
    Thu 02 Dec 2010 02:18:18 PM PST - 14248:     GETPWBYNAME (tony)
    Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
    Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
    Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
    Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258
    Here's my nscd.conf file:

    Code:
    cat /etc/nscd.conf | grep -v ^# | grep -v ^$
        debug-level        0
        paranoia        no
        enable-cache        passwd        yes
        positive-time-to-live    passwd        600
        negative-time-to-live    passwd        20
        suggested-size        passwd        211
        check-files        passwd        yes
        persistent        passwd        yes
        shared            passwd        yes
        max-db-size        passwd        33554432
        auto-propagate        passwd        yes
        enable-cache        group        yes
        positive-time-to-live    group        3600
        negative-time-to-live    group        60
        suggested-size        group        211
        check-files        group        yes
        persistent        group        yes
        shared            group        yes
        max-db-size        group        33554432
        auto-propagate        group        yes
        enable-cache        hosts        no
        positive-time-to-live    hosts        3600
        negative-time-to-live    hosts        20
        suggested-size        hosts        211
        check-files        hosts        yes
        persistent        hosts        yes
        shared            hosts        yes
        max-db-size        hosts        33554432
        enable-cache        services    yes
        positive-time-to-live    services    28800
        negative-time-to-live    services    20
        suggested-size        services    211
        check-files        services    yes
        persistent        services    yes
        shared            services    yes
        max-db-size        services    33554432

  9. #9

    Re: Cannot ID LDAP User On LDAP Client

    But when nscd was off, the id command still didn't work, right?

    So that can't be a possible culprit.

    Since you have rootbinddn mentioned in your /etc/ldap.conf file, did you also put the root bind passwd in /etc/ldap.secret?
    When you have eliminated the impossible, whatever remains, however improbable, must be the truth !!
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    Mark it [SOLVED] if the issue has been resolved

  10. #10

    Re: Cannot ID LDAP User On LDAP Client

    Quote Originally Posted by luvshines:
    But when nscd was off, the id command still didn't work, right?

    So that can't be a possible culprit.

    Since you have rootbinddn mentioned in your /etc/ldap.conf file, did you also put the root bind passwd in /etc/ldap.secret?
    Yes to all the above. After making a new user, id worked on that LDAP user. Somehow the schema install prevented id from working with my old users.
