From owner-freebsd-questions@FreeBSD.ORG Sat Mar 7 17:57:38 2009
From: Tim Judd
To: Joe Kraft
Cc: freebsd-questions@freebsd.org
Date: Sat, 7 Mar 2009 10:57:37 -0700
Subject: Re: kde/kdm + nsswitch + ldap = nologon
List-Id: User questions
On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft wrote:

> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
>
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> set up and seems to be working fine; I can log in locally or through SSH
> using the ldap accounts.
>
> I'm working on the first client, which is a FBSD 7.1 machine. I can use
> ldap to log in on this machine, but I'm having issues with logging in using
> kdm. I can see all the users both from local files and from ldap, but I
> can't log in using either. Even when kdm won't allow a login, I can
> and get a normal login shell and log in with local or ldap
> accounts. The ldap lines are included in my /etc/pam.d/kde file.
>
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
>
> I ran into a bug report from last summer that appears to still be open with
> exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
>
> Does anyone know a workaround or have a patch for the issue? I can provide
> config files and such if anyone thinks it might help.
>
> Thanks,
> Joe.

True SSO is accomplished by Kerberos. Your LDAP implementation is re-authenticating/re-authorizing on every service.

I'm by NO means an expert with pam -- it confuses me, but there are some basic concepts that I think might be missing in your setup.

First question I've got is: shouldn't you need to create the rules for kdm in a file called 'kdm' in pam?

Second is that some options/arguments that pam can use, such as USE_FIRST_PASS, would probably help you here.

Third is whether the sufficient/required column in the pam file is there.

Now we have to deal with whether kdm uses pam or nsswitch. And if it uses nsswitch, then we have to go through all that troubleshooting all over again.

Or maybe it doesn't even have any concept to use alternate auth mechanisms other than just the local files...

I'm only providing an insight to something your eyes may have overlooked. I hope this triggers something to get it working.

G'luck
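As an added illustration of the three points raised in the reply (a kdm-specific PAM file, the first-pass options, and sufficient vs. required), here is a constructed /etc/pam.d/kdm plus the matching nsswitch.conf lines for a FreeBSD client using pam_ldap and nss_ldap from ports; it is not from the thread, and the module path /usr/local/lib/pam_ldap.so is assumed to be where the port installed it.

```conf
# /etc/pam.d/kdm  (constructed example, not from the thread)
# FreeBSD's pam.conf(5) spells the options in lowercase: try_first_pass
# reuses the password already typed and only prompts if none was given,
# use_first_pass reuses it and never prompts.
#
# auth: LDAP is tried first. "sufficient" ends the stack on success; on
# failure (unknown user, wrong password, LDAP unreachable) control falls
# through to pam_unix, which checks local files with the same password.
auth      sufficient  /usr/local/lib/pam_ldap.so  no_warn try_first_pass
auth      required    pam_unix.so                 no_warn try_first_pass

# account: nologin and login.access stay "required" so a disabled or
# access-restricted account is refused no matter which backend
# authenticated it; only the backend-specific check is "sufficient".
account   required    pam_nologin.so
account   required    pam_login_access.so
account   sufficient  /usr/local/lib/pam_ldap.so
account   required    pam_unix.so

session   required    pam_permit.so

# password changes for LDAP users should go through ldappasswd or pam_ldap;
# this keeps local accounts working with passwd(1).
password  required    pam_unix.so                 no_warn try_first_pass

# /etc/nsswitch.conf  (only the lines relevant to this thread)
# "files" first keeps root and other local accounts resolvable even when
# the directory is down; "ldap" is answered by nss_ldap.
passwd:   files ldap
group:    files ldap
```

Before touching PAM, confirm the nsswitch side on its own: `getent passwd <ldapuser>` should return the directory entry, and `getent passwd root` should still answer instantly; if either hangs or fails, the login problem is in nss_ldap (reachability, bind credentials, timeouts), not in the kdm PAM stack.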