Date: Sun, 08 Mar 2009 17:30:02 -0400 From: Joe Kraft <jvk-list@thekrafts.org> To: freebsd-questions@freebsd.org Subject: Re: kde/kdm + nsswitch + ldap = nologon Message-ID: <gp1d9o$lpv$1@ger.gmane.org> References: <gou24v$afh$1@ger.gmane.org> <ade45ae90903070957n2be2cfefp67ca48e0ceb3e67b@mail.gmail.com> <gouuq6$r12$1@ger.gmane.org> <ade45ae90903071859h4eae2486nb07a4146708c78c0@mail.gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help
> > I'd like to duplicate your setup none-the-less to learn. Can you provide > all the pam files, showconfig for the openldap and kdm-related port so I > can run with the same port? > > gdm offers pam integration by the description. I'd be looking at options > in pam, and making sure the console logins work off pam too to make the > comparison to apples to apples the same. > > Please give me the showconfig from the items above. Was going to send as an e-mail to keep the gigantic post off the list, but my mailer went stupid this morning... OK...we'll start with the server. Note that while I'm using the SASL portion of the port, I'm not using any of the SASL type functionality yet. Just incase you missed the part from the original post... I ran into a bug report from last summer that appears to still be open with exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321). I get the same error messages and such, with any luck it's based on misconfiguration of something. I hope all of this helps. Joe. ============================ >From the ldap server: shadow# uname -a FreeBSD shadow.casa.local 6.3-STABLE FreeBSD 6.3-STABLE #1: Sat Apr 5 14:49:53 EDT 2008 joe@shadow.casa.local:/usr/obj/usr/src/sys/GENERIC i386 shadow# pkg_info |grep ldap nss_ldap-1.257 RFC 2307 NSS module openldap-sasl-client-2.4.11 Open source LDAP client implementation with SASL2 support openldap-sasl-server-2.4.11_2 Open source LDAP server implementation pam_ldap-1.8.4 A pam module for authenticating with LDAP shadow# cd /usr/ports/net/openldap24-server shadow# make showconfig ===> The following configuration options are available for openldap-sasl-server-2.4.11_2: SASL=on "With (Cyrus) SASL2 support" DNSSRV=off "With Dnssrv backend" PASSWD=off "With Passwd backend" PERL=off "With Perl backend" RELAY=off "With Relay backend" SHELL=off "With Shell backend (disables threading)" SOCK=off "With Sock backend" ODBC=off "With SQL backend" RLOOKUPS=off "With reverse lookups of client hostnames" SLP=off "With SLPv2 (RFC 2608) support" SLAPI=off "With Netscape SLAPI plugin API" TCP_WRAPPERS=on "With tcp wrapper support" BDB=on "With BerkeleyDB support" ACCESSLOG=off "With In-Directory Access Logging overlay" AUDITLOG=off "With Audit Logging overlay" CONSTRAINT=off "With Attribute Constraint overlay" DDS=off "Dynamic Directory Services overlay" DENYOP=off "With Deny Operation overlay" DYNGROUP=off "With Dynamic Group overlay" DYNLIST=off "With Dynamic List overlay" LASTMOD=off "With Last Modification overlay" MEMBEROF=off "With Reverse Group Membership overlay" PPOLICY=off "With Password Policy overlay" PROXYCACHE=off "With Proxy Cache overlay" REFINT=off "With Referential Integrity overlay" RETCODE=off "With Return Code testing overlay" RWM=off "With Rewrite/Remap overlay" SEQMOD=on "Sequential Modify overlay" SYNCPROV=on "With Syncrepl Provider overlay" TRANSLUCENT=off "With Translucent Proxy overlay" UNIQUE=off "With attribute Uniqueness overlay" VALSORT=off "With Value Sorting overlay" SMBPWD=off "With Samba Password hashes overlay" DYNAMIC_BACKENDS=on "Build dynamic backends" ===> Use 'make config' to modify these settings shadow# cat slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/schema/samba.schema pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args # Load dynamic backend modules: modulepath /usr/local/libexec/openldap moduleload back_bdb ####################################################################### ####################################################################### ## BDB database definitions ####################################################################### ####################################################################### ########## main part ########################## database bdb directory /var/db/openldap-data suffix dc=casa,dc=local rootdn cn=Manager,dc=casa,dc=local rootpw {crypt}PasswordGoesHere ######## access control ##################### access to * by * write # users can authenticate and change their password access to attrs=userPassword,sambaNTPassword,sambaLMPassword,sambaPwdLastSet,sambaPwdMustChange,shadowLastChange,shadowMax by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by dn="cn=nssldap,ou=DSA,dc=casa,dc=local" write by self write by anonymous auth by * none # some attributes need to be readable anonymously so that 'id user' can answer correctly access to attrs=objectClass,entry,homeDirectory,uid,uidNumber,gidNumber,memberUid by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by * read # somme attributes can be writable by users themselves access to attrs=description,telephoneNumber,roomNumber,homePhone,loginShell,gecos,cn,sn,givenname by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by self write by * read # some attributes need to be writable for samba access to attrs=cn,sambaLMPassword,sambaNTPassword,sambaPwdLastSet,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaPwdCanChange,sambaPwdMustChange,sambaAcctFlags,displayName,sambaHomePath,sambaHomeDrive,sambaLogonScript,sambaProfilePath,description,sambaUserWorkstations,sambaPrimaryGroupSID,sambaDomainName,sambaMungedDial,sambaBadPasswordCount,sambaBadPasswordTime,sambaPasswordHistory,sambaLogonHours,sambaSID,sambaSIDList,sambaTrustFlags,sambaGroupType,sambaNextRid,sambaNextGroupRid,sambaNextUserRid,sambaAlgorithmicRidBase,sambaShareName,sambaOptionName,sambaBoolOption,sambaIntegerOption,sambaStringOption,sambaStringListoption by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by self read by * none # samba need to be able to create the samba domain account access to dn.base="dc=casa,dc=local" by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by * none # samba need to be able to create new users account access to dn="ou=accounts,ou=people,dc=casa,dc=local" by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by * none # samba need to be able to create new groups account access to dn="ou=group,dc=casa,dc=local" by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by * none # samba need to be able to create new computers account access to dn="ou=machine,dc=casa,dc=local" by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by dn="cn=smbldap-tools,ou=DSA,dc=casa,dc=local" write by * none access to dn="ou=Idmap,dc=casa,dc=local" by dn="cn=samba,ou=DSA,dc=casa,dc=local" write by * none access to * by * read ######## indices ############################ # Indices to maintain index objectClass eq #index cn eq,sub #index sn eq,sub index mail eq,sub #index uid eq ## More indices for samba index cn pres,sub,eq index sn pres,sub,eq index uid pres,sub,eq index displayName pres,sub,eq index uidNumber eq index gidNumber eq index memberUid eq index sambaSID eq index sambaPrimaryGroupSID eq index sambaDomainName eq index default sub ## End Samba indicies shadow# cat /etc/nsswitch.conf group: files ldap winbind hosts: files dns wins networks: files passwd: files ldap winbind shells: files shadow# cat nss_ldap.conf @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $ # # This is the configuration file for the LDAP nameservice # switch library. # # PADL Software # http://www.padl.com # host 127.0.0.1 base dc=casa,dc=local binddn cn=nssldap,ou=DSA,dc=casa,dc=local bindpw nssldappwd rootbinddn cn=Manager,dc=casa,dc=local scope sub #timelimit 30 #bind_timelimit 30 #bind_policy hard -----default, check to see if soft works better bind_policy soft #nss_connect_policy persist #idle_timelimit 3600 #nss_schema rfc2307bis # RFC2307bis naming contexts # Syntax: # nss_base_XXX base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. nss_base_passwd ou=accounts,ou=people,dc=casa,dc=local?one nss_base_passwd ou=machine,dc=casa,dc=local?one nss_base_shadow ou=accounts,ou=people,dc=casa,dc=local?one nss_base_group ou=group,dc=casa,dc=local?one #nss_base_hosts ou=Hosts,dc=casa,dc=local?one #nss_base_services ou=Services,dc=casa,dc=local?one #nss_base_networks ou=Networks,dc=casa,dc=local?one #nss_base_protocols ou=Protocols,dc=casa,dc=local?one #nss_base_rpc ou=Rpc,dc=casa,dc=local?one #nss_base_ethers ou=Ethers,dc=casa,dc=local?one #nss_base_netmasks ou=Networks,dc=casa,dc=local?ne #nss_base_bootparams ou=Ethers,dc=casa,dc=local?one #nss_base_aliases ou=Aliases,dc=casa,dc=local?one #nss_base_netgroup ou=Netgroup,dc=casa,dc=local?one shadow# cat ldap.conf # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ # # This is the configuration file for the LDAP PAM module. # host 127.0.0.1 base dc=casa,dc=local binddn cn=nssldap,ou=DSA,dc=casa,dc=local bindpw nssldappwd rootbinddn cn=Manager,dc=casa,dc=local scope sub timelimit 30 ################################## ##### pam_ldap unique config ##### ################################## #pam_filter objectclass=posixAccount pam_login_attribute uid #pam_check_host_attr yes #pam_member_attribute uniquemember # Use the OpenLDAP password change # extended operation to update the password. #pam_password exop shadow# cd /etc/pam.d shadow# ls README ftp ftpd gdm imap kde login other passwd pop3 rsh sshd su system telnetd xdm shadow# cat login # # $FreeBSD: src/etc/pam.d/login,v 1.16 2003/06/14 12:35:05 des Exp $ # # PAM configuration for the "login" service # # auth auth required pam_nologin.so no_warn auth sufficient pam_self.so no_warn auth include system # account account requisite pam_securetty.so account include system # session session include system # password password include system shadow# cat system # # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $ # # System-wide defaults # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so try_first_pass ignore_authinfo_unavail auth required pam_unix.so try_first_pass nullok # account #account required pam_krb5.so account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_lastlog.so no_fail # password #password sufficient pam_krb5.so no_warn try_first_pass password sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass ignore_authinfo_unavail password required pam_unix.so no_warn try_first_pass shadow# cat other # # $FreeBSD: src/etc/pam.d/other,v 1.10 2003/04/30 21:57:54 markm Exp $ # # PAM configuration for the "other" service # # auth auth required pam_nologin.so no_warn auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so no_warn use_first_pass ignore_authinfo_unavail auth required pam_unix.so no_warn try_first_pass # account #account required pam_krb5.so account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_permit.so # password password required pam_permit.so ================================ On the client I have: [root@slug etc]# uname -a FreeBSD slug.casa.local 7.1-STABLE FreeBSD 7.1-STABLE #4: Sun Feb 15 22:47:46 EST 2009 root@slug.home.local:/usr/obj/usr/src/sys/SLUG i386 [root@slug openldap24-server]# pkg_info |grep ldap nss_ldap-1.264_1 RFC 2307 NSS module openldap-sasl-client-2.4.13 Open source LDAP client implementation with SASL2 support pam_ldap-1.8.4 A pam module for authenticating with LDAP root@slug etc]# cat nss_ldap.conf # @(#)$Id: ldap.conf,v 2.47 2006/05/15 08:13:44 lukeh Exp $ # # This is the configuration file for the LDAP nameservice # switch library. # # PADL Software # http://www.padl.com # host 10.0.1.100 base dc=casa,dc=local binddn cn=nssldap,ou=DSA,dc=casa,dc=local bindpw nssldappwd rootbinddn cn=Manager,dc=casa,dc=local scope sub #timelimit 30 #bind_timelimit 30 #bind_policy hard -----default, check to see if soft works better bind_policy soft #nss_connect_policy persist #idle_timelimit 3600 #nss_schema rfc2307bis # RFC2307bis naming contexts # Syntax: # nss_base_XXX base?scope?filter # where scope is {base,one,sub} # and filter is a filter to be &'d with the # default filter. nss_base_passwd ou=accounts,ou=people,dc=casa,dc=local?one nss_base_passwd ou=machine,dc=casa,dc=local?one nss_base_shadow ou=accounts,ou=people,dc=casa,dc=local?one nss_base_group ou=group,dc=casa,dc=local?one #nss_base_hosts ou=Hosts,dc=casa,dc=local?one #nss_base_services ou=Services,dc=casa,dc=local?one #nss_base_networks ou=Networks,dc=casa,dc=local?one #nss_base_protocols ou=Protocols,dc=casa,dc=local?one #nss_base_rpc ou=Rpc,dc=casa,dc=local?one #nss_base_ethers ou=Ethers,dc=casa,dc=local?one #nss_base_netmasks ou=Networks,dc=casa,dc=local?ne #nss_base_bootparams ou=Ethers,dc=casa,dc=local?one #nss_base_aliases ou=Aliases,dc=casa,dc=local?one #nss_base_netgroup ou=Netgroup,dc=casa,dc=local?one [root@slug etc]# cat ldap.conf # @(#)$Id: ldap.conf,v 1.38 2006/05/15 08:13:31 lukeh Exp $ # # This is the configuration file for the LDAP PAM module. # host 10.0.1.100 base dc=casa,dc=local binddn cn=nssldap,ou=DSA,dc=casa,dc=local bindpw nssldappwd rootbinddn cn=Manager,dc=casa,dc=local scope sub timelimit 30 #bind_timelimit 30 #bind_policy hard #idle_timelimit 3600 ################################## ##### pam_ldap unique config ##### ################################## #pam_filter objectclass=posixAccount pam_login_attribute uid #pam_check_host_attr yes #pam_member_attribute uniquemember # Use the OpenLDAP password change # extended operation to update the password. #pam_password exop [root@slug etc]# cat /etc/nsswitch.conf # # nsswitch.conf(5) - name service switch configuration file # $FreeBSD: src/etc/nsswitch.conf,v 1.1 2006/05/03 15:14:47 ume Exp $ # #group: files ldap group: files ldap winbind hosts: files dns wins networks: files #passwd: files passwd: files ldap winbind shells: files services: compat services_compat: nis protocols: files rpc: files [root@slug etc]# cat /etc/pam.d/login # # $FreeBSD: src/etc/pam.d/login,v 1.17 2007/06/10 18:57:20 yar Exp $ # # PAM configuration for the "login" service # # auth auth sufficient pam_self.so no_warn #auth sufficient pam_winbind.so no_warn auth include system # account account requisite pam_securetty.so account required pam_nologin.so account include system # session session include system # password password include system [root@slug etc]# cat /etc/pam.d/system # # $FreeBSD: src/etc/pam.d/system,v 1.1 2003/06/14 12:35:05 des Exp $ # # System-wide defaults # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail auth required pam_unix.so no_warn try_first_pass nullok # account #account required pam_krb5.so account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_lastlog.so no_fail # password #password sufficient pam_krb5.so no_warn try_first_pass #password sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail password required pam_unix.so no_warn try_first_pass [root@slug etc]# cat /etc/pam.d/kde # # $FreeBSD: src/etc/pam.d/kde,v 1.7 2007/06/10 18:57:20 yar Exp $ # # PAM configuration for the "kde" service # # auth #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass #auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail auth required pam_unix.so no_warn try_first_pass # account account required pam_nologin.so #account required pam_krb5.so #account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_permit.so [root@slug etc]# cat /etc/pam.d/other # # $FreeBSD: src/etc/pam.d/other,v 1.11 2007/06/10 18:57:20 yar Exp $ # # PAM configuration for the "other" service # # auth auth sufficient pam_opie.so no_warn no_fake_prompts auth requisite pam_opieaccess.so no_warn allow_local #auth sufficient pam_krb5.so no_warn try_first_pass #auth sufficient pam_ssh.so no_warn try_first_pass auth sufficient /usr/local/lib/pam_ldap.so no_warn try_first_pass ignore_authinfo_unavail auth required pam_unix.so no_warn try_first_pass # account account required pam_nologin.so #account required pam_krb5.so account required pam_login_access.so account sufficient /usr/local/lib/pam_ldap.so account required pam_unix.so # session #session optional pam_ssh.so session required pam_permit.so # password password required pam_permit.so root@slug etc]# pkg_info -W kdm /usr/local/bin/kdm was installed by package kdebase-3.5.10_1 [root@slug etc]# pkg_info -qo kdebase-3.5.10_1 x11/kdebase3 [root@slug etc]# cd /usr/ports/x11/kdebase3 [root@slug kdebase3]# make showconfig ===> The following configuration options are available for kdebase-3.5.10_2: ARTSWRAPPER=on "Suid wrapper for aRts, req'd for realtime prio" HAL=on "Use HAL backend for media:/" HTDIG=off "Depend on htdig, used to build manual indices" ===> Use 'make config' to modify these settings
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?gp1d9o$lpv$1>