From owner-freebsd-questions@FreeBSD.ORG Sun Mar 8 02:59:33 2009
Date: Sat, 7 Mar 2009 19:59:32 -0700
From: Tim Judd
To: jvk-list@thekrafts.org
Cc: freebsd-questions@freebsd.org
Subject: Re: kde/kdm + nsswitch + ldap = nologon
List-Id: User questions
On Sat, Mar 7, 2009 at 4:10 PM, Joe Kraft wrote:
> Tim Judd wrote:
>
> > On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft wrote:
> >
> >> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
> >> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> >> clients.
> >>
> >> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> >> setup and seems to be working fine, I can log in locally or through SSH
> >> using the ldap accounts.
> >>
> >> I'm working on the first client which is a FBSD 7.1 machine. I can use
> >> ldap to login on this machine, but I'm having issues with logging in
> >> using kdm. I can see all the users both from local files and from ldap,
> >> but I can't log in using either. Even when kdm won't allow a login, I
> >> can and get a normal login shell and login with local or ldap
> >> accounts. The ldap lines are included in my /etc/pam.d/kde file.
> >>
> >> If I remove ldap from the nsswitch.conf file it will start working with
> >> local logins on kdm again.
> >>
> >> I ran into a bug report from last summer that appears to still be open
> >> with exactly the same issue
> >> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
> >>
> >> Does anyone know a workaround or have a patch for the issue? I can
> >> provide config files and such if anyone thinks it might help.
> >>
> >> Thanks,
> >> Joe.
> >
> > True SSO is accomplished by Kerberos. Your LDAP implementation is
> > re-authenticating/re-authorizing on every service.
> >
> > I'm by NO means an expert with pam -- it confuses me, but there are some
> > basic concepts that I think there might be missing in your setup.
> >
> > First question I've got is shouldn't you need to create the rules for
> > kdm in a file called 'kdm' in pam?
> >
> > Second is that some options/arguments that pam can use such as
> > USE_FIRST_PASS would probably help you here.
> >
> > Third is whether the sufficient/required column in the pam file is
> > there.
> >
> > Now we have to deal with whether kdm uses pam or nsswitch. And if it
> > uses nsswitch, then we have to go through all that troubleshooting all
> > over again. Or maybe it doesn't even have any concept to use alternate
> > auth mechanisms other than just the local files...
> >
> > I'm only providing an insight to something your eyes may have
> > overlooked.
> >
> > I hope this triggers something to get it working. G'luck
>
> Thanks for the thoughts, I had Kerberos set up once when I was going the
> other way...with all clients working through an AD domain. I'm trying to
> go the other way now and get everything working through a Samba Domain.
> I might look into it again in the future once I get the basics working.
>
> I thought maybe I had it when you mentioned creating rules for kdm
> instead of kde in pam. Unfortunately it didn't work.
>
> kdm seems to use nsswitch to get the names, because if I use the line
> "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users as
> well as the local users with their icons down the left side of the login
> window. I just can't use them to login, no matter what I do it tells me
> my password is invalid. I can't even get it to login with a local account
> from 'files'. What I can do is drop to one of the other ttys and use an
> account with the same password that failed in kdm to login. I'm using
> the same pam file for login as I am for kde (and now kdm).
>
> All I have to do is change the line to "passwd: files" and I can login
> again with the local accounts through kdm.
>
> Certainly doesn't make sense to me right now...
>
> Joe.

I'd like to duplicate your setup nonetheless to learn. Can you provide all
the pam files, showconfig for the openldap and kdm-related port so I can
run with the same port? I use gnome at the moment, so here's what I did..
$ pkg_info -W gdm
/usr/local/sbin/gdm was installed by package gdm-2.20.8
$ pkg_info -qo gdm-2.20.8
x11/gdm
$ cd /usr/ports/x11/gdm
$ make showconfig
===> The following configuration options are available for gdm-2.20.8:
     IPV6=off (default) "Enable IPv6 support"
     KEYRING=on (default) "Enable GnomeKeyring/PAM integration"
     LOG_LIMIT=on (default) "Limit ~/.xsession-errors size"
===> Use 'make config' to modify these settings

gdm offers pam integration by the description. I'd be looking at options in
pam, and making sure the console logins work off pam too to make the
comparison apples to apples. Please give me the showconfig from the items
above.
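An illustrative /etc/pam.d/kdm that puts Tim's three points together (a service file of its own, a first-pass password option, and explicit sufficient/required control flags on every line). This is an added example, not a file from this thread; it assumes the module from the security/pam_ldap port lives at /usr/local/lib/pam_ldap.so, and it is meant for comparing the kdm stack line by line against the console login stack, not as a fix for the PR Joe cites.

```conf
# /etc/pam.d/kdm  (illustrative example, assumes security/pam_ldap installed
# its module at /usr/local/lib/pam_ldap.so; the file must be named after the
# PAM service name kdm actually requests, the thread mentions both kde and kdm)

# auth: ask for the password once via pam_unix, then hand that same password
# to pam_ldap with use_first_pass instead of prompting again.  Each backend is
# "sufficient", so the first one that accepts the password ends the stack; the
# trailing pam_deny makes a stack in which nothing succeeded fail explicitly.
auth        sufficient  pam_unix.so                 no_warn try_first_pass
auth        sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
auth        required    pam_deny.so

# account: local access policy first, then LDAP, then local expiry checks.
# ignore_unknown_user lets a purely local account pass through pam_ldap;
# ignore_authinfo_unavail keeps local logins working if the LDAP server is down.
account     required    pam_login_access.so
account     sufficient  /usr/local/lib/pam_ldap.so  ignore_unknown_user ignore_authinfo_unavail
account     required    pam_unix.so

# session: nothing display-manager specific is needed here
session     required    pam_permit.so

# password: same ordering as auth so a password change reaches the backend
# that actually holds the account
password    sufficient  pam_unix.so                 no_warn try_first_pass
password    sufficient  /usr/local/lib/pam_ldap.so  no_warn use_first_pass
password    required    pam_deny.so
```

If the console stack (/etc/pam.d/login, which includes /etc/pam.d/system) accepts the same account and kdm does not, the difference between the two files is where to start looking.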