From: George Mamalakis <mamalos@eng.auth.gr>
To: stable@freebsd.org
Date: Mon, 28 Mar 2011 19:26:24 +0300
Subject: Re: nsswitch problems
Message-ID: <4D90B6B0.80902@eng.auth.gr>
In-Reply-To: <4D904A31.8090107@eng.auth.gr>
References: <4D8B5501.5090802@eng.auth.gr> <4D904A31.8090107@eng.auth.gr>

On 28/03/2011 11:43, George Mamalakis wrote:
> On 24/03/2011 16:28, George Mamalakis wrote:
>> Hello everybody,
>>
>> In short:
>>
>> nsswitch seems not to honor (fully) the criteria and actions of
>> nsswitch.conf. A detailed analysis of my problem can be found on this
>> thread (it's on freebsd forums, and it hasn't been answered yet):
>>
>> http://forums.freebsd.org/showthread.php?t=22716
>>
>> Thank you all for your time and help in advance,
>>
>> I hope that somebody will help me realize how nsswitch works, so as
>> to see if and how caching may help me on an nss_ldap authenticated
>> configuration,
>>
>> regards,
>>
>> mamalos
>>
>
> Anybody having an idea on what might be wrong with the nsswitch
> mechanism?
>
> Have I used the wrong mailing list? Should I have used
> freebsd-questions instead?
>
> Thank you all for your time in advance.
>
> mamalos
>

Hmm, I found two more problems with nsswitch, regarding su(1) this time:

1) If I use SASL authentication in nss_ldap, then when I try to:

$ su -
Password:
#

On /var/log/messages I get the error:

Mar 28 18:17:03 mamalacation su: GSSAPI Error: Miscellaneous failure (see text) (open(/tmp/krb5cc_1001): No such file or directory^B)
Mar 28 18:17:03 mamalacation su: nss_ldap: could not search LDAP server - Server is unavailable

which is a bit peculiar, since 1001 is my default user (mamalos), and it
seems that su(1) tries to find a principal with a uid=1001 when it tries
to access nsswitch information, instead of using the sasl_authid user
from /usr/local/etc/nss_ldap.conf. If I use binddn=blabla, then
everything works just fine.

2) When my /etc/nsswitch.conf reads:

hosts: ldap files
group: ldap files

and I run:

$ id mamalos
uid=1001(mamalos) gid=513(Domain Users) groups=513(Domain Users),512(Domain Admins),0(wheel),814(puppet)

we see that mamalos is a member of the wheel group. But when I try to
su(1) to root I get a "BAD SU mamalos to root" in /var/log/messages.

When my /etc/nsswitch.conf reads:

hosts: files ldap
group: files ldap

and I run:

$ id mamalos
uid=1001(mamalos) gid=1001(mamalos) groups=1001(mamalos),0(wheel),814(puppet),512(Domain Admins)

then, su'ing to root works just fine.

The same holds when I run id(1) (with no arguments); in that case, the
system replies with the information it finds in the first resource (ldap
in the first example, files in the second) and stops.

That said, I come to two separate conclusions:

1) SASL authentication in nss_ldap doesn't seem to be fully functional.

2) It seems that some commands call functions that honor the
criteria/actions fields of /etc/nsswitch.conf, while other commands call
functions that don't (like id and getent).

Any comments on these issues are welcome,

mamalos

--
George Mamalakis

IT Officer
Electrical and Computer Engineer (Aristotle Un. of Thessaloniki),
MSc (Imperial College of London)

Department of Electrical and Computer Engineering
Faculty of Engineering
Aristotle University of Thessaloniki

phone number : +30 (2310) 994379
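To make the source-order behaviour described in the message concrete, here is an added Python model (not FreeBSD's libc, nsdispatch or nss_ldap code) of how nsswitch.conf source order and `[status=action]` criteria decide which source answers a lookup. The sample passwd/group data, the use of a `passwd:` line (the message's own config shows `hosts:`), and the rule that the primary gid comes from the first source to answer while supplementary memberships are merged from every source are assumptions chosen so the model reproduces the two id(1) outputs quoted above.

```python
import re

# Constructed sample sources modelled on the id(1) output quoted above (not real passwd/LDAP data):
# passwd: name -> (uid, primary gid); group: gid -> (name, explicitly listed members)
SOURCES = {
    "ldap": ({"mamalos": (1001, 513)},
             {513: ("Domain Users", set()), 512: ("Domain Admins", {"mamalos"})}),
    "files": ({"mamalos": (1001, 1001), "root": (0, 0)},
              {1001: ("mamalos", set()), 0: ("wheel", {"mamalos"}), 814: ("puppet", {"mamalos"})}),
}
# nsswitch.conf(5) default actions: stop at the first source that answers, otherwise keep going
DEFAULTS = {"success": "return", "notfound": "continue", "unavail": "continue", "tryagain": "continue"}

def parse_nsswitch(text):
    # {database: [(source, {status: action}), ...]}; "[notfound=return]" binds to the source before it
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        db, _, rest = line.partition(":")
        entries = []
        for tok in re.findall(r"\[[^\]]*\]|\S+", rest):
            if tok.startswith("["):
                for crit in tok[1:-1].split():
                    status, _, action = crit.partition("=")
                    entries[-1][1][status.lower()] = action.lower()
            else:
                entries.append((tok, dict(DEFAULTS)))
        conf[db.strip()] = entries
    return conf

def dispatch(conf, db, lookup):
    # consult sources in order; lookup(source) -> (status, value); the status's action decides whether to go on
    status, value = "notfound", None
    for source, actions in conf[db]:
        status, value = lookup(source)
        if actions.get(status, "continue") == "return":
            break
    return value if status == "success" else None

def getpwnam(conf, name):
    # uid and primary gid come from the first source that returns success (default success=return)
    def look(src):
        entry = SOURCES[src][0].get(name)
        return ("success", entry) if entry else ("notfound", None)
    return dispatch(conf, "passwd", look)

def getgrouplist(conf, name):
    # assumption: primary gid from passwd plus explicit memberships merged from every group source
    pw = getpwnam(conf, name)
    if pw is None: return None
    gids = {pw[1]}
    for source, _ in conf["group"]:
        gids |= {gid for gid, (_, members) in SOURCES[source][1].items() if name in members}
    return gids
```

With `passwd: ldap files` the model yields gid 513 and with `passwd: files ldap` gid 1001, matching the two id(1) lines, while `ldap [notfound=return] files` stops at LDAP and never reaches the local root entry.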