Date: Sat, 7 Mar 2009 19:59:32 -0700 From: Tim Judd <tajudd@gmail.com> To: jvk-list@thekrafts.org Cc: freebsd-questions@freebsd.org Subject: Re: kde/kdm + nsswitch + ldap = nologon Message-ID: <ade45ae90903071859h4eae2486nb07a4146708c78c0@mail.gmail.com> In-Reply-To: <gouuq6$r12$1@ger.gmane.org> References: <gou24v$afh$1@ger.gmane.org> <ade45ae90903070957n2be2cfefp67ca48e0ceb3e67b@mail.gmail.com> <gouuq6$r12$1@ger.gmane.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, Mar 7, 2009 at 4:10 PM, Joe Kraft <jvk-list@thekrafts.org> wrote: > Tim Judd wrote: > > > On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft <jvk-list@thekrafts.org> > wrote: > > > >> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The > >> intent is to use ldap directly for FBSD clients and Samba for MS Windows > >> clients. > >> > >> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is > >> setup and seems to be working fine, I can log in locally or through SSH > >> using the ldap accounts. > >> > >> I'm working on the first client which is a FBSD 7.1 machine. I can use > >> ldap to login on this machine, but I'm having issues with logging in > >> using > >> kdm. I can see all the users both from local files and from ldap, but I > >> can't log in using either. Even when kdm won't allow a login, I can > >> <ctrl><alt><F8> and get a normal login shell and login with local or > ldap > >> accounts. The ldap lines are included in my /etc/pam.d/kde file. > >> > >> If I remove ldap from the nsswitch.conf file it will start working with > >> local logins on kdm again. > >> > >> I ran into a bug report from last summer that appears to still be open > >> with exactly the same issue > >> (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321 ). > >> > >> Does anyone know a workaround or have a patch for the issue? I can > >> provide config files and such if anyone thinks it might help. > >> > >> Thanks, > >> Joe. > >> > > > > > > True SSO is accomplished by Kerberos. Your LDAP implementation is > > re-authenticating/re-authorizing on every service. > > > > I'm by NO means an expert with pam -- it confuses me, but there are some > > basic concepts that I think there might be missing in your setup. > > > > First question I've got is shouldn't you need to create the rules for kdm > > in a file called 'kdm' in pam? > > > > Second is that some options/arguments that pam can use such as > > USE_FIRST_PASS would probably help you here. > > > > Third is whether the sufficient/required column in the pam file is there. > > > > Now we have to deal weather kdm uses pam or nsswitch. And if it uses > > nsswitch, then we have to go through all that troubleshooting all over > > again. Or maybe it doesn't even have any concept to use alternate auth > > mechanisms other than just the local files... > > > > > > > > I'm only providing an insight to something your eyes may have overlooked. > > > > I hope this triggers something to get it working. G'luck > > > Thanks for the thoughts, I had Kerberos set up once when I was going the > other way...with all clients working through an AD domain. I'm trying to > go the other way now and get everything working through a Samba Domain. I > might look into it again in the future once I get the basics working. > > I thought maybe I had it when you mentioned creating rules for kdm instead > of kde in pam. Unfortunately it didn't work. > > kdm seems to use nsswitch to get the names, because if I use the > line "passwd: files ldap" in nsswitch.conf kdm shows me all the ldap users > as well as the local users with their icons down the left side of the login > window. I just can't use them to login, no matter what I do it tells me my > password is invalid. I can't even get it to login with a local account > from 'files'. What I can do is drop to one of the other ttys and use an > accounts with the same password that failed in kdm to login. I'm using the > same pam file for login as I am for kde (and now kdm). > > All I have to do is change the line to "passwd: files" and I can login > again > with the local accounts through kdm again. > > Certainly doesn't make sense to me right now... > > Joe. > I'd like to duplicate your setup none-the-less to learn. Can you provide all the pam files, showconfig for the openldap and kdm-related port so I can run with the same port? I use gnome at the moment, so here's what I did.. $ pkg_info -W gdm /usr/local/sbin/gdm was installed by package gdm-2.20.8 $ pkg_info -qo gdm-2.20.8 x11/gdm $ cd /usr/ports/x11/gdm $ make showconfig ===> The following configuration options are available for gdm-2.20.8: IPV6=off (default) "Enable IPv6 support" KEYRING=on (default) "Enable GnomeKeyring/PAM integration" LOG_LIMIT=on (default) "Limit ~/.xsession-errors size" ===> Use 'make config' to modify these settings gdm offers pam integration by the description. I'd be looking at options in pam, and making sure the console logins work off pam too to make the comparison to apples to apples the same. Please give me the showconfig from the items above.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?ade45ae90903071859h4eae2486nb07a4146708c78c0>