Date: Sat, 7 Mar 2009 10:57:37 -0700
From: Tim Judd <tajudd@gmail.com>
To: Joe Kraft <jvk-list@thekrafts.org>
Cc: freebsd-questions@freebsd.org
Subject: Re: kde/kdm + nsswitch + ldap = nologon
Message-ID: <ade45ae90903070957n2be2cfefp67ca48e0ceb3e67b@mail.gmail.com>
In-Reply-To: <gou24v$afh$1@ger.gmane.org>
References: <gou24v$afh$1@ger.gmane.org>
On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft <jvk-list@thekrafts.org> wrote:
> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend. The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
>
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> set up and seems to be working fine; I can log in locally or through SSH
> using the ldap accounts.
>
> I'm working on the first client, which is a FBSD 7.1 machine. I can use
> ldap to log in on this machine, but I'm having issues with logging in using
> kdm. I can see all the users both from local files and from ldap, but I
> can't log in using either. Even when kdm won't allow a login, I can
> <ctrl><alt><F8> and get a normal login shell and log in with local or ldap
> accounts. The ldap lines are included in my /etc/pam.d/kde file.
>
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
>
> I ran into a bug report from last summer that appears to still be open with
> exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
>
> Does anyone know a workaround or have a patch for the issue? I can provide
> config files and such if anyone thinks it might help.
>
> Thanks,
> Joe.

True SSO is accomplished by Kerberos. Your LDAP implementation is re-authenticating/re-authorizing on every service.

I'm by NO means an expert with pam -- it confuses me, but there are some basic concepts that I think might be missing in your setup.

The first question I've got is: shouldn't you need to create the rules for kdm in a file called 'kdm' in pam?

Second is that some options/arguments that pam can use, such as USE_FIRST_PASS, would probably help you here.

Third is whether the sufficient/required column in the pam file is there.

Now we have to deal with whether kdm uses pam or nsswitch. And if it uses nsswitch, then we have to go through all that troubleshooting all over again. Or maybe it doesn't even have any concept to use alternate auth mechanisms other than just the local files...

I'm only providing an insight to something your eyes may have overlooked. I hope this triggers something to get it working.

G'luck
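A sketch of the /etc/pam.d/kdm stack that the three suggestions above point at (a kdm-specific file, a first-pass option, and explicit sufficient/required control flags). This is an illustration added here, not a file from the thread, from FreeBSD or from KDE; it assumes the ports pam_ldap module lives at /usr/local/lib/pam_ldap.so and that the display manager asks PAM for the service name "kdm".

```text
# /etc/pam.d/kdm  (constructed example; adjust module paths to your install)
#
# Control flags decide how a stack resolves:
#   sufficient - success ends the group immediately; failure is ignored
#   required   - failure makes the group fail, but the rest still runs
# Keep pam_unix last and "required" so local accounts (root included) still
# work when the LDAP server is down; only the LDAP users lose access then.
#
# try_first_pass lets the second module reuse the password the first one
# collected, and fall back to prompting if none was stored. use_first_pass
# never prompts, which silently fails when an earlier module asked nothing.

# auth
auth        sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
auth        required    pam_unix.so                  no_warn try_first_pass

# account
account     sufficient  /usr/local/lib/pam_ldap.so   no_warn
account     required    pam_unix.so

# session
session     required    pam_permit.so

# password
password    sufficient  /usr/local/lib/pam_ldap.so   no_warn try_first_pass
password    required    pam_unix.so                  no_warn try_first_pass

# Note: this file only governs PAM. Name lookups (getpwnam via the "ldap"
# entry in nsswitch.conf) are a separate path; if kdm still fails with this
# stack in place, the hang is in the nsswitch side, not in PAM.
```

Test the stack from the text console first (the <ctrl><alt><F8> shell mentioned in the thread) with both a local and an LDAP user; a broken kdm stack otherwise locks you out of the graphical login while giving no error beyond a refused password.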