wireshark shows successful ldap searches, but no nss or pam stuff works

by philoertel

I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to authenticate people against our AD server. But I've broken everything. I can ssh and su as root. ssh as my regular user (who's both in ldap and /etc/passwd) just hangs. ssh or su as any user in ldap but not in /etc/passwd errors: "unknown id: test". getent passwd shows only users in /etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user> fails with id: <ldap-user>: No such user. libnss-ldap is installed, and strace shows su is checking nss, or at least it's opening the config files.

According to wireshark, there's a lot of successful-looking ldap activity for each of these things. For both su poertel and id poertel there's a search for people with sAMAccountName=poertel, and there's one response. For getent passwd, there's a search for all people with objectclass=user, and all the results I would expect are returned. Even my su <ldap-user> and id <ldap-user> generate ldap queries for that user, and the AD server sends the right result. Strangely though, for my ssh poertel, there's some extra ldap querying: search CN=Configuration (sAMAccountName=poertel), search DC=ForestDnsZones (same condition), DC=DomainDnsZones (same condition). None of those three queries come back with any results. My ssh <ldap-user> doesn't generate those extra queries.

Here are my configuration files for ldap and nss:
http://www.nabble.com/file/p24518891/ldap.conf ldap.conf
http://www.nabble.com/file/p24518891/libnss-ldap.conf libnss-ldap.conf

nsswitch has passwd, shadow, and group set to "files ldap"

This has been so confusing and difficult. Thanks for any advice.

Re: wireshark shows successful ldap searches, but no nss or pam stuff works

by Cove Schneider

I'm not sure your bases are quite right:
nss_base_passwd ou=People,
nss_base_shadow ou=People,
nss_base_group ou=Groups,

Maybe try:
nss_base_passwd ou=People,dc=soliantconsulting,dc=com
nss_base_shadow ou=People,dc=soliantconsulting,dc=com
nss_base_group ou=Groups,dc=soliantconsulting,dc=com

Also, you'll want rfc3407 enabled so the group memberships work:
nss_schema rfc2307bis
Lastly, you'll want to enable paging when using AD.
Hope that helps,
Cove

From: philoertel <phillipao@...>
To: nssldap@...
Sent: Thursday, July 16, 2009 10:49:59 AM
Subject: [nssldap] wireshark shows successful ldap searches, but no nss or pam stuff works


I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to
authenticate people against our AD server. But I've broken everything. I can
ssh and su as root. ssh as my regular user (who's both in ldap and
/etc/passwd) just hangs. ssh or su as any user in ldap but not in
/etc/passwd errors: "unknown id: test". getent passwd shows only users in
/etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user> fails
with id: <ldap-user>: No such user. libnss-ldap is installed, and strace
shows su is checking nss, or at least it's opening the config files.

According to wireshark, there's a lot of successful-looking ldap activity
for each of these things. for both su poertel and id peortel there's a
search for people with sAMAccountName=poertel, and there's one response. For
getent password, there's a search for all people with objectclass=user, and
all the results i would expect are returned. even my su <ldap-user> and id
<ldap-user> generate ldap queries for that user, and the AD server sends the
right result. Strangely though, for my ssh poertel, there's some extra ldap
querying: search CN=Configuration (sAMAccountName=poertel), search
DC=ForestDnsZones (same condition), DC=DomainDnsZones (same condition). None
of those three queries come back with any results. My ssh <ldap-user>
doesn't generate those extra queries.

here are my configuration files for ldap and nss:
http://www.nabble.com/file/p24518891/ldap.conf ldap.conf
http://www.nabble.com/file/p24518891/libnss-ldap.conf libnss-ldap.conf

nsswitch has passwd, shadow, and group set to "files ldap"

This has been so confusing and difficult. Thanks for any advice.
Re: wireshark shows successful ldap searches, but no nss or pam stuff works

by guillomovitch

philoertel wrote:
> I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to
> authenticate people against our AD server. But I've broken everything. I can
> ssh and su as root. ssh as my regular user (who's both in ldap and
> /etc/passwd) just hangs. ssh or su as any user in ldap but not in
> /etc/passwd errors: "unknown id: test". getent passwd shows only users in
> /etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user> fails
> with id: <ldap-user>: No such user. libnss-ldap is installed, and strace
> shows su is checking nss, or at least it's opening the config files.
Not really what you expect, but:
- why do you have users both in local (/etc/passwd) and remote (ldap)
databases?
- are you sure AD has enough information to be used as a Unix account
database? More specifically, I don't think there is anything such as gid and
uid there...

--
BOFH excuse #92:

Stale file handle (next time use Tupperware(tm)!)

Re: wireshark shows successful ldap searches, but no nss or pam stuff works

by philoertel

Thanks for the responses!

See, I saw a post somewhere else suggesting there might be a problem with not having uid and gid. But I thought this was a common thing and there must be a way. I definitely don't have uid in AD. If I can get my AD admins to work with me, can I just add random uids (>1000)? I don't really understand why they have to be there for this to work, so I can't figure out if there's a reasonable workaround.

I have users both local and remote because remote doesn't work! But I think this is the normal way, right? Because root's always going to be local? And at any rate it shouldn't cause any problems.

Guillaume Rousse wrote:
philoertel wrote:
> I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to
> authenticate people against our AD server. But I've broken everything. I can
> ssh and su as root. ssh as my regular user (who's both in ldap and
> /etc/passwd) just hangs. ssh or su as any user in ldap but not in
> /etc/passwd errors: "unknown id: test". getent passwd shows only users in
> /etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user> fails
> with id: <ldap-user>: No such user. libnss-ldap is installed, and strace
> shows su is checking nss, or at least it's opening the config files.
Not really what you expect, but:
- why do you have users both in local (/etc/passwd) and remote (ldap)
databases?
- are you sure AD has enough information to be used as a Unix account
database? More specifically, I don't think there is anything such as gid and
uid there...

--
BOFH excuse #92:

Stale file handle (next time use Tupperware(tm)!)

Re: wireshark shows successful ldap searches, but no nss or pam stuff works

by Douglas E. Engert

philoertel wrote:

> Thanks for the responses!
>
> See I saw a post somewhere else suggesting there might be a problem with not
> having uid and gid. But I thought this was a common thing and there must be
> a way. I definitely don't have uid in AD. If I can get my AD admins to work
> with me, can I just add random uids (>1000)? I don't really understand why
> they have to be there for this to work, so I can't figure out if there's a
> reasonable workaround.
>
> I have users both local and remote because remote doesn't work! But I think
> this is the normal way right? Because root's always going to be local? And
> at any rate it shouldn't cause any problems.
>
>
> Guillaume Rousse wrote:
>> philoertel wrote:
>>> I'm at wit's end. I'm trying to set up pam on my Debian 4.1.2 box to
>>> authenticate people against our AD server.

You may also want to look at treating authentication separate from
authorization. You can then use Kerberos for authentication to AD,
and do the authorization to local file, NIS, or LDAP either as a
separate server, or to AD.

In this case pam_krb5 is used, and nsswitch for password and groups
can use LDAP without using pam_ldap.

Kerberos does not need the UID and GIDs, but the passwd and groups
mapping do, so if you use LDAP to AD for authorization, AD will need the
UID and GIDs.

Google for: windows ldap uid gid

and also look at Samba.


>>> But I've broken everything. I can
>>> ssh and su as root. ssh as my regular user (who's both in ldap and
>>> /etc/passwd) just hangs. ssh or su as any user in ldap but not in
>>> /etc/passwd errors: "unknown id: test". getent passwd shows only users in
>>> /etc/passwd. id root works, id poertel (me) hangs, and id <ldap-user>
>>> fails
>>> with id: <ldap-user>: No such user. libnss-ldap is installed, and strace
>>> shows su is checking nss, or at least it's opening the config files.
>> Not really what you expect, but:
>> - why do you have users both in local (/etc/passwd) and remote (ldap)
>> databases?
>> - are you sure AD has enough information to be used as a Unix account
>> database? More specifically, I don't think there is anything such as gid and
>> uid there...
>>
>> --
>> BOFH excuse #92:
>>
>> Stale file handle (next time use Tupperware(tm)!)
>>
>>
>

--

  Douglas E. Engert  <DEEngert@...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
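An added diagnostic (not code from this thread, from nss_ldap or from AD) for the two points raised above: Cove's truncated nss_base_passwd values, and the uid/gid that Guillaume and Douglas say the passwd and group mapping needs. It parses a small LDIF export of AD user entries and reports, per account, whether the DN sits under the configured base and whether the RFC 2307 uidNumber/gidNumber attributes are present. The LDIF and the example.com DNs are constructed sample data.

```python
# Added diagnostic: check whether AD user entries carry what nss_ldap needs.
# The LDIF below is constructed sample data (example.com), not a real export.
SAMPLE_LDIF = """\
dn: CN=poertel,OU=People,DC=example,DC=com
objectClass: user
sAMAccountName: poertel
uidNumber: 10001
gidNumber: 10000
unixHomeDirectory: /home/poertel
loginShell: /bin/bash

dn: CN=test,OU=People,DC=example,DC=com
objectClass: user
sAMAccountName: test
"""

# RFC 2307 / SFU attributes without which nss_ldap cannot build a passwd entry.
REQUIRED = ("uidNumber", "gidNumber")


def parse_ldif(text):
    """Return one {attribute: [values]} dict per entry (plain 'attr: value' lines only)."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends an entry
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(": ")
        cur.setdefault(attr, []).append(val)
    if cur:
        entries.append(cur)
    return entries


def check_entries(text, nss_base_passwd):
    """Map sAMAccountName -> list of problems for the given nss_base_passwd value."""
    # nss_ldap allows an optional '?scope' suffix on nss_base_* values; ignore it.
    base = nss_base_passwd.split("?")[0].strip().lower()
    report = {}
    for entry in parse_ldif(text):
        name = entry.get("sAMAccountName", ["?"])[0]
        problems = []
        # A truncated base such as 'ou=People,' never matches a real DN.
        if not entry["dn"][0].lower().endswith(base):
            problems.append("dn outside nss_base_passwd")
        problems += ["missing " + a for a in REQUIRED if a not in entry]
        report[name] = problems
    return report


if __name__ == "__main__":
    for base in ("ou=People,", "ou=People,dc=example,dc=com"):
        print(base, check_entries(SAMPLE_LDIF, base))
```

Run it against a real export (ldapsearch -LLL output) to see which accounts nss_ldap will refuse to map and why.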

Re: wireshark shows successful ldap searches, but no nss or pam stuff works

by guillomovitch

Douglas E. Engert wrote:

>
>
> philoertel wrote:
>> Thanks for the responses!
>>
>> See I saw a post somewhere else suggesting there might be a problem
>> with not
>> having uid and gid. But I thought this was a common thing and there
>> must be
>> a way. I definitely don't have uid in AD. If I can get my AD admins to
>> work
>> with me, can I just add random uids (>1000)? I don't really understand
>> why
>> they have to be there for this to work, so I can't figure out if
>> there's a
>> reasonable workaround.
I don't think you can freely add additional information in AD, though I'm
not an expert. Indeed, mapping information (login <-> uid) does not
necessarily have to be there.

>> I have users both local and remote because remote doesn't work! But I
>> think
>> this is the normal way right? Because root's always going to be local?
>> And
>> at any rate it shouldn't cause any problems.
It's fine to have local and remote users, provided they are distinct sets
of users. Otherwise, you're going to run into various kinds of trouble.

[..]
> and also look at Samba.
And more specifically at winbind.

Re: wireshark shows successful ldap searches, but no nss or pam stuff works

by Douglas E. Engert

Guillaume Rousse wrote:

> Douglas E. Engert wrote:
>>
>>
>> philoertel wrote:
>>> Thanks for the responses!
>>>
>>> See I saw a post somewhere else suggesting there might be a problem
>>> with not
>>> having uid and gid. But I thought this was a common thing and there
>>> must be
>>> a way. I definitely don't have uid in AD. If I can get my AD admins
>>> to work
>>> with me, can I just add random uids (>1000)? I don't really
>>> understand why
>>> they have to be there for this to work, so I can't figure out if
>>> there's a
>>> reasonable workaround.
> I don't think you can freely add additional information in AD, though I'm
> not an expert. Indeed, mapping information (login <-> uid) does not
> necessarily have to be there.

See the Microsoft SFU that does provide for using AD for unix and ldap.
I believe W 2003 has the schema built in.

See these for more info:

http://www.padl.com/Articles/ActiveDirectoryandtheNISL.html

http://technet.microsoft.com/en-us/library/bb463150.aspx

>
>>> I have users both local and remote because remote doesn't work! But I
>>> think
>>> this is the normal way right? Because root's always going to be
>>> local? And
>>> at any rate it shouldn't cause any problems.
> It's fine to have local and remote users, provided they are distinct sets
> of users. Otherwise, you're going to run into various kinds of trouble.
>
> [..]
>> and also look at Samba.
> And more specifically at winbind.
>
>

--

  Douglas E. Engert  <DEEngert@...>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444