NSCD and LDAP
I'm having a tough time trying to find an explanation for the following behaviour, maybe someone here can point me in the right direction.
I have configured a system (centos5 2.6.18-53.el5 x64) to authenticate against AD using kerberos and use LDAP for user/group info. If NSCD is running, I can login as any user in my LDAP tree, if it isn't, I can't.
binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member
It's very likely I've misconfigured and/or misunderstood something, but I so would love to understand! Man pages and Google haven't really come up with anything... Help would be much appreciated.
The program nscd is just a cache daemon to speed up queries/searches for user names, host lookups, etc.
Maybe without this cache the authentication program times out and the login is denied.
Take a look at /etc/nsswitch.conf.
This configuration file tells the resolver the order in which several sources are searched.
Try to put ldap as the first source in the passwd entry (I assume ldap is already there; just put it as the first entry).
Now, if you can log in without nscd, it is because ldap was answering first and no timeouts are occurring.
...but I am just guessing :)
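The reply above suggests changing the source order in /etc/nsswitch.conf and blames a timeout. The script below is an added example (not from the thread, nscd or nss_ldap) that makes both things visible: it reads the source order for the passwd, shadow and group databases and times the same lookups a login or su performs, so a slow LDAP answer shows up as elapsed seconds instead of being masked by nscd's cache. The embedded nsswitch.conf content is a constructed sample, since the thread never shows the real file.

```shell
#!/bin/sh
# nss_probe.sh: show which sources nsswitch.conf consults for a database and
# time the lookups that login and su go through, so a slow or hanging LDAP
# answer (which nscd would otherwise hide behind its cache) becomes visible.
# Added example, not from the thread; the sample nsswitch.conf below is
# constructed, since the thread never shows the real file.

SAMPLE_NSSWITCH='# constructed sample; the real file is /etc/nsswitch.conf
passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns
netgroup:   files'

# Print the source list for one database ("files ldap"), stripping comments
# and collapsing whitespace. $1 = database, $2 = file (default /etc/nsswitch.conf).
nss_sources() {
    nss_db=$1
    nss_file=${2:-/etc/nsswitch.conf}
    sed -n "s/^[[:space:]]*${nss_db}:[[:space:]]*//p" "$nss_file" \
        | sed 's/#.*//' | tr -s ' \t' ' ' | sed 's/ *$//' | head -n 1
}

# Print only the source consulted first ("files" or "ldap").
first_source() {
    nss_sources "$1" "$2" | cut -d ' ' -f 1
}

# Return 0 when ldap is consulted at all for the database, 1 otherwise.
uses_ldap() {
    case " $(nss_sources "$1" "$2") " in
        *" ldap "*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Time one lookup command; print the command, its exit status and the elapsed
# seconds. A lookup that takes about as long as the nss_ldap bind_timelimit or
# timelimit values is the timeout the reply above is talking about.
timed() {
    t_start=$(date +%s)
    "$@" >/dev/null 2>&1
    t_rc=$?
    t_end=$(date +%s)
    echo "$* -> rc=$t_rc elapsed=$((t_end - t_start))s"
    return $t_rc
}

# Run the lookups a login or su actually performs for one user: the passwd
# entry, initgroups (supplementary groups, via id) and the group database.
lookup_probe() {
    probe_user=$1
    timed getent passwd "$probe_user"
    timed id "$probe_user"
    timed getent group
}

# Usage: nss_probe.sh <user> [nsswitch.conf]
#   Stop nscd first (service nscd stop) to see the uncached timings, then
#   compare with nscd running; "nscd -g" prints its hit/miss statistics and
#   "nscd -i passwd" drops the cached passwd entries.
if [ $# -gt 0 ]; then
    for db in passwd shadow group; do
        echo "$db: $(nss_sources "$db" "$2") (first: $(first_source "$db" "$2"))"
    done
    lookup_probe "$1"
fi
```

Run it once with nscd stopped and once with it running; if the uncached `getent passwd` or `id` call takes several seconds, the directory, not PAM, is where the time goes.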
Thanks for replying. I realise what NSCD is used for, the problem I'm having is that I can't figure out why it has to be running to perform certain functions.
For example, without it running I *can* log in using kerberos and ldap but I cannot su to another user, I get:
Jul 7 08:37:21 localhost su: pam_unix(su-l:session): session opened for user paul.mccartney by john.lennon(uid=10003)
Jul 7 08:37:22 localhost su: pam_keyinit(su-l:session): Unable to change UID back to 0
Jul 7 08:37:22 localhost su: pam_unix(su-l:session): session closed for user john.lennon
If NSCD is running, I can su... I am having trouble spotting config errors.
There is probably something wrong with my PAM config:
auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass use_shmem=sshd
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_krb5.so
account required pam_permit.so
password requisite pam_cracklib.so retry=3
password sufficient pam_krb5.so use_authtok
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so external use_shmem=sshd
I don't think it is a PAM-related issue.
I already had a similar problem a long time ago and it was related to the authentication timeout. At that time I solved it using nscd; the time to get a valid answer was smaller and then the authentication completed on time.
Did you try to put ldap at the front of the list in /etc/nsswitch.conf, just to test?
Jul 8 08:08:32 localhost su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session opened for user root by paul.mccartney(uid=10001)
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session closed for user root
Nothing else of consequence is logged in messages. What could be timing out? LDAP queries? Whether I query files first and ldap afterwards or vice versa, it makes no difference. In the log excerpt above, I'm trying to su to root. Authentication is successful, as if I try to su - and type a wrong password I get:
Jul 8 08:26:12 localhost su: pam_unix(su-l:auth): authentication failure; logname=paul.mccartney uid=10001 euid=0 tty=pts/3 ruser=paul.mccartney rhost= user=root
Thanks for the suggestions though...
For reference, got a little further with this. It has something to do with "ssl yes" in ldap.conf. Set it to "ssl no" and we can su to our hearts' content...
Good to know!
But how is it related to nscd running or not? :scratch:
Anyway, I'm glad you figured out how to log in.
This thread could be a reference for someone in the future, for sure.
Thanks for closing the thread.
If you are a RHEL or CentOS user, there was a bug in nss_ldap that was causing this behavior. The package nss_ldap-253-13.el5_2.1.i386.rpm fixed it for me and a bugfix advisory was put out two days ago (RHBA-2008:0611-3).
Hope that helps you!
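The "ssl yes" finding a few posts up and the nss_ldap package fix in the reply above point at the transport between nss_ldap and the directory. The script below is an added example (not from the thread, nss_ldap or Red Hat) that reads the relevant /etc/ldap.conf options, states which transport the ssl setting selects, flags the two settings worth checking, and composes the ldapsearch command that exercises the same connection. The embedded ldap.conf is a constructed sample (the thread shows only the attribute-mapping lines); dc1.pcitest2.com and the CA certificate path are placeholders. Note that "ssl no" sends the binddn password and every lookup across the wire unencrypted, so it is a diagnostic step, and the package update is the fix.

```shell
#!/bin/sh
# ldap_transport_check.sh: read the nss_ldap /etc/ldap.conf settings that
# decide how the directory is reached, say what transport "ssl" selects, and
# build the matching ldapsearch probe. Added example, not from the thread;
# the sample file below is constructed (the thread shows only the mapping
# lines), and dc1.pcitest2.com and the CA path are placeholders.

SAMPLE_LDAP_CONF='# constructed sample; the real file is /etc/ldap.conf
uri ldaps://dc1.pcitest2.com/
base dc=pcitest2,dc=com
binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
ssl yes
tls_checkpeer yes
tls_cacertfile /etc/openldap/cacerts/ad-root.pem
bind_timelimit 10
timelimit 10'

# Print the value of one option (first occurrence). $1 = key, $2 = file.
ldap_option() {
    sed -n "s/^[[:space:]]*$1[[:space:]]\{1,\}//p" "$2" | sed 's/[[:space:]]*$//' | head -n 1
}

# Map nss_ldap's ssl setting to the transport it selects.
#   yes       -> ldaps: TLS from the first byte (port 636 unless the uri says otherwise)
#   start_tls -> STARTTLS upgrade on the plain LDAP port
#   no/unset  -> cleartext: the binddn password and every lookup cross the wire unencrypted
ssl_transport() {
    case "$1" in
        yes)       echo ldaps ;;
        start_tls) echo starttls ;;
        no|"")     echo cleartext ;;
        *)         echo unknown ;;
    esac
}

# Report the transport plus the checks worth making before trusting it:
# cleartext leaks credentials, and TLS without tls_checkpeer does not verify
# the server certificate.
transport_report() {   # $1 = file
    r_ssl=$(ssl_transport "$(ldap_option ssl "$1")")
    r_peer=$(ldap_option tls_checkpeer "$1")
    echo "transport=$r_ssl"
    case "$r_ssl" in
        cleartext) echo "warning: binddn password and lookups are sent unencrypted" ;;
        ldaps|starttls)
            if [ "$r_peer" != yes ]; then
                echo "warning: tls_checkpeer is not yes, the server certificate is not verified"
            fi ;;
    esac
}

# Compose the ldapsearch command that uses the same transport as the NSS
# lookups: a base-scope read of the search base, bound as binddn (-W prompts
# for the password). -ZZ demands a successful STARTTLS; for ssl yes the uri
# itself must be ldaps://.
probe_cmd() {   # $1 = file
    p_uri=$(ldap_option uri "$1")
    p_base=$(ldap_option base "$1")
    p_binddn=$(ldap_option binddn "$1")
    p_ssl=$(ssl_transport "$(ldap_option ssl "$1")")
    if [ "$p_ssl" = starttls ]; then p_flags=" -ZZ"; else p_flags=""; fi
    echo "ldapsearch -x$p_flags -H '$p_uri' -D '$p_binddn' -W -b '$p_base' -s base '(objectclass=*)' dn"
}

# Usage: ldap_transport_check.sh [/etc/ldap.conf]
if [ $# -gt 0 ]; then
    transport_report "$1"
    echo "probe: $(probe_cmd "$1")"
fi
```

If the composed ldapsearch command hangs or fails with a certificate error while "ssl no" works, the TLS side of the connection is where to look (CA file, hostname in the certificate, the nss_ldap version), rather than the PAM stack.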
Sir, I take my hat off to you. I upgraded the package as directed and everything works like a charm. I can finally put this one to bed!