LinuxQuestions.org
Old 07-04-2008, 10:22 AM   #1
Rowley
Member
Registered: Jul 2008
Distribution: Solaris 10, OpenSolaris, CentOS 5
Posts: 40

NSCD and LDAP


Hi

I'm having a tough time trying to find an explanation for the following behaviour, maybe someone here can point me in the right direction.

I have configured a system (centos5 2.6.18-53.el5 x64) to authenticate against AD using kerberos and use LDAP for user/group info. If NSCD is running, I can login as any user in my LDAP tree, if it isn't, I can't.

My /etc/ldap.conf:

host 192.168.201.62
base dc=PCITest2,dc=com
uri ldap://192.168.201.62/
uri ldaps://pcitestdc2.pcitest2.com/

binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
bindpw SomePass
scope sub

timelimit 30
bind_timelimit 30
idle_timelimit 3600
referrals no

nss_base_passwd ou=Staff,dc=PCITest2,dc=com?sub
nss_base_shadow ou=Staff,dc=PCITest2,dc=com?sub
nss_base_group ou=Staff,dc=PCITest2,dc=com?sub

nss_initgroups_ignoreusers root,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_attribute uid sAMAccountName
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute shadowLastChange pwdLastSet
nss_map_objectclass posixGroup group
nss_map_attribute uniqueMember member

pam_login_attribute sAMAccountName
pam_filter objectclass=User
pam_password ad
pam_groupdn ou=Staff,dc=PCITest2,dc=com?sub

ssl yes
tls_certdir /etc/openldap/cacerts



It's very likely I've misconfigured and/or misunderstood something, but I so would love to understand! Man pages and Google haven't really come up with anything... help would be much appreciated.

Last edited by Rowley; 07-04-2008 at 10:44 AM. Reason: Included OS version

Old 07-04-2008, 12:18 PM   #2
marozsas
Senior Member
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

The program nscd is just a cache daemon to speed up queries/searches for user names, host lookups, etc.
Maybe without this cache the authentication program times out and the login is denied.

Take a look at /etc/nsswitch.conf.
This configuration file tells the resolver the order in which to search the several sources.
Try to put ldap as the first source in the passwd entry (I assume ldap is already there, just put it as the first entry).

Now, if you can log in without nscd, then it is because ldap was answering first and no timeouts are occurring.

...but I am just guessing
 
Old 07-07-2008, 02:50 AM   #3
Rowley
Member
Registered: Jul 2008
Distribution: Solaris 10, OpenSolaris, CentOS 5
Posts: 40

Original Poster
Thanks for replying. I realise what NSCD is used for, the problem I'm having is that I can't figure out why it has to be running to perform certain functions.

For example, without it running I *can* log in using kerberos and ldap but I cannot su to another user, I get:

Jul 7 08:37:21 localhost su: pam_unix(su-l:session): session opened for user paul.mccartney by john.lennon(uid=10003)
Jul 7 08:37:22 localhost su: pam_keyinit(su-l:session): Unable to change UID back to 0
Jul 7 08:37:22 localhost su: pam_unix(su-l:session): session closed for user john.lennon


If NSCD is running, I can su...I am having trouble spotting config errors.
There is probably something wrong with my PAM config:

auth required pam_env.so
auth sufficient pam_krb5.so use_first_pass use_shmem=sshd
auth sufficient pam_unix.so likeauth nullok
auth required pam_deny.so

account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 100 quiet
account required pam_krb5.so
account required pam_permit.so

password requisite pam_cracklib.so retry=3
password sufficient pam_krb5.so use_authtok
password sufficient pam_unix.so nullok use_authtok md5 shadow
password required pam_deny.so

session required pam_mkhomedir.so skel=/etc/skel umask=0077
session required pam_limits.so
session required pam_unix.so
session optional pam_krb5.so external use_shmem=sshd


...

...

:-(
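The three log lines in the post above carry two signals that a detection rule can key on: pam_keyinit reports that su could not regain uid 0, and the session is closed for a different user (john.lennon) than it was opened for (paul.mccartney). One reason nscd changes the outcome is that with nscd running, glibc hands passwd/group lookups to the nscd daemon over its socket, so nss_ldap does not execute inside the setuid su process at all; without it, nss_ldap and its SSL setup are loaded into su itself, which is where the uid error above is logged. The following is an added example, not code from anyone in this thread: it parses /var/log/secure-style lines and flags su sessions showing either signal. The sample log is constructed (the first three lines are the ones quoted above, the rest are made up for contrast), and the year is an assumption since syslog omits it.

```python
"""Flag su sessions that break right after PAM opens them.

Added example for this thread; not code posted by anyone in it. It reads
/var/log/secure-style lines and reports an su session when pam_keyinit logs
"Unable to change UID back to 0" between the session open and close, or when
the user named in the close differs from the one the session was opened for.
Assumptions: syslog lines without a year (one is supplied for parsing) and
the constructed sample log below.
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[^:\[]+)(?:\[\d+\])?: "
    r"(?P<module>pam_\w+)\((?P<service>[^:]+):(?P<type>\w+)\): (?P<msg>.*)$"
)
OPEN_RE = re.compile(r"session opened for user (?P<target>\S+) by (?P<actor>[^(\s]+)\(uid=(?P<uid>\d+)\)")
CLOSE_RE = re.compile(r"session closed for user (?P<target>\S+)")
KEYINIT_FAIL = "Unable to change UID back to 0"

SAMPLE_LOG = [
    # The three lines quoted in the post (nscd stopped).
    "Jul 7 08:37:21 localhost su: pam_unix(su-l:session): session opened for user paul.mccartney by john.lennon(uid=10003)",
    "Jul 7 08:37:22 localhost su: pam_keyinit(su-l:session): Unable to change UID back to 0",
    "Jul 7 08:37:22 localhost su: pam_unix(su-l:session): session closed for user john.lennon",
    # Constructed: a healthy su that must not be flagged.
    "Jul 7 09:02:10 localhost su: pam_unix(su-l:session): session opened for user root by john.lennon(uid=10003)",
    "Jul 7 09:05:44 localhost su: pam_unix(su-l:session): session closed for user root",
    # Constructed: sshd noise that the su filter must skip.
    "Jul 7 09:06:01 localhost sshd[2231]: pam_unix(sshd:session): session opened for user john.lennon by (uid=0)",
]


def parse(line, year=2008):
    """Split one PAM syslog line into its fields; None for lines that are not PAM output."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog omits the year; the caller supplies it (assumed 2008 to match the thread).
    ev["time"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def find_broken_su_sessions(lines, year=2008):
    """Return one finding dict per su session showing the failure pattern; [] if none."""
    findings = []
    pending = None  # the su session opened most recently and not yet closed
    for raw in lines:
        ev = parse(raw, year)
        if ev is None or ev["service"] not in ("su", "su-l"):
            continue
        if ev["type"] == "session":
            opened = OPEN_RE.search(ev["msg"])
            if opened:
                pending = {
                    "opened_at": ev["time"],
                    "target": opened.group("target"),
                    "actor": opened.group("actor"),
                    "actor_uid": int(opened.group("uid")),
                    "reasons": [],
                }
                continue
        if pending is None:
            continue
        if ev["module"] == "pam_keyinit" and KEYINIT_FAIL in ev["msg"]:
            pending["reasons"].append("pam_keyinit could not regain uid 0 after the session modules ran")
        closed = CLOSE_RE.search(ev["msg"]) if ev["type"] == "session" else None
        if closed:
            closed_as = closed.group("target")
            if closed_as != pending["target"]:
                pending["reasons"].append(
                    f"session closed as {closed_as!r} but was opened for {pending['target']!r}")
            pending["duration_s"] = (ev["time"] - pending["opened_at"]).total_seconds()
            if pending["reasons"]:
                findings.append(pending)
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_broken_su_sessions(SAMPLE_LOG):
        print(f"{f['actor']} (uid {f['actor_uid']}) -> {f['target']} lasted {f['duration_s']:.0f}s")
        for r in f["reasons"]:
            print("   -", r)
```

Against the sample log only the paul.mccartney session is reported, with both reasons; the healthy root session and the sshd line are ignored. To run it on a live box, feed it `open("/var/log/secure")` and the current year.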
 
Old 07-07-2008, 06:01 AM   #4
marozsas
Senior Member
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

I don't think it is a PAM-related issue.
I already had a similar problem a long time ago and it was related to the authentication timeout. At that time I solved it using nscd; the time to get a valid answer was smaller and then the authentication completed in time.

Did you try to put ldap in front of the list in /etc/nsswitch.conf, just to test?
 
Old 07-08-2008, 02:30 AM   #5
Rowley
Member
Registered: Jul 2008
Distribution: Solaris 10, OpenSolaris, CentOS 5
Posts: 40

Original Poster
marozsas wrote:
> Did you try to put ldap in front of the list in /etc/nsswitch.conf, just to test?

Yep, sorry. Should have mentioned that I tried that yesterday. From /var/log/secure:

Jul 8 08:08:32 localhost su: pam_limits(su-l:session): reading settings from '/etc/security/limits.conf'
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session opened for user root by paul.mccartney(uid=10001)
Jul 8 08:08:32 localhost su: pam_unix(su-l:session): session closed for user root


Nothing else of consequence is logged in messages. What could be timing out? LDAP queries? Whether I query files first and ldap afterwards or vice versa, it makes no difference. In the log excerpt above, I'm trying to su to root. Authentication is successful, as if I try to su - and type a wrong password I get:

Jul 8 08:26:12 localhost su: pam_unix(su-l:auth): authentication failure; logname=paul.mccartney uid=10001 euid=0 tty=pts/3 ruser=paul.mccartney rhost= user=root


Thanks for the suggestions though...
 
Old 07-11-2008, 09:50 AM   #6
Rowley
Member
Registered: Jul 2008
Distribution: Solaris 10, OpenSolaris, CentOS 5
Posts: 40

Original Poster
For reference, got a little further with this. It has something to do with "ssl yes" in ldap.conf. Set it to "ssl no" and we can su to our hearts' content...
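Two settings from this thread deserve an audit rather than a workaround: the nsswitch.conf source order that marozsas suggested changing in post #2, and the "ssl no" switch in the post above. With `ssl no` and an `ldap://` URI, nss_ldap's simple bind sends the `binddn`/`bindpw` pair and every directory lookup across the wire unencrypted, so the workaround trades a broken su for an exposed AD credential. The following is an added example, not code from any poster or from the nss_ldap project: it parses the two files from strings and reports weak transport and lookup settings. The check list and severity labels are the example's own, and both sample configurations are constructed, the weak one modelled on the thread's client with `ssl no`, the hardened one on a TLS-only client with a verified server certificate.

```python
"""Audit an nss_ldap client configuration for weak transport and lookup settings.

Added example for this thread, not code from any poster or from the nss_ldap
project. It parses /etc/ldap.conf and /etc/nsswitch.conf from strings so it
runs offline; the two sample configurations below are constructed.
"""


def parse_ldap_conf(text):
    """Map lowercase keyword -> list of values, keeping repeats (uri, nss_map_* recur)."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def parse_nsswitch(text):
    """Map database -> ordered source list, dropping [STATUS=action] tokens."""
    dbs = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        db, _, rest = line.partition(":")
        dbs[db.strip()] = [tok for tok in rest.split() if not tok.startswith("[")]
    return dbs


def audit(ldap_conf_text, nsswitch_text):
    """Return a list of (severity, message) findings; [] means nothing to report."""
    conf = parse_ldap_conf(ldap_conf_text)
    dbs = parse_nsswitch(nsswitch_text)
    findings = []

    ssl = conf.get("ssl", ["no"])[-1].lower()  # nss_ldap accepts yes | no | start_tls
    uris = [u for line in conf.get("uri", []) for u in line.split()]
    # A bare "host" entry is reached over ldaps:// when ssl is yes, plain ldap:// otherwise.
    scheme = "ldaps" if ssl == "yes" else "ldap"
    uris += [f"{scheme}://{h}/" for line in conf.get("host", []) for h in line.split()]
    has_bindpw = "bindpw" in conf

    if ssl == "no" and any(u.startswith("ldap://") for u in uris):
        if has_bindpw:
            findings.append(("HIGH", "simple bind with bindpw over cleartext ldap://: the bind "
                             "credential and every lookup cross the network unencrypted"))
        else:
            findings.append(("MEDIUM", "directory lookups travel over cleartext ldap://"))
    if ssl in ("yes", "start_tls"):
        if conf.get("tls_checkpeer", ["(unset)"])[-1].lower() == "no":
            findings.append(("HIGH", "tls_checkpeer no: the server certificate is not verified"))
        if not ({"tls_cacertdir", "tls_cacertfile"} & conf.keys()):
            findings.append(("MEDIUM", "TLS enabled but no CA trust anchor "
                             "(tls_cacertdir / tls_cacertfile) is configured"))
    if has_bindpw:
        findings.append(("INFO", "bindpw sits in /etc/ldap.conf, which nss_ldap needs readable by "
                         "every process; keep that account minimally privileged and put any "
                         "privileged bind in rootbinddn + /etc/ldap.secret"))

    for db in ("passwd", "shadow", "group"):
        srcs = dbs.get(db, [])
        if "ldap" not in srcs:
            findings.append(("MEDIUM", f"nsswitch {db}: ldap is not a source ({srcs}); "
                             "directory users will not resolve through it"))
        elif "files" in srcs and srcs.index("ldap") < srcs.index("files"):
            findings.append(("LOW", f"nsswitch {db}: ldap precedes files, so local accounts "
                             "(root included) wait on the directory for every lookup"))
    return findings


# Constructed: the thread's client with the "ssl no" workaround applied.
WEAK_LDAP_CONF = """\
host 192.168.201.62
base dc=PCITest2,dc=com
uri ldap://192.168.201.62/
binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
bindpw SomePass
ssl no
"""
WEAK_NSSWITCH = "passwd: ldap files\nshadow: files\ngroup: ldap files\n"

# Constructed: same directory, TLS only, verified server certificate, files first.
HARDENED_LDAP_CONF = """\
base dc=PCITest2,dc=com
uri ldaps://pcitestdc2.pcitest2.com/
binddn cn=Access Account,ou=Staff,dc=pcitest2,dc=com
bindpw SomePass
ssl yes
tls_checkpeer yes
tls_cacertdir /etc/openldap/cacerts
"""
HARDENED_NSSWITCH = "passwd: files ldap\nshadow: files ldap\ngroup: files ldap\n"

if __name__ == "__main__":
    for name, (lc, ns) in {"weak": (WEAK_LDAP_CONF, WEAK_NSSWITCH),
                           "hardened": (HARDENED_LDAP_CONF, HARDENED_NSSWITCH)}.items():
        print(f"== {name}")
        for sev, msg in audit(lc, ns):
            print(f"  [{sev}] {msg}")
```

The weak configuration yields one HIGH (cleartext bind), the bindpw INFO, and three nsswitch findings; the hardened one yields only the INFO, since a `bindpw` in a world-readable ldap.conf is a standing exposure whatever the transport. To audit a real client, pass in the contents of the two files.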
 
Old 07-11-2008, 10:11 AM   #7
marozsas
Senior Member
Registered: Dec 2005
Location: Campinas/SP - Brazil
Distribution: SuSE, RHEL, Fedora, Ubuntu
Posts: 1,393
Blog Entries: 1

Good to know!
But how is it related to nscd running or not?

Anyway, I'm glad you figured out how to log in.
This thread could be a reference for someone in the future, for sure.

Thanks for closing the thread.
 
Old 07-13-2008, 08:37 AM   #8
Rowley
Member
Registered: Jul 2008
Distribution: Solaris 10, OpenSolaris, CentOS 5
Posts: 40

Original Poster
marozsas wrote:
> Good to know!
> But how is it related to nscd running or not?
>
> Anyway, I'm glad you figured out how to log in.
> This thread could be a reference for someone in the future, for sure.
>
> Thanks for closing the thread.

Absolutely no idea. Get my SSL LDAP config sorted and I'll be happy, although I'd love to understand how having nscd running helps. Maybe one day it will all become clear... who knows? Until then, if anyone would like a crack at this one, please have a go. I'll be watching this space.
 
Old 07-30-2008, 02:18 PM   #9
pluto01
LQ Newbie
Registered: Jul 2008
Posts: 1

Rowley wrote:
> Absolutely no idea. Get my SSL LDAP config sorted and I'll be happy, although I'd love to understand how having nscd running helps. Maybe one day it will all become clear... who knows? Until then, if anyone would like a crack at this one, please have a go. I'll be watching this space.

Thank you for pointing at ldap! I was having a very similar problem and your post gave me a eureka moment.

If you are a RHEL or CentOS user, there was a bug in nss_ldap that was causing this behavior. The package nss_ldap-253-13.el5_2.1.i386.rpm fixed it for me and a bugfix advisory was put out two days ago (RHBA-2008:0611-3).

Hope that helps you!
 
Old 07-31-2008, 03:11 AM   #10
Rowley
Member
Registered: Jul 2008
Distribution: Solaris 10, OpenSolaris, CentOS 5
Posts: 40

Original Poster

Sir, I take my hat off to you. I upgraded the package as directed and everything works like a charm. I can finally put this one to bed!

/hugs pluto01
/hugs internet