Linux - Newbie: This Linux forum is for members that are new to Linux.
I'm trying to make my server work with accounts on my LDAP, but I can't seem to make a connection with the server, so that if I ssh into the server I can use my LDAP account.
I'm running Debian squeeze on the client; the LDAP server is still a Debian lenny that was set up a few years ago by a friend.
This is the /var/log/auth error I got:
Code:
Jan 11 13:45:39 server1 nscd: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server krbtgt/servername not found in Kerberos database)
Jan 11 13:45:39 server1 nscd: nss_ldap: failed to bind to LDAP server ldap://<ip ldap server>: Local error
Jan 11 13:45:39 server1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
When I do nmap -p 389 <ip ldap server> I get this:
PORT STATE SERVICE
389/tcp open ldap
/etc/ssh/sshd_config
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 4800
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
AllowUsers root user1 guest
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication yes
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
# GSSAPI options
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
Given there's an error from nss_ldap, it's got nothing at all to do with ssh nor pam. You should be aware of what is or is not relevant.... Restating your question, you can't retrieve user accounts via ldap.
So it says the server isn't reachable... is it? It's a pretty basic error, suggesting it's just not even possible to telnet to port 389 on that box. Have you tested any smaller component of this solution before you expected everything to work together? To have gotten as far as you say you have, you should have already proven the ldap server with tools like ldapsearch and getent. Don't run before you can walk.
I'm able to telnet to 389, and even if I do ldapsearch -x it gives a list of all the users in the LDAP.
So "getent passwd" presumably doesn't work either? What if you disable nscd?
getent passwd also works (shows a list), and if I stop the nscd service and try to log in with an LDAP account it gives the same error message in auth.log.
So you'll be getting the exact same error there, and need to work at that level.
Ahh right... so here's something... you've listed /etc/ldap/ldap.conf but not /etc/ldap.conf. These are actually *TOTALLY* different files (the former is used by ldapsearch and other tools, the latter by nss), so you'll have something in /etc/ldap.conf which is presumably attempting the wrong authentication method. Do you actually want to be using kerberos? I'd generally presume you don't want to...? Turn that off in /etc/ldap.conf and try getent passwd again.
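The two points made so far (work at the nss level rather than ssh/pam, and check which nss_ldap config file is asking for Kerberos) can be turned into a small triage script. This is an added example, not code from the thread or from the nss_ldap project: it classifies the three auth.log lines quoted in the first post, reports how the nss_ldap config file (/etc/ldap.conf, or /etc/libnss-ldap.conf on this Debian build) will bind, and writes a copy with the SASL/GSSAPI lines commented out so the client falls back to the plain bind that the working "ldapsearch -x" already used. The config keys use_sasl, sasl_mech, krb5_ccname, binddn, uri and base are assumed to be the PADL nss_ldap names; the IP 192.0.2.10, the base DN and the keytab path are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Triage for the nss_ldap failure discussed above:
# classify the auth.log lines, then check whether the nss_ldap config file
# (/etc/ldap.conf or, on this Debian build, /etc/libnss-ldap.conf) asks for a
# SASL/GSSAPI (Kerberos) bind. The keys use_sasl, sasl_mech, krb5_ccname, binddn,
# uri and base are assumed to be the PADL nss_ldap names; check your system's
# ldap.conf documentation before relying on them.
set -u

# Map one auth.log line to the layer that failed.
classify_line() {
  case "$1" in
    *"GSSAPI Error"*|*"Kerberos database"*) echo kerberos-bind ;;
    *"failed to bind to LDAP server"*)      echo ldap-bind ;;
    *"could not search LDAP server"*)       echo ldap-search ;;
    *)                                      echo other ;;
  esac
}

# Higher rank = closer to the root cause: the GSSAPI failure causes the bind
# failure, which in turn causes the "could not search" message.
layer_rank() {
  case "$1" in
    kerberos-bind) echo 3 ;;
    ldap-bind)     echo 2 ;;
    ldap-search)   echo 1 ;;
    *)             echo 0 ;;
  esac
}

# Print the most specific failing layer found in a log excerpt ($1 = file).
root_cause() {
  best=other; best_rank=0
  while IFS= read -r line; do
    layer=$(classify_line "$line")
    rank=$(layer_rank "$layer")
    if [ "$rank" -gt "$best_rank" ]; then best=$layer; best_rank=$rank; fi
  done < "$1"
  echo "$best"
}

# Report how nss_ldap will bind according to a config file ($1).
nss_bind_method() {
  if grep -Eiq '^[[:space:]]*use_sasl[[:space:]]+(on|yes|true)' "$1" &&
     grep -Eiq '^[[:space:]]*sasl_mech[[:space:]]+gssapi' "$1"; then
    echo sasl-gssapi
  elif grep -Eiq '^[[:space:]]*binddn[[:space:]]' "$1"; then
    echo simple-authenticated
  else
    echo simple-anonymous
  fi
}

# Write a copy of config $1 to $2 with the Kerberos/SASL bind lines commented out,
# leaving the plain (anonymous) bind that the working "ldapsearch -x" used.
disable_sasl_bind() {
  sed -E 's/^[[:space:]]*(use_sasl|sasl_mech|krb5_ccname)[[:space:]]/# disabled: &/' "$1" > "$2"
}

# Combine both checks into a recommendation ($1 = log excerpt, $2 = nss config).
triage() {
  cause=$(root_cause "$1")
  method=$(nss_bind_method "$2")
  case "$cause:$method" in
    kerberos-bind:sasl-gssapi)
      echo "nss_ldap requests a SASL/GSSAPI bind but this host has no usable Kerberos credentials: disable use_sasl/sasl_mech in $2 (or provision a host keytab), then retest with getent passwd" ;;
    kerberos-bind:*)
      echo "Kerberos failure although $2 does not request SASL: look for another nss/pam LDAP config file still requesting GSSAPI" ;;
    ldap-bind:*|ldap-search:*)
      echo "plain LDAP bind/search failed: verify uri/base in $2 and that ldapsearch -x works from this client" ;;
    *)
      echo "no nss_ldap failure recognised in $1" ;;
  esac
}

# Demo on constructed input: the three log lines from the post (IP replaced by a
# placeholder) and a config that still asks for GSSAPI, as the thread suspects.
log=$(mktemp); cfg=$(mktemp); fixed=$(mktemp)
cat > "$log" <<'EOF'
Jan 11 13:45:39 server1 nscd: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Server krbtgt/servername not found in Kerberos database)
Jan 11 13:45:39 server1 nscd: nss_ldap: failed to bind to LDAP server ldap://192.0.2.10: Local error
Jan 11 13:45:39 server1 nscd: nss_ldap: could not search LDAP server - Server is unavailable
EOF
cat > "$cfg" <<'EOF'
uri ldap://192.0.2.10/
base dc=example,dc=test
use_sasl on
sasl_mech GSSAPI
krb5_ccname /tmp/krb5cc_0
EOF
echo "before: bind method = $(nss_bind_method "$cfg")"
triage "$log" "$cfg"
disable_sasl_bind "$cfg" "$fixed"
echo "after:  bind method = $(nss_bind_method "$fixed")"
rm -f "$log" "$cfg" "$fixed"
```

Run it against a copy of your own auth.log excerpt and the real config file (triage /path/to/auth-excerpt /etc/libnss-ldap.conf) before editing anything; the script never touches the original file, it only writes the modified copy to the path you give disable_sasl_bind, so you can diff it against the original and then run getent passwd to confirm the bind works without Kerberos.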
Mmm, I don't have a /etc/ldap.conf but I do have a /etc/libnss-ldap.conf; I'll turn kerberos off in that. It's a file from my first try to connect to the LDAP, because the LDAP server also has a kerberos service running so I thought that maybe my client also needed one.
Hmm, probably just a change in the built package; it's probably the same file inside. I know that since nslcd replaced nscd in RHEL6, the file it uses, nslcd.conf, is unique, with pam using pam_ldap.conf, but before this change all systems I'd used used ldap.conf for both systems, which presumably could cause problems or limitations, so a libnss_ldap.conf file makes sense to me.
Weird, sudo suddenly stopped working. Nothing I did; the last thing I did was read the auth.log, which needs sudo to read. It still asks for a password but it says: Sorry, try again. And when I try a new ssh session it's "connection closed by <ip>".
Well, sudo will rely on the nss stack as well, so if nscd is still shut down, start it. nscd shouldn't be essential though; it's only meant to be a caching layer that's bypassed if it's not available (and was often more trouble than it was worth).
You have to be sudo to start nscd, damn. I can't do a thing if I'm not able to sudo or su to root; should I try recovery mode or a live CD to try and fix something?