LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Software
User Name
Password
Linux - Software This forum is for Software issues.
Having a problem installing a new program? Want to know which application is best for the job? Post your question in this forum.

Notices


Reply
  Search this Thread
Old 08-11-2011, 05:32 AM   #1
doqc1
LQ Newbie
 
Registered: Jul 2011
Posts: 6

Rep: Reputation: Disabled
libnss-ldap: users not being assigned the correct loginshell


Hi, was wondering if anyone can point me in the right direction as to what's going wrong here.

The following is with Debian Squeeze..
I have a kerberos KDC which uses LDAP to store it's DB (set up similar to this howto: http://www.rjsystems.nl/en/2100-d6-k...p-provider.php) and the clients set up similar to this: http://www.rjsystems.nl/en/2100-d6-k...dap-client.php
(basically using libnss-ldap and ldap over GSSAPI with libpam-krb5 pam modules).

So when a user logs into a client in the realm, libnss-ldap should query the kdc/ldap server for the uid/gid and loginshell etc.
/etc/nsswitch.conf has the following set:
Code:
passwd:         compat ldap
group:          compat ldap
shadow:         compat ldap
This works mostly fine and a user, say newuser, can log into a client where no newuser exists locally, only on the kdc/ldap server, the home directory will be created and all is mostly OK.

But what is happening is that the loginshell is not being set correctly.

Once logged in, the user is assigned /bin/sh where the ldap loginshell entry is /bin/bash eg.

Code:
$ echo $SHELL
/bin/sh

$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: newuser@DOMAIN.CO.UK
SASL SSF: 56
SASL data security layer installed.
dn:uid=newuser,ou=people,dc=domain,dc=co,dc=uk

$ ldapsearch -LLL uid=newuser
SASL/GSSAPI authentication started
SASL username: newuser@DOMAIN.CO.UK
SASL SSF: 56
SASL data security layer installed.
dn: uid=newuser,ou=people,dc=domain,dc=co,dc=uk
uid: newuser
uidNumber: 20001
gidNumber: 20001
cn: newuser_firstname
sn: newuser_surname
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/newuser
Now this does eventually seem to sort itself out and starts assigning a bash shellat some seemly random point in the future.. but I've not managed to pin down what changes when it does.

Can anyone suggest any routes for investigation?
 
Old 08-11-2011, 07:14 AM   #2
doqc1
LQ Newbie
 
Registered: Jul 2011
Posts: 6

Original Poster
Rep: Reputation: Disabled
I see what is causing this now... just in case anyone comes up against the problem:

If I did a "getent passwd newuser" while logged in as newuser using the newuser@DOMAIN.CO.UK ticket on the client I get:
Code:
newuser:x:20001:20001:newuser_firstname:/home/newuser:/bin/bash
However if logged in as root and using the host ticket host/client2.domain.co.uk@DOMAIN.CO.UK and issued "getent passwd newuser" I could see loginshell was missing:
Code:
newuser:x:20001:20001:newuser_firstname:/home/newuser:
Since the NSS would try to access the user info via the host ticket, it'll have the same problem.

The HOWTO's ldap access lists include:
Code:
olcAccess: to attrs=loginShell
  by self write
  by * none
I made the following change and it now works:

Code:
olcAccess: to attrs=loginShell
  by self write
  by * read
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
[SOLVED] Apache authentication: allow LDAP group OR user named guest, but not all LDAP users AlucardZero Linux - Server 1 05-25-2011 04:21 PM
Squid users assigned to different ISPs? mauxiliar Linux - Server 0 11-29-2010 02:02 PM
Openssh + PAM + LDAP fails only with LDAP users asimula Linux - Newbie 2 04-01-2010 08:10 AM
I want to override loginShell value from LDAP server bellman Linux - Newbie 2 03-08-2007 12:29 AM
Changing assigned TTY for logged in users karnick Linux - General 0 03-02-2005 06:13 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Software

All times are GMT -5. The time now is 05:59 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration