Hi, was wondering if anyone can point me in the right direction as to what's going wrong here.
The following is with Debian Squeeze.
I have a kerberos KDC which uses LDAP to store its DB (set up similar to this howto:
http://www.rjsystems.nl/en/2100-d6-k...p-provider.php) and the clients set up similar to this:
http://www.rjsystems.nl/en/2100-d6-k...dap-client.php
(basically using libnss-ldap and ldap over GSSAPI with libpam-krb5 pam modules).
So when a user logs into a client in the realm, libnss-ldap should query the kdc/ldap server for the uid/gid and loginshell etc.
/etc/nsswitch.conf has the following set:
Code:
passwd: compat ldap
group: compat ldap
shadow: compat ldap
This mostly works fine: a user, say newuser, can log into a client where no newuser exists locally (only on the kdc/ldap server), the home directory is created and all is mostly OK.
But what is happening is that the loginshell is not being set correctly.
Once logged in, the user is assigned /bin/sh, whereas the ldap loginShell entry is /bin/bash, e.g.
Code:
$ echo $SHELL
/bin/sh
$ ldapwhoami
SASL/GSSAPI authentication started
SASL username: newuser@DOMAIN.CO.UK
SASL SSF: 56
SASL data security layer installed.
dn:uid=newuser,ou=people,dc=domain,dc=co,dc=uk
$ ldapsearch -LLL uid=newuser
SASL/GSSAPI authentication started
SASL username: newuser@DOMAIN.CO.UK
SASL SSF: 56
SASL data security layer installed.
dn: uid=newuser,ou=people,dc=domain,dc=co,dc=uk
uid: newuser
uidNumber: 20001
gidNumber: 20001
cn: newuser_firstname
sn: newuser_surname
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/newuser
Now this does eventually seem to sort itself out and starts assigning a bash shell at some seemingly random point in the future, but I've not managed to pin down what changes when it does.
Can anyone suggest any routes for investigation?
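One way to narrow this down is to compare what the client's NSS layer actually hands out (`getent passwd newuser`, which goes through nsswitch.conf exactly as login does) against the loginShell stored in the directory (`ldapsearch -LLL uid=newuser`). The script below does that comparison. It is an added example, not code from the post or from the rjsystems howtos; the LDIF and the passwd line are constructed inline (modelled on the post's output) so it runs offline, and the two diagnostic hints it prints are assumptions about the usual causes: nss_ldap substituting /bin/sh when the loginShell attribute is not returned to it (for instance because the bind it uses is not allowed to read that attribute), and a stale nscd cache.

```python
"""Compare the shell NSS returns with the loginShell stored in LDAP.

Added example, not part of the original post. Inputs are constructed
here; on a real client feed it `ldapsearch -LLL uid=<user>` output and
the matching `getent passwd <user>` line.
"""
from __future__ import annotations

import base64

# Constructed sample LDIF, modelled on the post's ldapsearch output.
SAMPLE_LDIF = """\
dn: uid=newuser,ou=people,dc=domain,dc=co,dc=uk
uid: newuser
uidNumber: 20001
gidNumber: 20001
cn: newuser_firstname
sn: newuser_surname
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
loginShell: /bin/bash
homeDirectory: /home/newuser
"""

# Constructed `getent passwd newuser` line reproducing the symptom (/bin/sh).
SAMPLE_GETENT = "newuser:*:20001:20001:newuser_firstname:/home/newuser:/bin/sh"

# Assumption: the shell nss_ldap falls back to when no loginShell is returned.
NSS_LDAP_DEFAULT_SHELL = "/bin/sh"


def parse_ldif(text: str) -> dict[str, list[str]]:
    """Minimal single-entry LDIF parser.

    Handles 'attr: value', base64 'attr:: value', continuation lines
    (leading space) and skips comments and blank lines.
    """
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # continuation of previous line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entry: dict[str, list[str]] = {}
    for line in lines:
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):              # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        entry.setdefault(attr, []).append(value)
    return entry


def parse_passwd_line(line: str) -> dict[str, str]:
    """Split one getent/passwd line into its seven named fields."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        raise ValueError(f"expected 7 passwd fields, got {len(fields)}")
    keys = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
    return dict(zip(keys, fields))


def check_shell(ldif: str, passwd_line: str) -> dict:
    """Report whether NSS and LDAP agree on the user's shell, with a hint."""
    entry = parse_ldif(ldif)
    pw = parse_passwd_line(passwd_line)
    ldap_shell = entry.get("loginShell", [None])[0]
    consistent = ldap_shell == pw["shell"]
    hint = None
    if ldap_shell is None:
        hint = "LDAP entry has no loginShell; nss_ldap will use its default shell"
    elif not consistent and pw["shell"] == NSS_LDAP_DEFAULT_SHELL:
        # Assumption: fallback shell seen although LDAP stores one means the
        # attribute never reached the client (bind cannot read loginShell, or
        # nscd is serving a stale entry).
        hint = ("NSS returned the nss_ldap fallback shell although LDAP stores one: "
                "check that the bind nss_ldap uses may read loginShell, and flush "
                "nscd (nscd -i passwd) if it is running")
    elif not consistent:
        hint = ("NSS shell is neither the LDAP value nor the fallback: a local "
                "passwd entry (compat) is probably shadowing the LDAP one")
    return {
        "user": pw["name"],
        "ldap_shell": ldap_shell,
        "nss_shell": pw["shell"],
        "uid_match": entry.get("uidNumber", [""])[0] == pw["uid"],
        "consistent": consistent,
        "hint": hint,
    }


if __name__ == "__main__":
    for key, value in check_shell(SAMPLE_LDIF, SAMPLE_GETENT).items():
        print(f"{key}: {value}")
```

Run it as-is to see the mismatch the post describes; to use it for real, replace the two constants with the output of the two commands run on the affected client. Because `getent` goes through the same `compat ldap` lookup chain as login, a `/bin/sh` result there with `/bin/bash` in the directory localises the problem to the client-side lookup (ACL, bind identity or cache) rather than to the login/PAM stack.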