LDAP+Kerberos in Solaris 8

From: rmanin@ime.unicamp.br
Date: Mon May 31 2004 - 11:43:50 EDT


Hi!

I'm setting up an LDAP+Kerberos environment, with:
- LDAP server: OpenLDAP 2.1.22
- KDC: MIT Kerberos 1.3.1
- LDAP & Kerberos clients: default from Solaris 8 distribution

I installed all public patches recommended by PatchPro Expert (including
108993-33).

Problem is:

When I try to log in with a user that exists in the local passwd/shadow file,
it authenticates OK against my Kerberos server and all works fine.

But, when I try to log in with a user from LDAP, it gets the Kerberos
ticket, but reports a "user not found" error - and I cannot log in. My
pam_debug file logs:

----------
May 31 12:32:05 navarone login: [ID 123153 auth.debug] PAM[1384]: pam_set_item(291d0:user)
May 31 12:32:08 navarone login: [ID 123153 auth.debug] PAM[1384]: pam_set_item(291d0:authtok)
May 31 12:32:08 navarone last message repeated 1 time
May 31 12:32:08 navarone login: [ID 215406 auth.debug] PAM[1384]: pam_authenticate(291d0, 0): error No account present for user
May 31 12:32:08 navarone login: [ID 896952 auth.debug] pam_unix_auth: entering pam_sm_authenticate()
May 31 12:32:08 navarone login: [ID 219349 auth.debug] pam_unix_auth: user rmanin not found
May 31 12:32:08 navarone login: [ID 215406 auth.debug] PAM[1384]: pam_authenticate(291d0, 0): error No account present for user
May 31 12:32:08 navarone login: [ID 341892 auth.debug] PAM[1384]: pam_putenv(291d0, KRB5CCNAME=FILE:/tmp/krb5cc_60014)
May 31 12:32:08 navarone login: [ID 123153 auth.debug] PAM[1384]: pam_set_item(291d0:authtok)
May 31 12:32:12 navarone login: [ID 123153 auth.debug] PAM[1384]: pam_set_item(291d0:user)
May 31 12:32:12 navarone login: [ID 123153 auth.debug] PAM[1384]: pam_set_item(291d0:ruser)
----------

But 'finger', 'id', 'listusers' - all of them get users from the LDAP maps
with no problems:

----------
Rodolfo@navarone:[/etc]# finger rmanin
Login name: rmanin In real life: Rodolfo Broco Manin
Directory: /home/adm/inf/rmanin Shell: /bin/csh
Never logged in.
No unread mail
No Plan.
Rodolfo@navarone:[/etc]#
----------

What is wrong?

My pam.conf file is:

----------
# PAM configuration
#
# Authentication management
#
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1 debug
#
# Account management
#
other account requisite pam_roles.so.1
other account required pam_projects.so.1
other account sufficient pam_unix_account.so.1
other account sufficient pam_ldap.so.1
#
# Session management
#
other session sufficient pam_unix_session.so.1
other session sufficient pam_ldap.so.1
#
# Password management
#
other password required pam_dhkeys.so.1
other password requisite pam_authtok_get.so.1
other password requisite pam_authtok_check.so.1
other password required pam_authtok_store.so.1
#
# Support for Kerberos V5 authentication (uncomment to use Kerberos)
#
other auth sufficient pam_krb5.so.1 try_first_pass
other account sufficient pam_krb5.so.1
other session sufficient pam_krb5.so.1
other password optional pam_krb5.so.1 try_first_pass
----------

My /etc/nsswitch.conf:

----------
passwd: files ldap
group: files ldap
hosts: files dns
ipnodes: files
networks: files
protocols: files
rpc: files
ethers: files
netmasks: files
bootparams: files
publickey: files
netgroup: files
automount: files ldap
aliases: files
services: files
sendmailvars: files
printers: user files
auth_attr: files
prof_attr: files
project: files
----------

My krb5.conf:

----------
[libdefaults]
        ticket_lifetime = 8h 0m 0s
        default_realm = IME.UNICAMP.BR
        default_tgs_enctypes = des-cbc-crc

[realms]
        IME.UNICAMP.BR = {
                kdc = kerberos.ime.unicamp.br
                admin_server = kerberos.ime.unicamp.br
                default_domain = ime.unicamp.br
        }

[domain_realm]
        .ime.unicamp.br = IME.UNICAMP.BR
        ime.unicamp.br = IME.UNICAMP.BR

[logging]
        default = FILE:/var/krb5/kdc.log
        kdc = FILE:/var/krb5/kdc.log
        kdc_rotate = {
                period = 1d
                versions = 10
        }

[appdefaults]
        kinit = {
                renewable = true
                forwardable= true
        }
----------

And my ldap_client_file looks like...

----------
#
# Do not edit this file manually; your changes will be lost.Please use ldapclient (1M) instead.
#
NS_LDAP_FILE_VERSION= 1.0
NS_LDAP_SERVERS= 143.106.77.100:389
NS_LDAP_SEARCH_BASEDN= dc=ime,dc=unicamp,dc=br
NS_LDAP_AUTH= NS_LDAP_AUTH_SIMPLE
NS_LDAP_SEARCH_REF= NS_LDAP_FOLLOWREF
NS_LDAP_DOMAIN= ime.unicamp.br
NS_LDAP_SEARCH_DN= passwd:(ou=People,dc=ime,dc=unicamp,dc=br)
NS_LDAP_SEARCH_DN= shadow:(ou=People,dc=ime,dc=unicamp,dc=br)
NS_LDAP_SEARCH_SCOPE= NS_LDAP_SCOPE_SUBTREE
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 3600
----------

Thanks in advance!!

[]s!
Rodolfo
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers
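An added example, not part of the post above and not Solaris code: a small Python model of how Solaris stacks the pam.conf control flags (requisite, required, sufficient), run over the auth lines from the posted pam.conf, to show which module decides the pam_authenticate result when pam_unix_auth reports "user not found" but pam_krb5 succeeds. The per-module results are constructed inputs, and the evaluator follows the flag rules described in pam.conf(4), not libpam itself.

```python
import re
# Solaris pam.conf entry: service module_type control_flag module_path [options]
PAM_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Auth lines copied from the pam.conf in the post (comments dropped).
AUTH_STACK = """
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth sufficient pam_unix_auth.so.1 debug
other auth sufficient pam_krb5.so.1 try_first_pass
"""

def parse_pam_conf(text):
    """Parse pam.conf text into entry dicts; blank lines and comments are skipped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if not m:
            raise ValueError("unparseable pam.conf line: %r" % line)
        service, mtype, flag, module, opts = m.groups()
        entries.append({"service": service, "type": mtype, "flag": flag,
                        "module": module, "options": (opts or "").split()})
    return entries

def evaluate_stack(entries, mtype, results, service="other"):
    """Walk one module-type stack with the control-flag rules of pam.conf(4).
    results maps module path -> True (PAM_SUCCESS) or False; a module missing
    from results counts as failing. Returns (success, trace)."""
    required_failed, trace = False, []
    for e in entries:
        if e["service"] != service or e["type"] != mtype:
            continue
        ok = results.get(e["module"], False)
        trace.append("%-10s %-22s %s" % (e["flag"], e["module"], "ok" if ok else "FAIL"))
        if ok and e["flag"] == "sufficient" and not required_failed:
            return True, trace      # sufficient success short-circuits the stack
        if not ok and e["flag"] == "requisite":
            return False, trace     # requisite failure ends the stack at once
        if not ok and e["flag"] == "required":
            required_failed = True  # remembered; the remaining modules still run
    return not required_failed, trace  # no short-circuit: the required modules decide

def login_auth_outcome(unix_ok, krb5_ok):
    """Outcome of the posted auth stack for given pam_unix_auth / pam_krb5 results."""
    results = {"pam_authtok_get.so.1": True, "pam_dhkeys.so.1": True,
               "pam_unix_auth.so.1": unix_ok, "pam_krb5.so.1": krb5_ok}
    return evaluate_stack(parse_pam_conf(AUTH_STACK), "auth", results)
```

With pam_unix_auth failing and pam_krb5 succeeding the auth stack still returns success, so the "No account present for user" seen in the log has to come from a module result that the stack does not ignore; the same evaluator can be run over the account lines with other constructed results.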



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:28:45 EDT