I think during my configuration with LDAP, nss, and Samba as a PDC, I
hit every conceivable snag :)

The second login prompt was appearing due to my not fully reading the
pam_ldap man page :)

Within my system-auth file for pam, I needed to add use_first_pass as an
option under ldap's authentication module and use_authtok as an option
for ldap's password module.  These options "Authenticate to the
directory by using the password that the user initially entered when
the user authenticated to the first authentication module in the
stack."

I noticed that the use_authtok option wasn't included in the man page, but
is included in everyone's docs.  Does anyone know for sure whether this
affects the ldap password module?  I was thinking of testing that out
this weekend...

By not including this option, I was telling the system to re-prompt me
for the password.  Duh...

As an additional note, I found a LOT of how-to's on the web about this.
A document I referenced from padl's site (can't find it now) stated to
always list unix's module before ldap's.  Not sure why that would
matter--many how-to's had it swapped.

Tobias, thanks for your document by the way.  I started with your how-to
and continued to reference it throughout my learning process.

One other question for any of you Samba experts out there.  I came
across a bug that was mentioned a few times regarding the PDC
configuration.  You have to set your computer accounts under people
instead of under a separate organizational unit (i.e., computers).
Anyone know why?

Thanks,

Kevin



On Thu, 2004-07-29 at 09:34, Tobias Rice wrote:
> 
> Kevin-
> Cool! I'm glad to hear that you got it. What all, besides the kerb
> flags, was wrong? Why were you having to log in twice?
> I just pam/nss'd a system against M$'s active directory using SFU3.5.
> Seems to be working just fine, believe it or not, using the map
> commands. If you're interested, I'll send you the setup.
> Tobias
> 
> Kevin Williams wrote:
> 
> | AH!  I finally figured it out (Learned all about strace in the process :) )
> |
> | As an FYI--if anyone out there is installing/using gentoo, and is
> | thinking about kerberos, make sure you don't use both krb4 and kerberos
> | (different distributors) in your use flags.  The system gets confused as
> | to which to use!
> |
> | Kevin
> |
> | On Sun, 2004-07-25 at 23:23, Kevin Williams wrote:
> |
> |>All,
> |>
> |>I'm hoping someone can point me in the right direction for solving this
> |>issue.  I'm trying to set up my NSS to use ldap via PAM (nss_ldap).  From
> |>all the docs, this should be a piece of cake.  Not for me though!  I'm
> |>running on Gentoo Linux with OpenLdap 2.1.26
> |>
> |>From what I've read, I have to configure the following files:
> |>1. /etc/ldap.conf
> |>2. /etc/nsswitch.conf
> |>3. /etc/pam.d/system-auth
> |>
> |>Here's what I put in each file:
> |>ldap.conf:
> |>
> |>host 127.0.0.1
> |>base dc=tarity,dc=com
> |>binddn cn=Manager,dc=tarity,dc=com
> |>bindpw PASSWORD
> |>pam_password exop
> |>scope sub
> |>nss_base_passwd ou=People,dc=tarity,dc=com
> |>nss_base_shadow ou=People,dc=tarity,dc=com
> |>nss_base_group  ou=Group,dc=tarity,dc=com
> |>
> |>nsswitch.conf:
> |>(modified these three lines)
> |>passwd: files ldap
> |>shadow: files ldap
> |>group: files ldap
> |>...
> |>
> |>/etc/pam.d/system-auth (added the following lines)
> |>auth sufficient /lib/security/pam_ldap.so
> |>account sufficient /lib/security/pam_ldap.so
> |>password sufficient /lib/security/pam_ldap.so use_first_pass use_authtok
> |>session sufficient /lib/security/pam_ldap.so
> |>
> |>I've populated the LDAP database to be used as a windows domain controller,
> |>so I should have Domain and Administrator entries in the LDAP Database and
> |>NOT in the group or passwd files.  Testing the system, I SHOULD get results
> |>returned when I use this command:
> |>getent group | grep Domain
> |>getent passwd | grep Administrator
> |>
> |>I'm pretty sure it's a config issue since I don't have anything showing up
> |>in my ldap log file.  I don't have any log messages of the command at all
> |>(which is why I'm now stumped)!  Does anyone see a configuration error that
> |>I might have, or have any advice for troubleshooting this issue?
> |>
> |>On a side note...I now get 2 password fields whenever I su.
> |>$su
> |>Password:
> |>Password:
> |>
> |>Would this be trying to authenticate via ldap, and then unix?  I'm guessing
> |>this is due to a configuration change.  When I make these changes, do I need
> |>to restart a daemon?
> |>
> |>Thanks!
> |>
> |>Kevin Williams
> |>
> |>
> |>_______________________________________________
> |>PDXLUG mailing list
> |>[EMAIL PROTECTED]
> |>http://pdxlug.org/mailman/listinfo/pdxlug
> |
> 
> --
> ---------------------------------------------------
> ~   L I N U X       .~.
> ~  The  Choice      /V\
> ~   of a  GNU      /( )\
> ~  Generation      ^^-^^
