Jeremiah Coleman wrote:
> On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote:
>
>> Jeremiah Coleman wrote:
>>
>>> I'm trying to set up a Solaris 10 client with FDS (all my linux clients
>>> are working beautifully), but authentication is acting very strange.
>>> Monitoring the net traffic, I can see the Solaris system bind, search
>>> for info about the username, get a normal response, but then it just
>>>
>> Not sure for the "normal" response.
>>
>
> The client asks for the posixAccount info, and gets all that is
> available, then asks for the shadowAccount info, and gets the uid (same
> as the linux clients). Repeats this a couple of times, then stops.
>
>> If the rootbinddn in /etc/ldap.conf and associated pw or file
>> permissions are correct, what about a "getent passwd" and logs or trace ?
>>
>>> unbinds. It never asks to authenticate a password. My configuration is
>>> below.
>>>
>
> I'm using Solaris 10 native, not OpenLDAP. No /etc/ldap.conf. Would I
> be better off switching to OpenLDAP? getent passwd gives me a passwd
> file list from the ldap server, with x instead of actual passwords.
>

If getent shows the non local uid's, the failed ssh login could be related
to your pam client configuration or to a service not running on the client ?
(client system logs should provide you some hints)

M.

> As for logs, I've been unable to find a way to get the authentication
> stuff to log effectively.
>
> Thanks,
> Jay
>
>>>
>> May want to restart / sighup your sshd to get the last configurations.
>> System logs and getent could confirm the uid is found, to eliminate the
>> nss_ldap part.
>>
>>> Any help would be much appreciated.
>>>
>>> ldap_client_file:
>>> NS_LDAP_FILE_VERSION= 2.0
>>> NS_LDAP_SERVERS= fds1.wherever.com
>>> NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
>>> NS_LDAP_AUTH= simple
>>> NS_LDAP_SEARCH_REF= TRUE
>>> NS_LDAP_SEARCH_SCOPE= one
>>> NS_LDAP_SEARCH_TIME= 30
>>> NS_LDAP_CACHETTL= 43200
>>> NS_LDAP_PROFILE= default
>>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
>>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
>>> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
>>> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
>>> NS_LDAP_BIND_TIME= 2
>>>
>>> /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
>>> all of that is configured on ldap as yet):
>>> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
>>> passwd: files ldap
>>> group: files ldap
>>> shadow: files ldap
>>>
>>> # consult /etc "files" only if ldap is down.
>>> hosts: dns files ldap
>>>
>>> # Note that IPv4 addresses are searched for in all of the ipnodes databases
>>> # before searching the hosts databases.
>>> ipnodes: files
>>>
>>> networks: files
>>> protocols: files
>>> rpc: files
>>> ethers: files
>>> netmasks: files
>>> bootparams: files
>>> publickey: files
>>>
>>> netgroup: ldap
>>>
>>> automount: files ldap
>>> aliases: files ldap
>>>
>>> # for efficient getservbyname() avoid ldap
>>> services: files ldap
>>>
>>> printers: user files ldap
>>>
>>> auth_attr: files ldap
>>> prof_attr: files ldap
>>>
>>> project: files ldap
>>>
>>> tnrhtp: files ldap
>>> tnrhdb: files ldap
>>>
>> Is it possible you are missing some entries in your /etc/pam.d/ for ssh
>> on Solaris 10 ?
>>
>>> /etc/pam.conf:
>>> # login service (explicit because of pam_dial_auth)
>>> #
>>> login auth required pam_ldap.so.1
>>> login auth requisite pam_authtok_get.so.1
>>> login auth required pam_dhkeys.so.1
>>> login auth required pam_unix_cred.so.1
>>> login auth required pam_unix_auth.so.1
>>> login auth required pam_dial_auth.so.1
>>> #
>>> # rlogin service (explicit because of pam_rhost_auth)
>>> #
>>> rlogin auth sufficient pam_ldap.so.1
>>> rlogin auth sufficient pam_rhosts_auth.so.1
>>> rlogin auth requisite pam_authtok_get.so.1
>>> rlogin auth required pam_dhkeys.so.1
>>> rlogin auth required pam_unix_cred.so.1
>>> rlogin auth required pam_unix_auth.so.1
>>> # Default definitions for Authentication management
>>> # Used when service name is not explicitly mentioned for authentication
>>> #
>>> other auth sufficient pam_ldap.so.1
>>> other auth requisite pam_authtok_get.so.1
>>> other auth required pam_dhkeys.so.1
>>> other auth required pam_unix_cred.so.1
>>> other auth required pam_unix_auth.so.1
>>> #
>>> # passwd command (explicit because of a different authentication module)
>>> #
>>> passwd auth sufficient pam_ldap.so.1
>>> passwd auth required pam_passwd_auth.so.1
>>> #
>>> # cron service (explicit because of non-usage of pam_roles.so.1)
>>> #
>>> cron account required pam_unix_account.so.1
>>> #
>>> # Default definition for Account management
>>> # Used when service name is not explicitly mentioned for account management
>>> #
>>> other account sufficient pam_ldap.so.1
>>> other account requisite pam_roles.so.1
>>> other account required pam_unix_account.so.1
>>> #
>>> # Default definition for Session management
>>> # Used when service name is not explicitly mentioned for session management
>>> #
>>> other session sufficient pam_ldap.so.1
>>> other session required pam_unix_session.so.1
>>> #
>>> # Default definition for Password management
>>> # Used when service name is not explicitly mentioned for password management
>>> #
>>> other password required pam_dhkeys.so.1
>>> other password requisite pam_authtok_get.so.1
>>> other password requisite pam_authtok_check.so.1
>>> other password required pam_authtok_store.so.1
>>>
>> --
>> Fedora-directory-users mailing list
>> Fedora-directory-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>
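The thread turns on which PAM stack the Solaris client actually applies to the failed ssh login: in a single-file /etc/pam.conf a service with no explicit lines falls back to the "other" entries, so for the posted configuration it is the "other" auth stack (with pam_ldap.so.1 as sufficient in first position) that governs sshd, not the "login" stack. The helper below is an added example written for this page, not code from the thread or from Fedora Directory Server. It reads a pam.conf from stdin and prints the effective stack for a given service and module type, applying the "other" fallback. The embedded pam.conf is a constructed, shortened copy of the one Jay posted, and the service name "sshd" is assumed; check which service name your sshd build actually passes to PAM before relying on the result.

```shell
#!/bin/sh
# Added example: print the effective PAM stack for SERVICE and MODULE-TYPE
# from a Solaris-style single-file pam.conf, applying the "other" fallback.

# Constructed sample, modelled on the pam.conf posted in the thread.
SAMPLE_PAM_CONF=$(cat <<'EOF'
# login service (explicit because of pam_dial_auth)
login   auth    required   pam_ldap.so.1
login   auth    requisite  pam_authtok_get.so.1
login   auth    required   pam_unix_auth.so.1
# defaults used when the service has no explicit entries
other   auth    sufficient pam_ldap.so.1
other   auth    requisite  pam_authtok_get.so.1
other   auth    required   pam_dhkeys.so.1
other   auth    required   pam_unix_cred.so.1
other   auth    required   pam_unix_auth.so.1
other   account sufficient pam_ldap.so.1
other   account required   pam_unix_account.so.1
EOF
)

# pam_stack SERVICE TYPE  (pam.conf on stdin)
# Prints one "control module [options]" line per stack entry, in order.
# Entries for SERVICE win; if there are none, the "other" entries apply.
pam_stack() {
    awk -v svc="$1" -v typ="$2" '
        # options after the module name are kept, e.g. "pam_ldap.so.1 debug"
        function rest(   s, i) { s = $3; for (i = 4; i <= NF; i++) s = s " " $i; return s }
        /^[[:space:]]*#/ || NF < 4 { next }      # comments and blank lines
        $2 != typ                  { next }      # wrong module type
        $1 == svc                  { explicit[++n] = rest() }
        $1 == "other"              { fallback[++m] = rest() }
        END {
            if (n > 0) { for (i = 1; i <= n; i++) print explicit[i] }
            else       { for (i = 1; i <= m; i++) print fallback[i] }
        }'
}

# first_entry SERVICE TYPE: the entry that can short-circuit the stack
# when it is "sufficient" (pam.conf on stdin).
first_entry() {
    pam_stack "$1" "$2" | head -n 1
}

# Stand-alone use: show the stack sshd gets from the sample (defaults assumed).
printf '%s\n' "$SAMPLE_PAM_CONF" | pam_stack "${1:-sshd}" "${2:-auth}"
```

Against a real system, replace the sample with `pam_stack sshd auth < /etc/pam.conf`. Seeing `sufficient pam_ldap.so.1` at the top of the stack tells you that a pam_ldap failure is not itself fatal (the stack continues to pam_unix_auth.so.1), while on the "login" stack it is `required`, so the two services behave differently on the same LDAP error, which is the kind of detail the client system logs Marc points to will reflect.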