On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote:
> Jeremiah Coleman wrote:
> > I'm trying to set up a Solaris 10 client with FDS (all my Linux clients
> > are working beautifully), but authentication is acting very strange.
> > Monitoring the net traffic, I can see the Solaris system bind, search
> > for info about the username, get a normal response, but then it just
>
> Not sure for the "normal" response.

The client asks for the posixAccount info, and gets all that is available,
then asks for the shadowAccount info, and gets the uid (same as the Linux
clients). Repeats this a couple of times, then stops.

> If the rootbinddn in /etc/ldap.conf and associated pw or file
> permissions are correct, what about a "getent passwd" and logs or trace ?
>
> > unbinds. It never asks to authenticate a password. My configuration is
> > below.

I'm using Solaris 10 native, not OpenLDAP. No /etc/ldap.conf. Would I be
better off switching to OpenLDAP? getent passwd gives me a passwd file list
from the ldap server, with x instead of actual passwords. As for logs, I've
been unable to find a way to get the authentication stuff to log
effectively.

Thanks,
Jay

> May want to restart / sighup your sshd to get the last configurations.
> System logs and getent could confirm the uid is found, to eliminate the
> nss_ldap part.
>
> > Any help would be much appreciated.
> >
> > ldap_client_file:
> > NS_LDAP_FILE_VERSION= 2.0
> > NS_LDAP_SERVERS= fds1.wherever.com
> > NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
> > NS_LDAP_AUTH= simple
> > NS_LDAP_SEARCH_REF= TRUE
> > NS_LDAP_SEARCH_SCOPE= one
> > NS_LDAP_SEARCH_TIME= 30
> > NS_LDAP_CACHETTL= 43200
> > NS_LDAP_PROFILE= default
> > NS_LDAP_CREDENTIAL_LEVEL= proxy
> > NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
> > NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
> > NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
> > NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
> > NS_LDAP_BIND_TIME= 2
> >
> > /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
> > all of that is configured on ldap as yet):
> > # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> > passwd:     files ldap
> > group:      files ldap
> > shadow:     files ldap
> >
> > # consult /etc "files" only if ldap is down.
> > hosts:      dns files ldap
> >
> > # Note that IPv4 addresses are searched for in all of the ipnodes databases
> > # before searching the hosts databases.
> > ipnodes:    files
> >
> > networks:   files
> > protocols:  files
> > rpc:        files
> > ethers:     files
> > netmasks:   files
> > bootparams: files
> > publickey:  files
> >
> > netgroup:   ldap
> >
> > automount:  files ldap
> > aliases:    files ldap
> >
> > # for efficient getservbyname() avoid ldap
> > services:   files ldap
> >
> > printers:   user files ldap
> >
> > auth_attr:  files ldap
> > prof_attr:  files ldap
> >
> > project:    files ldap
> >
> > tnrhtp:     files ldap
> > tnrhdb:     files ldap
> >
> >
> Is it possible you are missing some entries in your /etc/pam.d/ for ssh
> on Solaris 10 ?
> > /etc/pam.conf:
> > # login service (explicit because of pam_dial_auth)
> > #
> > login   auth required       pam_ldap.so.1
> > login   auth requisite      pam_authtok_get.so.1
> > login   auth required       pam_dhkeys.so.1
> > login   auth required       pam_unix_cred.so.1
> > login   auth required       pam_unix_auth.so.1
> > login   auth required       pam_dial_auth.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin  auth sufficient     pam_ldap.so.1
> > rlogin  auth sufficient     pam_rhosts_auth.so.1
> > rlogin  auth requisite      pam_authtok_get.so.1
> > rlogin  auth required       pam_dhkeys.so.1
> > rlogin  auth required       pam_unix_cred.so.1
> > rlogin  auth required       pam_unix_auth.so.1
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other   auth sufficient     pam_ldap.so.1
> > other   auth requisite      pam_authtok_get.so.1
> > other   auth required       pam_dhkeys.so.1
> > other   auth required       pam_unix_cred.so.1
> > other   auth required       pam_unix_auth.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd  auth sufficient     pam_ldap.so.1
> > passwd  auth required       pam_passwd_auth.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron    account required    pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other   account sufficient  pam_ldap.so.1
> > other   account requisite   pam_roles.so.1
> > other   account required    pam_unix_account.so.1
> > #
> > # Default definition for Session management
> > # Used when service name is not explicitly mentioned for session management
> > #
> > other   session sufficient  pam_ldap.so.1
> > other   session required    pam_unix_session.so.1
> > #
> > # Default definition for Password management
> > # Used when service name is not explicitly mentioned for password management
> > #
> > other   password required   pam_dhkeys.so.1
> > other   password requisite  pam_authtok_get.so.1
> > other   password requisite  pam_authtok_check.so.1
> > other   password required   pam_authtok_store.so.1
> >
> >
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@xxxxxxxxxx
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

--
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-261-0660 x3421
jay.coleman@xxxxxxxxxxxxx
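Editor's added example, not part of the thread and not code from either poster or from the FDS project. It lints the two client-side files whose layout the thread posts, a Solaris 10 pam.conf and an ldap_client_file, for two things a reviewer would check first. The first is module order: the sample pam.conf for pam_ldap in the Solaris 10 naming-services documentation places pam_authtok_get.so.1 at the top of each auth stack and pam_ldap.so.1 at the bottom, because pam_ldap authenticates with the password that pam_authtok_get has already collected; a stack that runs pam_ldap.so.1 before pam_authtok_get.so.1 (as the posted login, rlogin, other and passwd stacks do) has no password in hand when the LDAP module runs. The second is the bind method: NS_LDAP_AUTH=simple with NS_LDAP_CREDENTIAL_LEVEL=proxy sends the proxy bind password to the directory without TLS, where NS_LDAP_AUTH=tls:simple wraps the same bind in TLS. The sample file contents are constructed for the example and only mirror the shape of the posted files; the function names are my own.

```python
"""Lint a Solaris 10 pam.conf auth stack and ldap_client_file for two
pitfalls: pam_ldap.so.1 running before pam_authtok_get.so.1, and a proxy
bind that uses plain 'simple' authentication with no TLS.

Sample inputs are constructed for this example; they are not copies of
any real system's files.
"""

# Constructed sample: the 'login' stack has pam_ldap.so.1 first (the
# pattern seen in the thread); the 'other' stack follows the order the
# Solaris 10 documentation shows for pam_ldap.
SAMPLE_PAM_CONF = """\
# login service (constructed sample)
login   auth required       pam_ldap.so.1
login   auth requisite      pam_authtok_get.so.1
login   auth required       pam_dhkeys.so.1
login   auth required       pam_unix_cred.so.1
login   auth required       pam_unix_auth.so.1
# default auth stack (constructed sample, documented order)
other   auth requisite      pam_authtok_get.so.1
other   auth required       pam_dhkeys.so.1
other   auth required       pam_unix_cred.so.1
other   auth binding        pam_unix_auth.so.1 server_policy
other   auth required       pam_ldap.so.1
other   account requisite   pam_roles.so.1
"""

# Constructed sample ldap_client_file: proxy credential level, plain simple bind.
SAMPLE_LDAP_CLIENT_FILE = """\
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= ldap.example.com
NS_LDAP_AUTH= simple
NS_LDAP_CREDENTIAL_LEVEL= proxy
"""


def parse_pam_conf(text):
    """Return (service, type, control, module, options) tuples.

    Comments and blank lines are dropped; module paths are reduced to their
    basename so absolute and relative forms compare equal.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry; skip it rather than guess
        service, mtype, control, module = fields[:4]
        entries.append((service, mtype, control, module.rsplit("/", 1)[-1], fields[4:]))
    return entries


def auth_stacks(entries):
    """Group auth-type modules by service, preserving file order."""
    stacks = {}
    for service, mtype, _control, module, _opts in entries:
        if mtype == "auth":
            stacks.setdefault(service, []).append(module)
    return stacks


def check_pam_ldap_order(text):
    """Return (service, message) findings for every auth stack in which
    pam_ldap.so.1 is absent a preceding pam_authtok_get.so.1."""
    findings = []
    for service, modules in auth_stacks(parse_pam_conf(text)).items():
        if "pam_ldap.so.1" not in modules:
            continue
        if "pam_authtok_get.so.1" not in modules:
            findings.append((service, "pam_ldap.so.1 without pam_authtok_get.so.1"))
        elif modules.index("pam_ldap.so.1") < modules.index("pam_authtok_get.so.1"):
            findings.append((service, "pam_ldap.so.1 listed before pam_authtok_get.so.1"))
    return findings


def parse_ldap_client_file(text):
    """Parse KEY= value lines into a dict of lists (keys may repeat)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings.setdefault(key.strip(), []).append(value.strip())
    return settings


def proxy_bind_is_cleartext(text):
    """True when the client binds with plain 'simple' (no tls: prefix)."""
    methods = parse_ldap_client_file(text).get("NS_LDAP_AUTH", [])
    return any(m.split(";")[0].strip() == "simple" for m in methods)


if __name__ == "__main__":
    for service, msg in check_pam_ldap_order(SAMPLE_PAM_CONF):
        print(f"pam.conf: {service}: {msg}")
    if proxy_bind_is_cleartext(SAMPLE_LDAP_CLIENT_FILE):
        print("ldap_client_file: proxy bind uses simple auth without TLS")
```

Run against a real /etc/pam.conf and /var/ldap/ldap_client_file, the first check tells you which services would reach pam_ldap.so.1 with no password yet collected, which matches the symptom in the thread of a bind, a couple of lookups, and an unbind with no authentication attempt; the second check is the reason to prefer tls:simple for a proxy credential level, since the proxy password otherwise crosses the wire in clear.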