Re: FDS and Solaris Client Question

Jeremiah Coleman wrote:
On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote:
Jeremiah Coleman wrote:
I'm trying to set up a Solaris 10 client with FDS (all my linux clients
are working beautifully), but authentication is acting very strange.
Monitoring the net traffic, I can see the Solaris system bind, search
for info about the username, get a normal response, but then it just
Not sure about the "normal" response.

The client asks for the posixAccount info, and gets all that is
available, then asks for the shadowAccount info, and gets the uid (same
as the linux clients).  Repeats this a couple of times, then stops.

If the rootbinddn in /etc/ldap.conf and associated pw or file permissions are correct, what about a "getent passwd" and logs or trace?
unbinds.  It never asks to authenticate a password.  My configuration is
below.

I'm using Solaris 10 native, not OpenLDAP.  No /etc/ldap.conf.  Would I
be better off switching to OpenLDAP?  getent passwd gives me a passwd
file list from the ldap server, with x instead of actual passwords.
If getent shows the non-local uids, the failed ssh login could be related to your pam client configuration or to a service not running on the client? (client system logs should provide you some hints)
M.
As for logs, I've been unable to find a way to get the authentication
stuff to log effectively.

Thanks,
Jay

May want to restart / sighup your sshd to get the last configurations.
System logs and getent could confirm the uid is found, to eliminate the nss_ldap part.
Any help would be much appreciated.

ldap_client_file:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= fds1.wherever.com
NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= TRUE
NS_LDAP_SEARCH_SCOPE= one
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 43200
NS_LDAP_PROFILE= default
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
NS_LDAP_BIND_TIME= 2

/etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
all of that is configured on ldap as yet):
# the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
passwd:     files ldap
group:      files ldap
shadow:     files ldap

# consult /etc "files" only if ldap is down.
hosts:      dns files ldap

# Note that IPv4 addresses are searched for in all of the ipnodes databases
# before searching the hosts databases.
ipnodes:    files

networks:   files
protocols:  files
rpc:        files
ethers:     files
netmasks:   files
bootparams: files
publickey:  files

netgroup:   ldap

automount:  files ldap
aliases:    files ldap

# for efficient getservbyname() avoid ldap
services:   files ldap

printers:   user files ldap

auth_attr:  files ldap
prof_attr:  files ldap

project:    files ldap

tnrhtp:     files ldap
tnrhdb:     files ldap


Is it possible you are missing some entries in your /etc/pam.d/ for ssh on Solaris 10?
/etc/pam.conf:
# login service (explicit because of pam_dial_auth)
#
login   auth required           pam_ldap.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
#
# rlogin service (explicit because of pam_rhost_auth)
#
rlogin  auth sufficient         pam_ldap.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
# Default definitions for Authentication management
# Used when service name is not explicitly mentioned for authentication
#
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
#
# passwd command (explicit because of a different authentication module)
#
passwd  auth sufficient         pam_ldap.so.1
passwd  auth required           pam_passwd_auth.so.1
#
# cron service (explicit because of non-usage of pam_roles.so.1)
#
cron    account required        pam_unix_account.so.1
#
# Default definition for Account management
# Used when service name is not explicitly mentioned for account management
#
other   account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
#
# Default definition for Session management
# Used when service name is not explicitly mentioned for session management
#
other   session sufficient      pam_ldap.so.1
other   session required        pam_unix_session.so.1
#
# Default definition for  Password management
# Used when service name is not explicitly mentioned for password management
#
other   password required       pam_dhkeys.so.1
other   password requisite      pam_authtok_get.so.1
other   password requisite      pam_authtok_check.so.1
other   password required       pam_authtok_store.so.1
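The question of whether sshd is picking up the pam_ldap entries comes down to how Solaris pam.conf resolves a service name: an explicit entry for a service replaces the "other" stack for that management type, and anything not listed (sshd included, in the config above) falls through to "other". The following helper, added here as an illustration and not part of the thread or of Solaris, parses a pam.conf in that format and reports which stack a given service would actually use. The sample input is the auth and account lines posted above; the service names sshd-kbdint and sshd are assumed as the ones Solaris sshd would present, so the point is the fallback behaviour, not the exact names.

```python
"""Resolve the effective Solaris-style pam.conf stack for a service name.

Added example for the thread above; not code from Solaris or from the poster.
"""
from collections import defaultdict

# Constructed sample: the auth and account lines from the pam.conf posted in the thread.
SAMPLE_PAM_CONF = """\
# login service (explicit because of pam_dial_auth)
login   auth required           pam_ldap.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
# defaults used when the service is not explicitly listed
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1
cron    account required        pam_unix_account.so.1
other   account sufficient      pam_ldap.so.1
other   account requisite       pam_roles.so.1
other   account required        pam_unix_account.so.1
"""


def parse_pam_conf(text):
    """Return {(service, type): [(control, module, [options]), ...]} in file order.

    Lines are "service type control module [options]"; '#' starts a comment.
    """
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"malformed pam.conf line: {raw!r}")
        service, mtype, control, module = fields[:4]
        stacks[(service.lower(), mtype.lower())].append(
            (control.lower(), module, fields[4:])
        )
    return dict(stacks)


def effective_stack(stacks, service, mtype):
    """Return (stack, source) for a service and management type.

    An explicit entry for the service wins for that type; otherwise the
    'other' stack applies. source tells the caller which one was used.
    """
    key = (service.lower(), mtype.lower())
    if key in stacks:
        return stacks[key], service.lower()
    return stacks.get(("other", mtype.lower()), []), "other"


def uses_module(stacks, service, mtype, module):
    """True if the resolved stack for service/type lists the given module."""
    stack, _ = effective_stack(stacks, service, mtype)
    return any(m == module for _, m, _ in stack)


if __name__ == "__main__":
    stacks = parse_pam_conf(SAMPLE_PAM_CONF)
    # sshd-kbdint is an assumed sshd service name; it is not in the sample, so
    # it resolves to the 'other' auth stack, which begins with pam_ldap.so.1.
    for svc in ("login", "sshd-kbdint", "cron"):
        for mtype in ("auth", "account"):
            stack, src = effective_stack(stacks, svc, mtype)
            mods = ", ".join(f"{c} {m}" for c, m, _ in stack)
            print(f"{svc}/{mtype}: via '{src}': {mods}")
```

Running it shows that sshd-kbdint gets the "other" auth stack (pam_ldap sufficient first), while login uses its own explicit stack where pam_ldap is required rather than sufficient, so a user who only exists in LDAP behaves differently at the console than over ssh. Checking the resolved stack for each service sshd actually uses is the quick way to confirm the pam side before looking at nss_ldap or the server.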


--
Fedora-directory-users mailing list
Fedora-directory-users@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-users

