RE: id: cannot find name for user ID 500

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



1) Hv u checked dir perms for /etc and /etc/openldap?
ls -ld /etc; ls -ld /etc/openldap
 
2) I assume u hv run authconfig, if so, edit /etc/pam.d/system-auth
change this:

account     required      /lib/security/$ISA/pam_unix.so

to that:

account     sufficient      /lib/security/$ISA/pam_unix.so
 
3) if 1) and 2) do not help
 
Can u post these files on ldap client (full content pls) to us (or to just me as too much info):
/etc/ldap.conf,
/etc/openldap/ldap.conf
/etc/pam.d/system-auth
/etc/nsswitch.conf
/etc/resolv.conf
/etc/hosts
 
and these files on ldap server:
slapd.conf
 
output of:
partial ldapsearch output showing the testuser user details
rpm -qa | grep openldap
rpm -qa | grep nss_ldap
rpm -qa | grep pam
strace id testuser (u must hv strace rpm installed)
ldd `which id`
 
Rgds
Gary
 
-----Original Message----- 
From: pam-list-bounces@xxxxxxxxxx on behalf of Markus Nicolussi 
Sent: Thu 9/16/2004 11:31 PM 
To: pam-list@xxxxxxxxxx 
Cc: 
Subject: Re: id: cannot find name for user ID 500



	Hello!
	
	
	Thank u very much 4 all the response. I spent a whole day in testing all the
	stuff that came as help over the maillist and to my personal EMail Account.
	
	
	* The 2 cacerts on client and server are the same.
	
	
	*openssl s_client -connect ldaps.amazone.or.at:636 -showcerts
	
	gives me
	
	---------------------------------------------------------------------------
	CONNECTED(00000003)
	depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
	Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
	verify error:num=20:unable to get local issuer certificate
	verify return:1
	depth=0 /C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
	Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
	verify error:num=21:unable to verify the first certificate
	verify return:1
	---
	Certificate chain
	 0 s:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
	Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
	   i:/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
	Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
	-----BEGIN CERTIFICATE-----
	...
	-----END CERTIFICATE-----
	---
	Server certificate
	subject=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
	Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
	issuer=/C=AT/ST=Vorarlberg/L=Bregenz/O=Maedchenzentrum
	Amazone/OU=EDV/CN=ldaps.amazone.or.at/emailAddress=mcwimpy@xxxxxx
	---
	No client certificate CA names sent
	---
	SSL handshake has read 1167 bytes and written 340 bytes
	---
	New, TLSv1/SSLv3, Cipher is AES256-SHA
	Server public key is 1024 bit
	SSL-Session:
	    Protocol  : TLSv1
	    Cipher    : AES256-SHA
	    Session-ID:
	0F9232AC5D606B153E3E4A371B1AFDE8D466B2FE04A398CFBCC7F2DC6BD6228D
	    Session-ID-ctx:
	  
	Master-Key:
	5C6EB4AED5CBC153F715AD6417492C3C1373DB138ECCD470046D296721B1C9E6777BAA8F8CB0F65DC8A2CE58FEA9F746
	    Key-Arg   : None
	    Krb5 Principal: None
	    Start Time: 1095235867
	    Timeout   : 300 (sec)
	    Verify return code: 21 (unable to verify the first certificate)
	---
	
	************ now i have to press [Ctrl] + [D] **************
	
	DONE
	---------------------------------------------------------------------------
	
	
	* ldapsearch -x -LLL -ZZZ -h ldaps.amazone.or.at
	
	prints out all Information in my LDAP directory. also does
	
	# ldapsearch -v -Z -x -H ldaps://ldaps.amazone.or.at/
	
	
	
	* Doug Wilson wrote:
	> try a 'getent passwd' as root and then as testuser. You'll probably find
	> that root can see all of the UIDs, but the testuser can't.
	
	getent passwd as root and as testuser both display exactly the /etc/passwd
	file on the client machine
	
	* as root on the client i can see that /etc/openldap/cacert.pem is world
	readable
	---------------------------------------------------------------------------
	[root@acerAspire root]# ls -l /etc/openldap/
	total 16
	-rw-r--r--  1 root root 1359 Sep 10 10:56 cacert.pem
	-rw-r--r--  1 root root  488 Sep 15 11:28 ldap.conf
	---------------------------------------------------------------------------
	
	but logged in as a user...
	---------------------------------------------------------------------------
	[I have no name!@acerAspire testuser]$ ls -l /etc/openldap/
	insgesamt 0
	?---------  ? ? ? ?            ? cacert.pem
	?---------  ? ? ? ?            ? ldap.conf
	---------------------------------------------------------------------------
	
	and if i type
	#finger testuser
	with the debuging in /etc/ldap.conf switched on, i get
	---------------------------------------------------------------------------
	ldap_create
	ldap_simple_bind
	ldap_sasl_bind
	ldap_send_initial_request
	ldap_new_connection
	ldap_int_open_connection
	ldap_connect_to_host: TCP ldaps.amazone.or.at:636
	ldap_new_socket: 3
	ldap_prepare_socket: 3
	ldap_connect_to_host: Trying 192.168.0.1:636
	ldap_connect_timeout: fd: 3 tm: 30 async: 0
	ldap_ndelay_on: 3
	ldap_is_sock_ready: 3
	ldap_ndelay_off: 3
	ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
	TLS: could not load verify locations
	(file:`/etc/openldap/cacert.pem',dir:`').
	TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
	TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
	TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
	lib by_file.c:279
	ldap_unbind
	ldap_create
	ldap_simple_bind
	ldap_sasl_bind
	ldap_send_initial_request
	ldap_new_connection
	ldap_int_open_connection
	ldap_connect_to_host: TCP ldaps.amazone.or.at:636
	ldap_new_socket: 4
	ldap_prepare_socket: 4
	ldap_connect_to_host: Trying 192.168.0.1:636
	ldap_connect_timeout: fd: 4 tm: 30 async: 0
	ldap_ndelay_on: 4
	ldap_is_sock_ready: 4
	ldap_ndelay_off: 4
	ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
	TLS: could not load verify locations
	(file:`/etc/openldap/cacert.pem',dir:`').
	TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:104
	TLS: error:2006D002:BIO routines:BIO_new_file:system lib bss_file.c:109
	TLS: error:0B084002:x509 certificate routines:X509_load_cert_crl_file:system
	lib by_file.c:279
	ldap_unbind
	finger: testuser: no such user.
	---------------------------------------------------------------------------
	this looks as if i have a problem with the permission of
	/etc/openldap/cacert.pem, but what can i do?
	
	*Tommy Henriksen worte:
	> if possible, you can also enable some extra debug information on your
	> OpenLDAP server, - if you can restart the slapd try and play with -d
	> <level>, - you can see different debug levels in following link at
	> openldap.
	I did this with different levels from -1 to 2048 but could never see
	anything apropriate to the TLS connection... which level should i use and
	what exprssion sould i look 4.
	
	> To enable debug on your nss_ldap client you can recompile setting the
	> DEBUG option, either make a #define DEBUG in config.h or add a -DDEBUG as
	> compile option, - this should let you see if nss connect to your ldap
	> server.
	Compiling is at the moment to freaky for me. Everytime i compile a software
	and it doesn't run straight trough i can never solve the issue... So i use
	the binarys supported by Fedora Core 2. But i tried a hind form Vsevolod. Is
	this maybe what you mean? (see next point)
	
	* Vsevolod (Simon) Ilyushchenko wrote:
	> If you want to debug this, insert "debug 9" into /etc/ldap.conf, type
	> "id user" and watch what happens.
	
	doing this and then issuing
	# id testuser
	
	gives me
	
	---------------------------------------------------------------------------
	ldap_create
	ldap_extended_operation_s
	ldap_extended_operation
	ldap_send_initial_request
	ldap_new_connection
	ldap_int_open_connection
	ldap_connect_to_host: TCP ldaps.amazone.or.at:636
	ldap_new_socket: 3
	ldap_prepare_socket: 3
	ldap_connect_to_host: Trying 192.168.0.1:636
	ldap_connect_timeout: fd: 3 tm: 30 async: 0
	ldap_ndelay_on: 3
	ldap_is_sock_ready: 3
	ldap_ndelay_off: 3
	ldap_int_sasl_open: host=server.0.168.192.in-addr.arpa
	ldap_open_defconn: successful
	ldap_send_server_request
	ber_flush: 31 bytes to sd 3
	ldap_result msgid 1
	ldap_chkResponseList for msgid=1, all=1
	ldap_chkResponseList returns NULL
	wait4msg (infinite timeout), msgid 1
	wait4msg continue, msgid 1, all 1
	** Connections:
	* host: ldaps.amazone.or.at  port: 636  (default)
	  refcnt: 2  status: Connected
	  last used: Wed Sep 15 11:31:27 2004
	
	** Outstanding Requests:
	 * msgid 1,  origid 1, status InProgress
	   outstanding referrals 0, parent count 0
	** Response Queue:
	   Empty
	ldap_chkResponseList for msgid=1, all=1
	ldap_chkResponseList returns NULL
	ldap_int_select
	read1msg: msgid 1, all 1
	ber_get_next
	ber_get_next failed.
	ldap_unbind
	ldap_free_request (origid 1, msgid 1)
	ldap_free_connection
	ldap_send_unbind
	ber_flush: 7 bytes to sd 3
	ldap_free_connection: actually freed
	id: testuser: No such user
	---------------------------------------------------------------------------
	
	I can't read much out from this... Is there anyone who has a clou what this
	means?
	
	thank u all very much 4 the help so far. and for helping me further.
	
	ciao, nico.
	
	--
	NEU: GMX ProMail mit bestem Virenschutz http://www.gmx.net/de/go/mail
	+++ Empfehlung der Redaktion +++ Internet Professionell 10/04 +++
	
	--
	NEU: GMX ProMail mit bestem Virenschutz http://www.gmx.net/de/go/mail
	+++ Empfehlung der Redaktion +++ Internet Professionell 10/04 +++
	
	
	_______________________________________________
	
	Pam-list@xxxxxxxxxx
	https://www.redhat.com/mailman/listinfo/pam-list
	

<<winmail.dat>>

_______________________________________________

Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list

[Index of Archives]     [Fedora Users]     [Kernel]     [Red Hat Install]     [Linux for the blind]     [Gimp]

  Powered by Linux