Gentoo Archives: gentoo-user

From: Giampiero Gabbiani <Giampiero@××××××××.org>
To: gentoo-user@l.g.o
Subject: [gentoo-user] SOLVED: Re: nss_updatedb && pam_ccreds
Date: Sun, 22 Aug 2010 13:51:21
Message-Id: 201008221551.07339.Giampiero@gabbiani.org
In Reply to: [gentoo-user] nss_updatedb && pam_ccreds by Giampiero Gabbiani
On Thursday 29 July 2010 18:50:13, Giampiero Gabbiani wrote:
> Hi all,
> I configured nss & pam in order to do LDAP authentication. In order to
> have proper authentication and attribute retrieval I also added ccreds
> and nss_updatedb, modifying /etc/pam.d/system-auth for the first and
> /etc/nsswitch.conf for both:
>
> /etc/pam.d/system-auth:
>
> auth [success=done default=ignore] pam_unix.so nullok_secure try_first_pass debug
> auth [authinfo_unavail=ignore success=1 default=2] pam_ldap.so use_first_pass
> auth [default=done] pam_ccreds.so action=validate use_first_pass
> auth [default=done] pam_ccreds.so action=store
> auth [default=bad] pam_ccreds.so action=update
>
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_unix.so debug
> account [user_unknown=ignore authinfo_unavail=ignore default=done] pam_ldap.so debug
> account required pam_permit.so
>
> password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
> password sufficient pam_unix.so try_first_pass use_authtok nullok md5 shadow
> password sufficient pam_ldap.so use_authtok use_first_pass
> password required pam_deny.so
>
> session optional pam_mkhomedir.so skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_env.so
> session required pam_unix.so
> session optional pam_permit.so
> session optional pam_ldap.so
>
> # /etc/nsswitch.conf:
> # $Header: /var/cvsroot/gentoo/src/patchsets/glibc/extra/etc/nsswitch.conf,v 1.1 2006/09/29 23:52:23 vapier Exp $
>
> passwd: files ldap [NOTFOUND=return] db
> shadow: files ldap
> group: files ldap [NOTFOUND=return] db
>
> #passwd: files ldap
> #shadow: files ldap
> #group: files ldap
>
> # passwd: db files nis
> # shadow: db files nis
> # group: db files nis
>
> hosts: files dns
> networks: files dns
>
> services: db files
> protocols: db files
> rpc: db files
> ethers: db files
> netmasks: files
> netgroup: files ldap
> bootparams: files
>
> automount: files ldap
> aliases: files
>
> sudoers: ldap files
>
> The problem is that, when the connection to the LDAP server is down, I
> can't log in:
>
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): check pass; user unknown
> Jul 18 19:22:59 athena login[10600]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty2 ruser= rhost=
> Jul 18 19:22:59 athena login[10600]: pam_ldap: ldap_simple_bind Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: failed to bind to LDAP server ldap://vesta.homenet.telecomitalia.it: Can't contact LDAP server
> Jul 18 19:23:02 athena login[10600]: nss_ldap: could not search LDAP server - Server is unavailable
> Jul 18 19:23:02 athena login[10600]: FAILED LOGIN (1) on 'tty2' FOR `UNKNOWN', User not known to the underlying authentication module
>
> From the last line above it seems like the credentials were not cached, or
> the nss switch doesn't use the db service for the passwd and shadow
> databases.
>
> Is there someone who has a working configuration for getting the cached
> credentials system working properly?
>
> Regards
> Giampiero
The problem was due to a missing sys-libs/nss-db ebuild.
This one provides the NSS module needed for using Berkeley DB databases as a
naming service by glibc (actually the same one used by nss-updatedb).

Now everything works well.

Bye all
Giampiero

P.S. - IMHO, this should be set as a dependency in the ebuild for the
nss-updatedb ebuild...
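The failure in this thread is easy to misread: "User not known to the underlying authentication module" looks like a PAM problem, but the cause was that the "db" source named in nsswitch.conf had no backing glibc module (libnss_db.so.2, provided on Gentoo by sys-libs/nss-db), so the cache built by nss_updatedb was never consulted. The script below is an added diagnostic, not code from the thread or from the nss-db/nss_updatedb projects: it reads the passwd, shadow and group lines of an nsswitch.conf, strips action specifiers such as [NOTFOUND=return], and reports any source whose libnss_<source>.so.2 module cannot be found. The glibc naming convention libnss_<source>.so.2 is real; the list of library directories searched and the reliance on ldconfig -p are assumptions about a typical Linux layout and may need adjusting.

```shell
#!/bin/sh
# nss_check.sh: report NSS sources in nsswitch.conf that have no glibc module installed.
# Added example for the gentoo-user thread above; not part of nss-db or nss_updatedb.

# Print the sources configured for one database (e.g. "passwd") in the given file,
# one per line, with comments and action specifiers like [NOTFOUND=return] removed.
nss_sources() {
    db="$1"; file="$2"
    sed -n "s/^[[:space:]]*$db:[[:space:]]*//p" "$file" \
        | sed 's/#.*//; s/\[[^]]*\]//g' \
        | tr -s '[:space:]' '\n' \
        | grep -v '^$'
}

# Return 0 if glibc can load a module for the named source, 1 otherwise.
# glibc resolves a source "foo" to libnss_foo.so.2; the directory list is an
# assumption about common layouts and is only a fallback when ldconfig is absent.
nss_module_present() {
    src="$1"
    lib="libnss_$src.so.2"
    if command -v ldconfig >/dev/null 2>&1 && ldconfig -p 2>/dev/null | grep -q "$lib"; then
        return 0
    fi
    for dir in /lib /lib64 /usr/lib /usr/lib64 \
               /lib/x86_64-linux-gnu /usr/lib/x86_64-linux-gnu; do
        [ -e "$dir/$lib" ] && return 0
    done
    return 1
}

# Check every source named for passwd, shadow and group.
# Returns 0 if all modules are present, 1 if any is missing, 2 if the file is unreadable.
nss_check() {
    file="${1:-/etc/nsswitch.conf}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    rc=0
    for db in passwd shadow group; do
        for src in $(nss_sources "$db" "$file" | sort -u); do
            if nss_module_present "$src"; then
                echo "$db: $src -> libnss_$src.so.2 found"
            else
                # This is exactly the situation in the thread: "db" listed, no libnss_db.so.2.
                echo "$db: $src -> libnss_$src.so.2 MISSING (lookups via '$src' will silently fail)"
                rc=1
            fi
        done
    done
    return $rc
}

# Run against /etc/nsswitch.conf (or the file given as first argument).
nss_check "$@" && echo "all NSS modules referenced by passwd/shadow/group are installed"
```

Run it as root or as a normal user; it only reads files. A MISSING line for "db" on a host that runs nss_updatedb means the cached passwd/group entries will never be returned once LDAP is unreachable, which is the symptom the original post describes. The script does not check that the cache files themselves have been generated, so nss_updatedb still needs to have run successfully.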