Package: debian-edu-config
Version: 2.12.32

Currently authentication of student/teacher users on a workstation does not work.

Steps to reproduce:

- currently it is not possible to create a student/teacher via gosa due to bugs #1039698 and #1039699, thus the following example student needs to be imported into LDAP:

dn: uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
sn: Mustermann
givenName: Max
uid: mamus
cn: Max Mustermann
homeDirectory: /skole/tjener/home0/mamus
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
gecos: Max Mustermann
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPasswordExpiration: 19700101000000Z

dn: cn=mamus,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no
cn: mamus
description: Gruppe des Benutzers Max Mustermann
gidNumber: 1003
objectClass: top
objectClass: posixGroup

- then the gosa postcreate hook needs to be invoked manually:

sudo /usr/share/debian-edu-config/tools/gosa-create mamus

- afterwards the password needs to be set inside gosa

- finally try to log in as user "mamus" from a workstation

The following is logged on tjener:

2023-07-21T13:27:34.471977+02:00 tjener sshd[39837]: Connection closed by 127.0.0.1 port 34704 [preauth]
2023-07-21T13:27:46.857328+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:46.861321+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_ldap(lightdm:auth): Authentication failure; user=mamus

The following is logged on the workstation:

Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [b141f2] <passwd="pam_unix_non_existent:"> request denied by validnames option
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [e2a9e3] <authc="mamus"> uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no: Invalid credentials
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_ldap(lightdm:auth): Authentication failure; user=mamus

-- 
Guido Berhoerster
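
Added example, not part of the original report and not code from debian-edu-config: a small triage script that groups the krb5kdc, PAM and nslcd lines quoted above by user, so it is visible which authentication layer rejected the login and with what status. The function names, the regular expressions and the hint texts are this example's own; the sample lines are abridged from the logs in the report.

```python
import re
from collections import defaultdict

# Log lines abridged from the report above (etype list shortened).
SAMPLE = """\
2023-07-21T13:27:46.857328+02:00 tjener krb5kdc[1457]: AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [b141f2] <passwd="pam_unix_non_existent:"> request denied by validnames option
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [e2a9e3] <authc="mamus"> uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no: Invalid credentials
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_ldap(lightdm:auth): Authentication failure; user=mamus
"""

KDC = re.compile(r"krb5kdc\[\d+\]: AS_REQ \(.*?\}\) (\S+): ([A-Z_]+): ([^@\s]+)@(\S+)")
PAM = re.compile(r"(pam_\w+)\(\S+:auth\): authentication failure;(.*)", re.I)
PAM_USER = re.compile(r"\b(?:user|logname)=(\S+)")  # \b skips "ruser="
NSLCD = re.compile(r'nslcd\[\d+\]: \[\w+\] <authc="([^"]+)"> .+: (.+)$')

# What the KDC status in an AS_REQ line says about the account.
KDC_HINT = {
    "CLIENT_NOT_FOUND": "no principal for this user in the KDC database",
    "PREAUTH_FAILED": "principal exists, but the password or key is wrong",
}

def triage(text):
    """Return {user: {layer: detail}} for every failed login seen in text."""
    seen = defaultdict(dict)
    for line in text.splitlines():
        if m := KDC.search(line):
            _ip, code, user, _realm = m.groups()
            seen[user]["kdc"] = code
        elif m := PAM.search(line):
            who = PAM_USER.search(m.group(2))
            if who:
                seen[who.group(1)][m.group(1)] = "authentication failure"
        elif m := NSLCD.search(line):
            seen[m.group(1)]["nslcd"] = m.group(2)
    return dict(seen)

def verdict(layers):
    """One-line reading of a user's failures, led by the KDC status."""
    code = layers.get("kdc")
    if code is None:
        return "no KDC status logged; check the PAM and LDAP layers"
    return KDC_HINT.get(code, f"KDC status {code}")

if __name__ == "__main__":
    for user, layers in triage(SAMPLE).items():
        print(user, "->", verdict(layers), layers)
```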