Your message dated Thu, 3 Aug 2023 07:52:11 +0200
with message-id <8dcca533-dbc4-577e-e89b-fe02e83a4...@berhoerster.name>
and subject line Re: LDAP user authentication of students/teachers does not work
has caused the Debian Bug report #1041613,
regarding LDAP user authentication of students/teachers does not work
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1041613: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041613
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: debian-edu-config
Version: 2.12.32
Currently authentication of student/teacher users on a workstation does
not work.
Steps to reproduce:
- currently it is not possible to create a student/teacher via gosa due to bugs
#1039698 and #1039699, thus the following example student needs to be
imported into LDAP:
dn: uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
sn: Mustermann
givenName: Max
uid: mamus
cn: Max Mustermann
homeDirectory: /skole/tjener/home0/mamus
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
gecos: Max Mustermann
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPasswordExpiration: 19700101000000Z

dn: cn=mamus,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no
cn: mamus
description: Gruppe des Benutzers Max Mustermann
gidNumber: 1003
objectClass: top
objectClass: posixGroup
- then the gosa postcreate hook needs to be invoked manually:
sudo /usr/share/debian-edu-config/tools/gosa-create mamus
- afterwards the password needs to be set inside gosa
- finally try to log in as user "mamus" from a workstation
The following is logged on tjener:
2023-07-21T13:27:34.471977+02:00 tjener sshd[39837]: Connection closed by 127.0.0.1 port 34704 [preauth]
2023-07-21T13:27:46.857328+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:46.861321+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_ldap(lightdm:auth): Authentication failure; user=mamus
The following is logged on the workstation:
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [b141f2] <passwd="pam_unix_non_existent:"> request denied by validnames option
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [e2a9e3] <authc="mamus"> uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no: Invalid credentials
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_ldap(lightdm:auth): Authentication failure; user=mamus
--
Guido Berhoerster
--- End Message ---
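The report above shows the pattern an administrator of such a setup wants to catch early: the LDIF entry for "mamus" carries objectClass krbPrincipalAux but no krbPrincipalName attribute, and the KDC answers the workstation's AS_REQ with CLIENT_NOT_FOUND, so every pam_krb5 login fails before a password is even checked. The following is an added diagnostic example, not code from the bug report or from the debian-edu-config package: it unfolds and parses LDIF, lists posixAccount entries that have no krbPrincipalName, parses krb5kdc log lines for CLIENT_NOT_FOUND rejections, and reports the uids that appear in both sets. It assumes that the MIT krb5 LDAP backend keys principals on krbPrincipalName, and its sample inputs are constructed from the report (the LDIF with the folded krbPwdPolicyReference value continued as LDIF requires, and the wrapped KDC lines rejoined, plus one made-up successful ISSUE line). It does not establish the root cause of this particular bug, which the closing message attributes to the ldap-createuser-krb5 script.

```python
"""Added diagnostic example: correlate LDAP accounts that lack a Kerberos
principal name with CLIENT_NOT_FOUND rejections in the krb5kdc log.
Not part of Debian bug #1041613 or of debian-edu-config."""
import re
from collections import defaultdict

# Constructed sample, rebuilt from the report's LDIF. The krbPwdPolicyReference
# value is folded onto a continuation line (leading space) as RFC 2849 allows,
# and the two entries are separated by a blank line.
SAMPLE_LDIF = """\
dn: uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
sn: Mustermann
givenName: Max
uid: mamus
cn: Max Mustermann
homeDirectory: /skole/tjener/home0/mamus
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,
 dc=no
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbLoginFailedCount: 0
krbTicketFlags: 128

dn: cn=mamus,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no
cn: mamus
gidNumber: 1003
objectClass: top
objectClass: posixGroup
"""

# Constructed sample KDC log: the report's CLIENT_NOT_FOUND line rejoined onto
# one line (etype list shortened), plus a made-up successful ISSUE line.
SAMPLE_KDC_LOG = """\
2023-07-21T13:27:46.857328+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:50.000000+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18)}) 10.0.16.23: ISSUE: authtime 1689938870, etypes {rep=18 tkt=18 ses=18}, admin@INTERN for krbtgt/INTERN@INTERN
"""


def parse_ldif(text):
    """Minimal LDIF reader: unfolds continuation lines, starts a new entry at
    each 'dn:' line or blank line, returns a list of {attribute: [values]}.
    Base64 ('::') values are kept undecoded; enough for plain entries."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]          # RFC 2849 continuation line
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#"):
            continue
        if not line.strip():                  # blank line ends the entry
            if current is not None:
                entries.append(current)
            current = None
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.lstrip(":").strip()
        if key == "dn":                       # new entry, even without a blank line
            if current is not None:
                entries.append(current)
            current = defaultdict(list)
        if current is not None:
            current[key].append(value)
    if current is not None:
        entries.append(current)
    return entries


def accounts_without_principal(entries):
    """uids of posixAccount entries that carry krbPrincipalAux but no
    krbPrincipalName (assumption: the krb5 LDAP backend keys on that attribute)."""
    missing = []
    for entry in entries:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if {"posixaccount", "krbprincipalaux"} <= classes and not entry.get("krbPrincipalName"):
            missing.extend(entry.get("uid", []))
    return missing


# Matches the MIT krb5kdc AS_REQ rejection format seen in the report.
CLIENT_NOT_FOUND_RE = re.compile(
    r"krb5kdc\[\d+\]: AS_REQ .*?(?P<client>\S+): CLIENT_NOT_FOUND: "
    r"(?P<principal>[^@\s]+)@(?P<realm>[^\s,]+)")


def client_not_found(log_text):
    """(client_ip, principal, realm) for each AS_REQ rejected with CLIENT_NOT_FOUND."""
    return [(m["client"], m["principal"], m["realm"])
            for m in map(CLIENT_NOT_FOUND_RE.search, log_text.splitlines()) if m]


def correlate(ldif_text, log_text):
    """Sorted uids that the KDC rejected with CLIENT_NOT_FOUND and that exist in
    LDAP without a krbPrincipalName: accounts the KDC cannot know about."""
    no_principal = set(accounts_without_principal(parse_ldif(ldif_text)))
    rejected = {principal for _, principal, _ in client_not_found(log_text)}
    return sorted(no_principal & rejected)


if __name__ == "__main__":
    for uid in correlate(SAMPLE_LDIF, SAMPLE_KDC_LOG):
        print(f"{uid}: LDAP account without krbPrincipalName, rejected by KDC (CLIENT_NOT_FOUND)")
```

On a real server the LDIF would come from an ldapsearch export of the people subtree and the log from the KDC's journal; the correlation then separates "account never got a principal" from the separate "wrong password" case, which the KDC logs as PREAUTH_FAILED rather than CLIENT_NOT_FOUND.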
--- Begin Message ---
After discovering and fixing the ldap-createuser-krb5 script
(see bug #1042456) authentication of added students/teachers
does work, so this is not a bug but I was apparently missing
something when creating accounts in LDAP/Kerberos.
--
Guido Berhoerster
--- End Message ---