On Thu, 14 Sep 2023 10:57:32 +0200 Petter Reinholdtsen <p...@hungry.com> wrote:
> [Guido Berhoerster]
> >> error: ./ldap-client: Not only one PAM module of krb5, ldap and sss is
> >> enabled
> >
> > /etc/pam.d/common-auth contains:
> >
> > …
> > auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
> > auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
> > auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
> > …
> >
> > So PAM tries them in the given order until one succeeds, I'm not sure
> > what is wrong with that. The git history of testsuite/ldap-client is
> > not helpful either as to why this was added.
>
> The pam_ldap.so line should be removed. The LDAP authentication sends
> the password over to the LDAP server for verification, hopefully via a
> TLS channel, allowing a rogue server to collect user passwords, while
> Kerberos only sends an encrypted timestamp to the server. Because of
> this Debian Edu does not want LDAP authentication enabled, and uses
> Kerberos exclusively over the network.
OK, digging into history shows that this has been a problem before (#591773),
which had a workaround via cfengine. However, that was removed in
https://salsa.debian.org/debian-edu/debian-edu-config/-/commit/3a2cb02332e0dea3bb1dae1847de1a7fe542b1c6
well before bullseye, and in bullseye libpam-ldapd does not get pulled in on
non-roaming installs. The dependency chain in bookworm is
education-networked-common -> nslcd -> libpam-ldapd, and nslcd still has
"libpam-ldapd | libpam-ldap | libpam-krb5 | libpam-heimdal | libpam-sss", but
education-networked-common also directly recommends libpam-ldapd, which seems
to be the culprit. The following commit introduced the dependency:
https://salsa.debian.org/debian-edu/debian-edu/-/commit/16307694c2a24b13a5a910c7cbcacafc8bf6abec

> >> error: ./rdp-server: xrdp service is not listening on 3389/tcp.'
> >
> > This can probably be ignored as I have set up FAI on top of my LTSP
> > setup.
>
> I do not understand what you mean here. How is this relevant?

It's a quirk on my local system, I shouldn't have included it in the report.
-- 
Guido Berhoerster
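The check that the ldap-client test performs, written out as an added example (not code from the thread, from debian-edu-config or from the testsuite): it lists which of pam_krb5, pam_ldap and pam_sss are enabled for the auth type in a PAM file and flags any file that has more than one, so a pam_ldap.so line pulled in by libpam-ldapd is caught. The sample files are constructed from the common-auth lines quoted above; the trailing pam_deny/pam_permit lines, the corrected version and the temp directory are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from debian-edu-config: report
# which of pam_krb5, pam_ldap and pam_sss are enabled for "auth" in a PAM
# file, the situation the ldap-client test complains about.
# The sample configs written below are constructed; mktemp dir is assumed.

# Print the network auth modules enabled in the given file, one per line
# (comments are stripped first, so a commented-out pam_ldap.so does not count).
enabled_net_auth_modules() {
    sed -e 's/#.*//' "$1" \
      | awk '$1 == "auth" {
                 for (i = 2; i <= NF; i++)
                     if ($i ~ /pam_(krb5|ldap|sss)\.so$/) print $i
             }' \
      | sort -u
}

# Exit 0 when exactly one of the three is enabled, 1 otherwise.
check_single_net_auth() {
    mods=$(enabled_net_auth_modules "$1")
    n=$(printf '%s\n' "$mods" | awk 'NF { c++ } END { print c + 0 }')
    [ "$n" -eq 1 ] && return 0
    printf 'error: %s: Not only one PAM module of krb5, ldap and sss is enabled: %s\n' \
        "$1" "$(printf '%s' "$mods" | tr '\n' ' ')" >&2
    return 1
}

# Constructed samples: "bad" is the bookworm common-auth quoted in the thread
# (pam_ldap.so still present), "good" has it removed and the skip counts fixed.
write_sample_configs() {
    cat > "$1/bad" <<'EOF'
auth [success=3 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=2 default=ignore] pam_unix.so nullok try_first_pass
auth [success=1 default=ignore] pam_ldap.so minimum_uid=1000 use_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
EOF
    cat > "$1/good" <<'EOF'
auth [success=2 default=ignore] pam_krb5.so minimum_uid=1000
auth [success=1 default=ignore] pam_unix.so nullok try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so
EOF
}

SAMPLES=$(mktemp -d)
write_sample_configs "$SAMPLES"
check_single_net_auth "$SAMPLES/good" && echo "good: exactly one network auth module"
check_single_net_auth "$SAMPLES/bad" || echo "bad: flagged, remove the pam_ldap.so line"
```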