Hi,
We use a large number of servers with centralized user accounts in LDAP for ease of administration. The machines bind to LDAPv3 with TLS, and PAM accepts logins for ssh checking groupdn. This has been working great in FreeBSD 4.x, 5.x and 6.x, but while setting this up in FreeBSD 7.0-RELEASE (amd64) I ran into a few problems (tested on two machines). I've only used portsnap and portinstall to install packages (no pkg_add etc). I've also tried to recompile nss_ldap/pam_ldap/openldap-client and updating ldconfig.

Brief description (config files etc further down):
-----
First I set up nss_ldap to list the users with "getent passwd", then I edited /etc/pam.d/sshd to allow logins. I *can login*, but in /var/log/auth.log I see one entry per login:

Mar 17 16:36:05 webmail sshd[98863]: nss_ldap: could not get LDAP result - Can't contact LDAP server

Well, OK. I am logged in now. Time to break the setup (adding pam_mkhomedir):
-----
This is what my /etc/pam.d/sshd file looks like:

# auth
auth        sufficient    pam_opie.so                       no_warn no_fake_prompts
auth        requisite     pam_opieaccess.so                 no_warn allow_local
auth        sufficient    /usr/local/lib/pam_ldap.so        no_warn debug
auth        required      pam_unix.so                       no_warn try_first_pass

# account
account     required      pam_nologin.so
#account    required      /usr/local/lib/pam_ldap.so        ignore_authinfo_unavail debug   #usually enabled to enforce pam_groupdn in ldap.conf
account     required      pam_login_access.so
account     required      pam_unix.so

# session
session     required      pam_permit.so
#session    required      /usr/local/lib/pam_mkhomedir.so   skel=/etc/skel/sshd umask=0077

# password
password    required      pam_unix.so                       no_warn try_first_pass

Now, if I uncomment the line with pam_mkhomedir.so on it, logins stop working.
In /var/log/auth.log I now see two lines appearing:

Mar 17 16:46:40 webmail sshd[98923]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 16:46:40 webmail sshd[98923]: error: PAM: pam_open_session(): error in service module

I think this might be a problem in the PADL pam_ldap package, because I see some suspicious warnings while building it:

cc -DHAVE_CONFIG_H -DLDAP_REFERRALS -DLDAP_DEPRECATED -DPIC -D_REENTRANT -I/usr/local/include -O2 -fno-strict-aliasing -pipe -Wall -fPIC -c pam_ldap.c
pam_ldap.c: In function '_get_user_info':
pam_ldap.c:2726: warning: passing argument 4 of '_get_long_integer_value' from incompatible pointer type
pam_ldap.c: In function '_pam_ldap_get_session':
pam_ldap.c:2741: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c: In function 'pam_sm_open_session':
pam_ldap.c:3400: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c: In function 'pam_sm_chauthtok':
pam_ldap.c:3466: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c:3477: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c:3619: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c: In function 'pam_sm_acct_mgmt':
pam_ldap.c:3860: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type

If I add pam_mkhomedir.so to /etc/pam.d/su, I can su - <ldapuser> and it creates my homedir. From ktracing it doesn't seem like sshd/pam isn't finding anything (well, it's not finding nss_dns.so, but I'm guessing that's not important).

Has the PAM interface changed any in 7.0? Can anyone point me in the right direction to where the problem is, and how I can fix it (I don't know PAM internals and I'm not a great C coder, but I'll give it a shot)?
I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are anyway:

/usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
/usr/local/etc/ldap.conf -> openldap/ldap.conf

#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.

base dc=nsn, dc=no
HOST 1.slave.1881.int.nsn.no master.1881.int.nsn.no
port 389
ldap_version 3
bind_policy soft
binddn cn=unix7813,ou=sysusers,dc=nsn,dc=no
bindpw <secret>
ssl start_tls
pam_filter objectclass=posixAccount
pam_groupdn cn=mx-servers,ou=ssh-access,ou=groups,dc=nsn,dc=no
pam_member_attribute member
pam_password exop
nss_base_passwd ou=nsnasa,ou=people,dc=nsn,dc=no
nss_base_shadow ou=nsnasa,ou=people,dc=nsn,dc=no
nss_base_group ou=posixgroups,ou=groups,dc=nsn,dc=no
tls_checkpeer no
TLS_REQCERT allow

/etc/nsswitch.conf:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap
group_compat: nis
passwd_compat: nis
shells: files
services: files
protocols: files
rpc: files

I've tried a lot of different setups in this file, reversing orders, using *_compat etc.

So, if anyone has any theories, or something that can point me in any direction, I will greatly appreciate it. If I posted it to the wrong forum, please point me to the correct/optimal forum.

Otherwise I'm pleased to see the impressive new performance in 7.0, and better support for IBM Bladeservers and Qlogic 4gig FC-controllers :-) Great release!

Thanks in advance.

Kind regards,
Daniel Bond.
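As an added example that is not part of Daniel's post: a small Python lint for the PADL-style ldap.conf format quoted above, flagging the settings a reviewer would question in it (tls_checkpeer no, TLS_REQCERT allow, and a bindpw kept in a world-readable file). The embedded sample configuration is constructed, with placeholder host names, DNs and secret.

```python
"""Lint a PADL-style ldap.conf (nss_ldap/pam_ldap) for weak TLS settings."""
import os
import stat

# Constructed sample: same keys as the post's ldap.conf, placeholder names/secret.
SAMPLE_CONF = """\
# LDAP Defaults
base dc=example, dc=org
HOST ldap1.example.org ldap2.example.org
port 389
ldap_version 3
bind_policy soft
binddn cn=svc-unix,ou=sysusers,dc=example,dc=org
bindpw PLACEHOLDER_SECRET
ssl start_tls
tls_checkpeer no
TLS_REQCERT allow
"""

def parse_ldap_conf(text):
    """Return {key: value}; keys are case-insensitive here, so lowercase them."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank lines and comments
            continue
        parts = line.split(None, 1)                # key, then the rest as value
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def lint_ldap_conf(conf, world_readable=False):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if conf.get("ssl", "").lower() not in ("start_tls", "on", "yes"):
        findings.append("no TLS: 'ssl start_tls' (or ssl on) is not enabled")
    if conf.get("tls_checkpeer", "").lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is not verified")
    if conf.get("tls_reqcert", "").lower() in ("never", "allow", "try"):
        findings.append("TLS_REQCERT %s: a bad or missing server cert is tolerated"
                        % conf["tls_reqcert"])
    if "bindpw" in conf and world_readable:
        findings.append("bindpw is stored in a world-readable file")
    return findings

def lint_file(path):
    """Lint a config file on disk, checking its mode for world readability."""
    with open(path) as fh:
        conf = parse_ldap_conf(fh.read())
    return lint_ldap_conf(conf, bool(os.stat(path).st_mode & stat.S_IROTH))
```

Run lint_file("/usr/local/etc/ldap.conf") on a host to see the findings for its real configuration; setting tls_checkpeer yes and TLS_REQCERT demand makes the TLS findings disappear.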