Hello,

I do not know much about linux environments (but have had to learn a few things 
quickly!) - I have inherited a series of opensolaris build systems from a 
previous IT administrator who has left.  All of the systems have been running 
smoothly for months until one of them had a hiccup about 2 weeks ago.  I have 
gotten it to limp along, but it seems there are more underlying issues that I 
cannot figure out.

The system I am having problems with was integrated with Win2k3 R2 AD with 
openldap and PAM.  

[b]First off[/b] - the system stopped responding to SMB requests (configured 
with LDAP to Windows 2003 R2 AD for permissions to SMB shares).

I noticed someone had changed the resolv.conf file - one of the AD controllers 
was an incorrect IP address.  So I changed it back and restarted the DNS 
service as well as the network (just to be safe).

Did not fix the issue, so I rebooted the system.  Upon startup, the SMB 
sharing started working correctly.  The system then failed to allow logins via 
SSH and SCP of LDAP user accounts.  The console was showing the following error:

[b]PAM_KRB5 (auth):  krb5_verify_init_creds failed:  key version number for 
principal in key table is incorrect[/b]

I researched this error and ended up restarting the smb service, as well as 
idmap + re-joining the system to the AD domain with smbadm join -u 
administrator sample.com (filler for actual domain names)

[b][u]I have run (from the problematic opensolaris system):[/u][/b]

[b]ldapsearch strings that return successfully[/b]

[b]ldapclient list returns:[/b]

NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_SERVERS= dc-01.sample.com, dc-03.sample.com
NS_LDAP_SEARCH_BASEDN= dc=sample,dc=com
NS_LDAP_AUTH= sasl/GSSAPI
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_CACHETTL= 0
NS_LDAP_CREDENTIAL_LEVEL= self
NS_LDAP_SERVICE_SEARCH_DESC= passwd:ou=Company,dc=sample,dc=com?sub
NS_LDAP_SERVICE_SEARCH_DESC= group:ou=Company,dc=sample,dc=com?sub
NS_LDAP_ATTRIBUTEMAP= shadow:userpassword=userPassword
NS_LDAP_ATTRIBUTEMAP= shadow:shadowflag=shadowFlag
NS_LDAP_ATTRIBUTEMAP= passwd:loginshell=loginShell
NS_LDAP_ATTRIBUTEMAP= passwd:homedirectory=unixHomeDirectory
NS_LDAP_ATTRIBUTEMAP= passwd:uidnumber=uidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= passwd:gecos=cn
NS_LDAP_ATTRIBUTEMAP= group:gidnumber=gidNumber
NS_LDAP_ATTRIBUTEMAP= group:memberuid=memberUid
NS_LDAP_ATTRIBUTEMAP= group:userpassword=userPassword
NS_LDAP_OBJECTCLASSMAP= shadow:shadowAccount=user
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=user
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=group

[b]getent passwd username returns correct info:[/b]

username:x:15028:100:User Name:/home/username:/bin/bash

[b]ldaplist -l passwd username returns correct info:[/b]

dn: gecos=User Name,OU=Users,OU=Company,DC=sample,DC=com
        objectClass: top
        objectClass: person
        objectClass: organizationalPerson
        objectClass: posixAccount
        cn: User Name
        sn: Name
        givenName: User
        distinguishedName: CN=User Name,OU=Users,OU=Company,DC=sample,DC=com
        instanceType: *number* (removed)
        whenCreated: *number* (removed)
        whenChanged: *number* (removed)
        displayName: User Name
        uSNCreated: *number* (removed)
        memberOf: CN=Domain Users,CN=Users,DC=sample,DC=com
        uSNChanged: *number* (removed)
        name: User Name
        objectGUID: *String encryption* (removed)
        userAccountControl: *number* (removed)
        badPwdCount: 0
        codePage: 0
        countryCode: 0
        badPasswordTime: *number* (removed)
        lastLogoff: 0
        lastLogon: *number* (removed)
        pwdLastSet: *number* (removed)
        primaryGroupID: *number* (removed)
        objectSid:
        adminCount: *number* (removed)
        accountExpires: *number* (removed)
        logonCount: *number* (removed)
        sAMAccountName: username
        sAMAccountType: *number* (removed)
        userPrincipalName: usern...@sample.net
        objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=sample,DC=com
        dSCorePropagationData: *number* (removed)
        dSCorePropagationData: *number* (removed)
        dSCorePropagationData: *number* (removed)
        dSCorePropagationData: *number* (removed)
        dSCorePropagationData: *number* (removed)
        lastLogonTimestamp: *number* (removed)
        uid: username
        mail: usern...@sample.com
        msSFU30Name: username
        msSFU30NisDomain: sample
        uidnumber: 15028
        gidnumber: 100
        homedirectory: /home/username
        loginshell: /bin/bash
        gecos: User Name

Now at this point - authentication with SCP, SSH and SMB is working correctly. 

---------------------------------------------------------------------

My now existing problem is NFS share copying is VERY slow for linux users and I 
am constantly getting the following error to the console:

[b]nscd:  GSSAPI Error:  No Credentials were supplied, or the credentials were 
unavailable or inacessible (no credentials cache file found)[/b]

I am also experiencing the nscd process eventually consuming 100% cpu, 100% of 
the time (which will obviously slow down NFS copies - along with everything 
else).

If I kill the process it runs fine for a while - smb and nfs speeds are 
faster... I _believe_ that the generation of failures of GSSAPI is possibly 
causing nscd to go haywire?

[b]nsswitch.conf shows:[/b]

passwd:     files ldap
group:      files ldap

ipnodes:   files dns mdns

All others are set to files

[b]pam.conf shows modified:[/b]

login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth optional           pam_unix_auth.so.1 --> [b]should this be 
"sufficient"  ?[/b]
login   auth optional           pam_krb5.so.1 --> [b]should this be 
"sufficient"  ?[/b]

login   auth required           pam_dial_auth.so.1

other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth sufficient         pam_unix_auth.so.1
other   auth sufficient         pam_krb5.so.1

other   account requisite       pam_roles.so.1
other   account sufficient      pam_unix_account.so.1
other   account sufficient      pam_tsol_account.so.1
other   account sufficient      pam_ldap.so.1

[b]uname -srvmpi[/b] = SunOS 5.11 snv_114 i86pc i386 i86pc

Any help anyone could chime in on would be great, I'm pulling my hair out!

Any other info that will help, please let me know and I will do my best to 
provide.
-- 
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
opensolaris-discuss@opensolaris.org

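The PAM_KRB5 error quoted above means the key version number (kvno) stored in the host's keytab no longer matches the KDC's copy, which also prevents the host from obtaining the credentials that NS_LDAP_AUTH=sasl/GSSAPI needs. Added example, not code from the post or from OpenSolaris: a POSIX sh script that flags such mismatches. The hostname build01.sample.com, realm SAMPLE.COM, keytab path and kvno numbers are constructed placeholders, and the two listings are modelled on MIT-style `klist -k -e` and `kvno` output.

```sh
#!/bin/sh
# Added example, not from the post: compare the key version number (kvno) of
# each principal in the local keytab with the kvno the KDC holds. A mismatch is
# what "key version number for principal in key table is incorrect" reports.
# Constructed sample output modelled on MIT-style `klist -k -e` and `kvno`
# (Solaris Kerberos is MIT-derived); hostname, realm and numbers are placeholders.
# On a real host use instead:  KEYTAB_LISTING=$(klist -k -e /etc/krb5/krb5.keytab)
# and  KDC_LISTING=$(kvno host/build01.sample.com@SAMPLE.COM nfs/build01.sample.com@SAMPLE.COM)
KEYTAB_LISTING='Keytab name: FILE:/etc/krb5/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 host/build01.sample.com@SAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 host/build01.sample.com@SAMPLE.COM (arcfour-hmac)
   2 nfs/build01.sample.com@SAMPLE.COM (arcfour-hmac)'
KDC_LISTING='host/build01.sample.com@SAMPLE.COM: kvno = 4
nfs/build01.sample.com@SAMPLE.COM: kvno = 2'

# keytab_kvno LISTING PRINCIPAL: highest kvno the keytab holds for PRINCIPAL, 0 if absent.
keytab_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" \
        '$1 ~ /^[0-9]+$/ && $2 == p { if ($1 + 0 > max) max = $1 + 0 } END { print max + 0 }'
}

# kdc_kvno LISTING PRINCIPAL: kvno the KDC reports for PRINCIPAL, empty if not listed.
kdc_kvno() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 == (p ":") { print $NF }'
}

# check_principal PRINCIPAL: 0 = kvnos agree, 1 = mismatch, 2 = missing on one side.
check_principal() {
    kt=$(keytab_kvno "$KEYTAB_LISTING" "$1")
    kdc=$(kdc_kvno "$KDC_LISTING" "$1")
    if [ -z "$kdc" ] || [ "$kt" -eq 0 ]; then
        echo "MISSING  $1: absent from the keytab or unknown to the KDC" >&2
        return 2
    fi
    [ "$kt" -eq "$kdc" ] && return 0
    echo "MISMATCH $1: keytab kvno $kt, KDC kvno $kdc; recreate the entry (e.g. re-join the domain)" >&2
    return 1
}

# check_all: check every principal the KDC listed; exit status = number of failures.
check_all() {
    bad=0
    for p in $(printf '%s\n' "$KDC_LISTING" | awk -F: '{ print $1 }'); do
        check_principal "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

check_all || echo "$? principal(s) need attention" >&2
```

With the constructed listings the host principal is reported as a mismatch (keytab kvno 3, KDC kvno 4) while the nfs principal passes.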