[Fedora-directory-users] FDS and Solaris Client Question

Marc Sauton msauton at redhat.com
Tue Sep 18 20:53:13 UTC 2007


Jeremiah Coleman wrote:
> I'm trying to set up a Solaris 10 client with FDS (all my linux clients
> are working beautifully), but authentication is acting very strange.
> Monitoring the net traffic, I can see the Solaris system bind, search
> for info about the username, get a normal response, but then it just
>   
Not sure about the "normal" response.
If the rootbinddn in /etc/ldap.conf and associated pw or file 
permissions are correct, what about a "getent passwd" and logs or trace?
> unbinds.  It never asks to authenticate a password.  My configuration is
> below.
>
>   
May want to restart / SIGHUP your sshd to pick up the latest configuration.
System logs and getent could confirm the uid is found, to eliminate the 
nss_ldap part.
> Any help would be much appreciated.
>
> ldap_client_file:
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= fds1.wherever.com
> NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 30
> NS_LDAP_CACHETTL= 43200
> NS_LDAP_PROFILE= default
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
> NS_LDAP_BIND_TIME= 2
>
> /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
> all of that is configured on ldap as yet):
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd:     files ldap
> group:      files ldap
> shadow:     files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts:      dns files ldap
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes:    files
>
> networks:   files
> protocols:  files
> rpc:        files
> ethers:     files
> netmasks:   files
> bootparams: files
> publickey:  files
>
> netgroup:   ldap
>
> automount:  files ldap
> aliases:    files ldap
>
> # for efficient getservbyname() avoid ldap
> services:   files ldap
>
> printers:   user files ldap
>
> auth_attr:  files ldap
> prof_attr:  files ldap
>
> project:    files ldap
>
> tnrhtp:     files ldap
> tnrhdb:     files ldap
>
>
>   
Is it possible you are missing some entries in your /etc/pam.d/ for ssh 
on Solaris 10?
> /etc/pam.conf:
> # login service (explicit because of pam_dial_auth)
> #
> login   auth required           pam_ldap.so.1
> login   auth requisite          pam_authtok_get.so.1
> login   auth required           pam_dhkeys.so.1
> login   auth required           pam_unix_cred.so.1
> login   auth required           pam_unix_auth.so.1
> login   auth required           pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin  auth sufficient         pam_ldap.so.1
> rlogin  auth sufficient         pam_rhosts_auth.so.1
> rlogin  auth requisite          pam_authtok_get.so.1
> rlogin  auth required           pam_dhkeys.so.1
> rlogin  auth required           pam_unix_cred.so.1
> rlogin  auth required           pam_unix_auth.so.1
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other   auth sufficient         pam_ldap.so.1
> other   auth requisite          pam_authtok_get.so.1
> other   auth required           pam_dhkeys.so.1
> other   auth required           pam_unix_cred.so.1
> other   auth required           pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd  auth sufficient         pam_ldap.so.1
> passwd  auth required           pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron    account required        pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other   account sufficient      pam_ldap.so.1
> other   account requisite       pam_roles.so.1
> other   account required        pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other   session sufficient      pam_ldap.so.1
> other   session required        pam_unix_session.so.1
> #
> # Default definition for  Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other   password required       pam_dhkeys.so.1
> other   password requisite      pam_authtok_get.so.1
> other   password requisite      pam_authtok_check.so.1
> other   password required       pam_authtok_store.so.1
>
>
>   
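One check worth running on a pam.conf like the one posted above, as an added example that is not code from the thread, from Fedora Directory Server, or from Sun: for every service that has an auth stack, list where pam_ldap.so.1 sits relative to pam_authtok_get.so.1. On Solaris 10, pam_ldap.so.1 does not prompt for a password itself; it authenticates with the PAM auth token that pam_authtok_get.so.1 collected, so a stack that reaches pam_ldap before pam_authtok_get has no password to bind with. The two inputs are constructed: the first copies the auth lines from the posted pam.conf, the second reorders them the way the Solaris 10 pam_ldap(5) example does as I remember it (pam_authtok_get first, pam_unix_auth with server_policy, pam_ldap last). Verify that layout against pam_ldap(5) on the client before copying it; the checker itself only reports ordering.

```shell
#!/bin/sh
# Added example: report, per service, whether pam_ldap.so.1 in a Solaris-style
# pam.conf auth stack is reached before pam_authtok_get.so.1 has collected the
# password. Usage: check_pam_auth_order [/etc/pam.conf]  (reads stdin if no file)

check_pam_auth_order() {
    awk '
        # pam.conf fields: service  module_type  control_flag  module_path [options]
        /^[ \t]*#/ || NF < 4 { next }
        $2 != "auth"         { next }
        {
            svc = $1; ctl = $3; mod = $4
            if (!(svc in seen)) { seen[svc] = 1; order[++nsvc] = svc }
            pos[svc]++
            # remember the first position of each module of interest
            if (mod == "pam_ldap.so.1" && !(svc in ldap_at)) { ldap_at[svc] = pos[svc]; ldap_ctl[svc] = ctl }
            if (mod == "pam_authtok_get.so.1" && !(svc in get_at)) { get_at[svc] = pos[svc] }
        }
        END {
            for (i = 1; i <= nsvc; i++) {
                svc = order[i]
                if (!(svc in ldap_at)) {
                    printf "%s: no pam_ldap.so.1 in auth stack\n", svc
                } else if (!(svc in get_at) || ldap_at[svc] < get_at[svc]) {
                    printf "%s: pam_ldap.so.1 (%s) is stacked above pam_authtok_get.so.1, no password collected yet\n", svc, ldap_ctl[svc]
                } else {
                    printf "%s: ok\n", svc
                }
            }
        }' "$@"
}

# Constructed input: the login, rlogin and other auth lines from the posted pam.conf.
POSTED_AUTH_STACK='login   auth required           pam_ldap.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth required           pam_unix_auth.so.1
login   auth required           pam_dial_auth.so.1
rlogin  auth sufficient         pam_ldap.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
rlogin  auth required           pam_dhkeys.so.1
rlogin  auth required           pam_unix_cred.so.1
rlogin  auth required           pam_unix_auth.so.1
# default stack, used by sshd and anything else without its own entries
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth required           pam_unix_auth.so.1'

# Constructed input: same services reordered as in the Solaris 10 pam_ldap(5)
# example (from memory; check the man page): password collected first,
# pam_unix_auth with server_policy so it defers to pam_ldap for LDAP users.
REORDERED_AUTH_STACK='login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_dhkeys.so.1
login   auth required           pam_unix_cred.so.1
login   auth binding            pam_unix_auth.so.1 server_policy
login   auth required           pam_ldap.so.1
login   auth required           pam_dial_auth.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_dhkeys.so.1
other   auth required           pam_unix_cred.so.1
other   auth binding            pam_unix_auth.so.1 server_policy
other   auth required           pam_ldap.so.1'

printf '%s\n' "$POSTED_AUTH_STACK" | check_pam_auth_order
printf '%s\n' "$REORDERED_AUTH_STACK" | check_pam_auth_order
```

Run it against the real file with `check_pam_auth_order /etc/pam.conf` (Solaris 10 keeps the stacks in that one file). The "other" stack is the one sshd falls back to, so it is the line to look at for the ssh symptom; the passwd service is deliberately left out because it collects the old password through pam_passwd_auth.so.1 rather than pam_authtok_get.so.1. This complements the getent check: getent tells you whether nss_ldap resolves the user, this tells you whether the PAM side can ever get a password to pam_ldap.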