[Fedora-directory-users] FDS and Solaris Client Question
Marc Sauton
msauton at redhat.com
Tue Sep 18 20:53:13 UTC 2007
Jeremiah Coleman wrote:
> I'm trying to set up a Solaris 10 client with FDS (all my linux clients
> are working beautifully), but authentication is acting very strange.
> Monitoring the net traffic, I can see the Solaris system bind, search
> for info about the username, get a normal response, but then it just
>
Not sure about the "normal" response.
If the rootbinddn in /etc/ldap.conf and associated pw or file
permissions are correct, what about a "getent passwd" and logs or trace?
> unbinds. It never asks to authenticate a password. My configuration is
> below.
>
>
May want to restart / SIGHUP your sshd to get the latest configuration.
System logs and getent could confirm the uid is found, to eliminate the
nss_ldap part.
> Any help would be much appreciated.
>
> ldap_client_file:
> NS_LDAP_FILE_VERSION= 2.0
> NS_LDAP_SERVERS= fds1.wherever.com
> NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
> NS_LDAP_AUTH= simple
> NS_LDAP_SEARCH_REF= TRUE
> NS_LDAP_SEARCH_SCOPE= one
> NS_LDAP_SEARCH_TIME= 30
> NS_LDAP_CACHETTL= 43200
> NS_LDAP_PROFILE= default
> NS_LDAP_CREDENTIAL_LEVEL= proxy
> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
> NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
> NS_LDAP_BIND_TIME= 2
>
> /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
> all of that is configured on ldap as yet):
> # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> passwd: files ldap
> group: files ldap
> shadow: files ldap
>
> # consult /etc "files" only if ldap is down.
> hosts: dns files ldap
>
> # Note that IPv4 addresses are searched for in all of the ipnodes databases
> # before searching the hosts databases.
> ipnodes: files
>
> networks: files
> protocols: files
> rpc: files
> ethers: files
> netmasks: files
> bootparams: files
> publickey: files
>
> netgroup: ldap
>
> automount: files ldap
> aliases: files ldap
>
> # for efficient getservbyname() avoid ldap
> services: files ldap
>
> printers: user files ldap
>
> auth_attr: files ldap
> prof_attr: files ldap
>
> project: files ldap
>
> tnrhtp: files ldap
> tnrhdb: files ldap
>
>
>
Is it possible you are missing some entries in your /etc/pam.d/ for ssh
on Solaris 10?
> /etc/pam.conf:
> # login service (explicit because of pam_dial_auth)
> #
> login auth required pam_ldap.so.1
> login auth requisite pam_authtok_get.so.1
> login auth required pam_dhkeys.so.1
> login auth required pam_unix_cred.so.1
> login auth required pam_unix_auth.so.1
> login auth required pam_dial_auth.so.1
> #
> # rlogin service (explicit because of pam_rhost_auth)
> #
> rlogin auth sufficient pam_ldap.so.1
> rlogin auth sufficient pam_rhosts_auth.so.1
> rlogin auth requisite pam_authtok_get.so.1
> rlogin auth required pam_dhkeys.so.1
> rlogin auth required pam_unix_cred.so.1
> rlogin auth required pam_unix_auth.so.1
> # Default definitions for Authentication management
> # Used when service name is not explicitly mentioned for authentication
> #
> other auth sufficient pam_ldap.so.1
> other auth requisite pam_authtok_get.so.1
> other auth required pam_dhkeys.so.1
> other auth required pam_unix_cred.so.1
> other auth required pam_unix_auth.so.1
> #
> # passwd command (explicit because of a different authentication module)
> #
> passwd auth sufficient pam_ldap.so.1
> passwd auth required pam_passwd_auth.so.1
> #
> # cron service (explicit because of non-usage of pam_roles.so.1)
> #
> cron account required pam_unix_account.so.1
> #
> # Default definition for Account management
> # Used when service name is not explicitly mentioned for account management
> #
> other account sufficient pam_ldap.so.1
> other account requisite pam_roles.so.1
> other account required pam_unix_account.so.1
> #
> # Default definition for Session management
> # Used when service name is not explicitly mentioned for session management
> #
> other session sufficient pam_ldap.so.1
> other session required pam_unix_session.so.1
> #
> # Default definition for Password management
> # Used when service name is not explicitly mentioned for password management
> #
> other password required pam_dhkeys.so.1
> other password requisite pam_authtok_get.so.1
> other password requisite pam_authtok_check.so.1
> other password required pam_authtok_store.so.1
>
>
>
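As an added example (not part of the thread, not Solaris code), this Python resolves which auth entries a given service actually gets from the posted pam.conf, including the fallback to the "other" entries that sshd relies on when it has no lines of its own. The line format it parses (service, module type, control flag, module path, options) is assumed from the post.

```python
"""Effective PAM stack for a service from a Solaris-style /etc/pam.conf.
Added example, not code from the thread. Assumed line format:
    service module_type control_flag module_path [options]
A service with no explicit entries falls back to the 'other' entries."""
from collections import defaultdict

# Auth-management excerpt of the pam.conf posted in the thread.
PAM_CONF = """\
login auth required pam_ldap.so.1
login auth requisite pam_authtok_get.so.1
login auth required pam_dhkeys.so.1
login auth required pam_unix_cred.so.1
login auth required pam_unix_auth.so.1
login auth required pam_dial_auth.so.1
other auth sufficient pam_ldap.so.1
other auth requisite pam_authtok_get.so.1
other auth required pam_dhkeys.so.1
other auth required pam_unix_cred.so.1
other auth required pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options)]}."""
    stacks = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError("malformed pam.conf line: %r" % raw)
        service, mtype, flag = (f.lower() for f in fields[:3])
        stacks[(service, mtype)].append((flag, fields[3], fields[4:]))
    return stacks

def effective_stack(stacks, service, module_type):
    """Entries PAM actually runs: the service's own, else the 'other' ones."""
    explicit = stacks.get((service.lower(), module_type.lower()))
    if explicit:
        return service.lower(), explicit
    return "other", stacks.get(("other", module_type.lower()), [])

if __name__ == "__main__":
    conf = parse_pam_conf(PAM_CONF)
    for svc in ("login", "sshd"):
        src, stack = effective_stack(conf, svc, "auth")
        print("%s auth (from %r): %s" % (svc, src, [m for _, m, _ in stack]))
```

Running it shows that login has its own six-module stack with pam_ldap.so.1 marked required, while sshd inherits the "other" stack where pam_ldap.so.1 is sufficient; the same resolver can be pointed at a full /etc/pam.conf to see exactly which entries a service is missing.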