[Fedora-directory-users] FDS and Solaris Client Question

Jeremiah Coleman jay.coleman at cctechnol.com
Tue Sep 18 21:44:38 UTC 2007


On Tue, 2007-09-18 at 13:53 -0700, Marc Sauton wrote:
> Jeremiah Coleman wrote:
> > I'm trying to set up a Solaris 10 client with FDS (all my linux clients
> > are working beautifully), but authentication is acting very strange.
> > Monitoring the net traffic, I can see the Solaris system bind, search
> > for info about the username, get a normal response, but then it just
> >   
> Not sure for the "normal" response.

The client asks for the posixAccount info, and gets all that is
available, then asks for the shadowAccount info, and gets the uid (same
as the linux clients).  Repeats this a couple of times, then stops.

> If the rootbinddn in /etc/ldap.conf and associated pw or file 
> permissions are correct, what about a "getent passwd" and logs or trace ?
> > unbinds.  It never asks to authenticate a password.  My configuration is
> > below.

I'm using Solaris 10 native, not OpenLDAP.  No /etc/ldap.conf.  Would I
be better off switching to OpenLDAP?  getent passwd gives me a passwd
file list from the ldap server, with x instead of actual passwords.  

As for logs, I've been unable to find a way to get the authentication
stuff to log effectively.

Thanks,
Jay

> >
> >   
> May want to restart / sighup your sshd to get the last configurations.
> System logs and getent could confirm the uid is found, to eliminate the 
> nss_ldap part.
> > Any help would be much appreciated.
> >
> > ldap_client_file:
> > NS_LDAP_FILE_VERSION= 2.0
> > NS_LDAP_SERVERS= fds1.wherever.com
> > NS_LDAP_SEARCH_BASEDN= dc=wherever,dc=com
> > NS_LDAP_AUTH= simple
> > NS_LDAP_SEARCH_REF= TRUE
> > NS_LDAP_SEARCH_SCOPE= one
> > NS_LDAP_SEARCH_TIME= 30
> > NS_LDAP_CACHETTL= 43200
> > NS_LDAP_PROFILE= default
> > NS_LDAP_CREDENTIAL_LEVEL= proxy
> > NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=People,dc=wherever,dc=com?one
> > NS_LDAP_SERVICE_SEARCH_DESC= group: ou=group,dc=wherever,dc=com?one
> > NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=People,dc=wherever,dc=com?one
> > NS_LDAP_SERVICE_SEARCH_DESC= netgroup: ou=netgroup,dc=wherever,dc=com?one
> > NS_LDAP_BIND_TIME= 2
> >
> > /etc/nsswitch.conf (note, I pulled ldap from networks, etc, since not
> > all of that is configured on ldap as yet):
> > # the following two lines obviate the "+" entry in /etc/passwd and /etc/group.
> > passwd:     files ldap
> > group:      files ldap
> > shadow:     files ldap
> >
> > # consult /etc "files" only if ldap is down.
> > hosts:      dns files ldap
> >
> > # Note that IPv4 addresses are searched for in all of the ipnodes databases
> > # before searching the hosts databases.
> > ipnodes:    files
> >
> > networks:   files
> > protocols:  files
> > rpc:        files
> > ethers:     files
> > netmasks:   files
> > bootparams: files
> > publickey:  files
> >
> > netgroup:   ldap
> >
> > automount:  files ldap
> > aliases:    files ldap
> >
> > # for efficient getservbyname() avoid ldap
> > services:   files ldap
> >
> > printers:   user files ldap
> >
> > auth_attr:  files ldap
> > prof_attr:  files ldap
> >
> > project:    files ldap
> >
> > tnrhtp:     files ldap
> > tnrhdb:     files ldap
> >
> >
> >   
> Is it possible you are missing some entries in your /etc/pam.d/ for ssh 
> on Solaris 10 ?
> > /etc/pam.conf:
> > # login service (explicit because of pam_dial_auth)
> > #
> > login   auth required           pam_ldap.so.1
> > login   auth requisite          pam_authtok_get.so.1
> > login   auth required           pam_dhkeys.so.1
> > login   auth required           pam_unix_cred.so.1
> > login   auth required           pam_unix_auth.so.1
> > login   auth required           pam_dial_auth.so.1
> > #
> > # rlogin service (explicit because of pam_rhost_auth)
> > #
> > rlogin  auth sufficient         pam_ldap.so.1
> > rlogin  auth sufficient         pam_rhosts_auth.so.1
> > rlogin  auth requisite          pam_authtok_get.so.1
> > rlogin  auth required           pam_dhkeys.so.1
> > rlogin  auth required           pam_unix_cred.so.1
> > rlogin  auth required           pam_unix_auth.so.1
> > # Default definitions for Authentication management
> > # Used when service name is not explicitly mentioned for authentication
> > #
> > other   auth sufficient         pam_ldap.so.1
> > other   auth requisite          pam_authtok_get.so.1
> > other   auth required           pam_dhkeys.so.1
> > other   auth required           pam_unix_cred.so.1
> > other   auth required           pam_unix_auth.so.1
> > #
> > # passwd command (explicit because of a different authentication module)
> > #
> > passwd  auth sufficient         pam_ldap.so.1
> > passwd  auth required           pam_passwd_auth.so.1
> > #
> > # cron service (explicit because of non-usage of pam_roles.so.1)
> > #
> > cron    account required        pam_unix_account.so.1
> > #
> > # Default definition for Account management
> > # Used when service name is not explicitly mentioned for account management
> > #
> > other   account sufficient      pam_ldap.so.1
> > other   account requisite       pam_roles.so.1
> > other   account required        pam_unix_account.so.1
> > #
> > # Default definition for Session management
> > # Used when service name is not explicitly mentioned for session management
> > #
> > other   session sufficient      pam_ldap.so.1
> > other   session required        pam_unix_session.so.1
> > #
> > # Default definition for  Password management
> > # Used when service name is not explicitly mentioned for password management
> > #
> > other   password required       pam_dhkeys.so.1
> > other   password requisite      pam_authtok_get.so.1
> > other   password requisite      pam_authtok_check.so.1
> > other   password required       pam_authtok_store.so.1
> >
> >
> >   
> 
> --
> Fedora-directory-users mailing list
> Fedora-directory-users at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users
-- 
Jeremiah Coleman
Systems Administrator
C & C Technologies
337-261-0660 x3421
jay.coleman at cctechnol.com
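The pam.conf quoted in this thread lists pam_ldap.so.1 at the top of several auth stacks, ahead of the module that collects the password. The following checker is an added example, not code from the thread or from Fedora Directory Server; it parses a Solaris-style pam.conf and reports password-consuming auth modules that run before any prompter. It assumes, as the Solaris 10 pam_ldap(5) and pam_unix_auth(5) manual pages describe, that those modules read the password that pam_authtok_get.so.1 (or pam_passwd_auth.so.1 for the passwd service) collected earlier in the same stack.

```python
# Added example (not from the thread): a checker for Solaris pam.conf auth stacks.
# Assumption, per the Solaris 10 pam_ldap(5)/pam_unix_auth(5) manual pages: these
# modules read the password that pam_authtok_get.so.1 (or pam_passwd_auth.so.1 for
# the passwd service) collected earlier in the same stack, so they must follow it.
from collections import OrderedDict

PASSWORD_CONSUMERS = {"pam_ldap.so.1", "pam_unix_auth.so.1"}
PASSWORD_PROMPTERS = {"pam_authtok_get.so.1", "pam_passwd_auth.so.1"}


def parse_pam_conf(text):
    """Return {service: {module_type: [(control_flag, module)]}} in file order."""
    stacks = OrderedDict()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        fields = line.split()
        if len(fields) < 4:                        # service type control module [options]
            continue
        service, mtype, control, module = fields[:4]
        stacks.setdefault(service, OrderedDict()).setdefault(mtype, []).append((control, module))
    return stacks


def find_misordered(stacks):
    """Password-consuming auth modules listed before any password prompter."""
    problems = []
    for service, types in stacks.items():
        auth = types.get("auth", [])
        prompt_idx = [i for i, (_, m) in enumerate(auth) if m in PASSWORD_PROMPTERS]
        first_prompt = prompt_idx[0] if prompt_idx else len(auth)
        for idx, (control, module) in enumerate(auth):
            if module in PASSWORD_CONSUMERS and idx < first_prompt:
                problems.append((service, module, control))
    return problems


# Constructed sample: the login, rlogin, other and passwd auth stacks as quoted above.
SAMPLE = """\
login   auth required           pam_ldap.so.1
login   auth requisite          pam_authtok_get.so.1
login   auth required           pam_unix_auth.so.1
rlogin  auth sufficient         pam_ldap.so.1
rlogin  auth sufficient         pam_rhosts_auth.so.1
rlogin  auth requisite          pam_authtok_get.so.1
other   auth sufficient         pam_ldap.so.1
other   auth requisite          pam_authtok_get.so.1
other   auth required           pam_unix_auth.so.1
passwd  auth sufficient         pam_ldap.so.1
passwd  auth required           pam_passwd_auth.so.1
"""

if __name__ == "__main__":
    for service, module, control in find_misordered(parse_pam_conf(SAMPLE)):
        print(f"{service}: {module} ({control}) runs before any password prompter")
```

Run against the sample it flags pam_ldap.so.1 in all four services; a stack that lists pam_authtok_get.so.1 first produces no findings.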