I'm trying to troubleshoot my previous problem from the basics. I've a box set up with Ubuntu, samba and ldap. I have a lot of problems with user authentication. I'm checking if LDAP and PAM are working together. I've added a user to ldap with the smbldap-useradd command (as posix account) and I'm trying to use it to login via ssh. This user cannot authenticate.

Here is the result from auth.log and some configuration files:

Jun 3 11:02:37 localserver sshd[27372]: Invalid user testmio from 192.168.10.1
Jun 3 11:02:37 localserver sshd[27372]: Failed none for invalid user testmio from 192.168.10.1 port 44352 ssh2
Jun 3 11:02:39 localserver sshd[27372]: pam_unix(sshd:auth): check pass; user unknown
Jun 3 11:02:39 localserver sshd[27372]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remoteclient.domain.it
Jun 3 11:02:39 localserver sshd[27372]: pam_ldap: error trying to bind as user "uid=testmio,ou=Users,dc=domain,dc=it" (Invalid credentials)
Jun 3 11:02:41 localserver sshd[27372]: Failed password for invalid user testmio from 192.168.10.1 port 44352 ssh2

If I use the command "getent passwd" I obtain only the accounts present in the /etc/passwd file and none of those included in ldap.
/etc/pam.conf is empty

# /etc/pam.d/samba
@include common-auth
@include common-account
@include common-session

# etc/pam.d/login
auth requisite pam_securetty.so
auth requisite pam_nologin.so
session required pam_selinux.so close
session required pam_env.so readenv=1
session required pam_env.so readenv=1 envfile=/etc/default/locale
@include common-auth
auth optional pam_group.so
session required pam_limits.so
session optional pam_lastlog.so
session optional pam_motd.so
session optional pam_mail.so standard
@include common-account
@include common-session
@include common-password
session required pam_selinux.so open

# /etc/nsswitch.conf
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files mdns4_minimal [NOTFOUND=return] dns mdns4
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

ldap.conf contains the following directives:

nss_base_passwd ou=Users,dc=domain,dc=it?one
nss_base_passwd ou=Computers,dc=domain,dc=it?one
nss_base_shadow ou=Users,dc=domain,dc=it?one
nss_base_group ou=Groups,dc=domain,dc=it?one
Hi,

> I'm trying to use it to
> login via ssh. This user cannot authenticate.
> Here is the result from auth.log and some configuration files

This is not a samba problem but a SSH/Ubuntu/Ldap problem :)

You need both packages pam_ldap AND nss_ldap.

You need to configure both (configuration is very similar, but there may be some differences).

To give a brief explanation:

pam_ldap is used by ssh (you need to configure /etc/pam.d/ssh !) to accept the username and password

nss_ldap is used by things like getent, or to show your correct username and group when you do a "ls -l"

Now it much depends on how your LDAP tree is organized, so I cannot give much more advice; what is the objectClass you use for your users? I am surprised to see that user and password belong to different places in the LDAP tree. I am also surprised that the /etc/pam.d example you give does not contain a single reference to ldap...

There are good how-tos floating around on Google that walk you step by step.

Best regards,

Olivier
Thanks Olivier,
I will check all the files in /etc/pam.d

My problems are with samba, but after a little troubleshooting I think that some of them originate at PAM/Ldap level, so I'm checking this first. I've followed the guide taken from the Ubuntu site:

https://help.ubuntu.com/8.10/serverguide/C/network-authentication.html

I think that if I can succeed in authenticating via shell or ssh I can then rule out pam issues and work on samba configuration.

Thanks,
Riccardo

--------- Original Message --------
From: Olivier Nicole <on@cs.ait.ac.th>
To:
Cc: samba@lists.samba.org
Subject: Re: [Samba] Samba+Ldap problems
Date: 03/06/09 12:42

> Hi,
>
> > I'm trying to use it to
> > login via ssh. This user cannot authenticate.
> > Here is the result from auth.log and some configuration files
>
> This is not a samba problem but a SSH/Ubuntu/Ldap problem :)
>
> You need both packages pam_ldap AND nss_ldap.
>
> You need to configure both (configuration is very similar, but there
> may be some differences).
>
> To give a brief explanation:
>
> pam_ldap is used by ssh (you need to configure /etc/pam.d/ssh !) to
> accept the username and password
>
> nss_ldap is used by things like getent, or to show your correct
> username and group when you do a "ls -l"
>
> Now it much depends on how your LDAP tree is organized, so I cannot give
> much more advice; what is the objectClass you use for your users? I am
> surprised to see that user and password belong to different places in
> the LDAP tree. I am also surprised that the /etc/pam.d example you
> give does not contain a single reference to ldap...
>
> There are good how-tos floating around on Google that walk you step by step.
>
> Best regards,
>
> Olivier
dogbert@infinito.it wrote:

> Thanks Olivier,
> I will check all the files in /etc/pam.d

Check /etc/nsswitch.conf first. I think it may be your first problem.

> I think that if I can succeed in authenticating via shell or ssh I can then
> rule out pam issues and work on samba configuration.

You need that working before you can start the Samba stages. Samba needs those accounts working before it can work properly.

TB
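
The two checks suggested in the replies above (LDAP listed in nsswitch.conf, pam_ldap present in the service's PAM stack), as an added shell example that is not part of any poster's message. It expands Debian-style @include lines so a module referenced only through common-auth is still found; the function names and the sample files written by make_sample are constructed for illustration.

```shell
#!/bin/sh
# Added example: offline checks for the NSS and PAM layers. Paths are
# arguments so the functions can run against copies of the real files.

# nss_has_source DB SOURCE [FILE]: succeed if SOURCE is listed for DB.
nss_has_source() {
    awk -v db="$1:" -v src="$2" '
        { sub(/#.*/, "") }                      # drop comments
        $1 == db { for (i = 2; i <= NF; i++) if ($i == src) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "${3:-/etc/nsswitch.conf}"
}

# pam_stack SERVICE [DIR] [DEPTH]: print the stack for SERVICE with
# Debian-style "@include" lines expanded (other include forms are not
# handled). DEPTH stops runaway include loops.
pam_stack() {
    [ "${3:-0}" -lt 8 ] && [ -r "${2:-/etc/pam.d}/$1" ] || return 1
    while read -r first rest || [ -n "$first" ]; do
        case "$first" in
            ''|'#'*) ;;
            @include) pam_stack "$rest" "${2:-/etc/pam.d}" $(( ${3:-0} + 1 )) ;;
            *) printf '%s %s\n' "$first" "$rest" ;;
        esac
    done < "${2:-/etc/pam.d}/$1"
}

# pam_uses_module SERVICE MODULE [DIR]: succeed if MODULE is in the stack.
pam_uses_module() {
    pam_stack "$1" "${3:-/etc/pam.d}" | grep -qwF -- "$2"
}

# Constructed sample files (not the poster's): login pulls in common-auth,
# and only common-auth names pam_ldap.so.
make_sample() {
    mkdir -p "$1/pam.d"
    printf 'passwd: files ldap\ngroup: files ldap\nnetgroup: nis\n' > "$1/nsswitch.conf"
    printf 'auth requisite pam_nologin.so\n@include common-auth\n' > "$1/pam.d/login"
    printf 'auth sufficient pam_ldap.so\nauth required pam_unix.so use_first_pass\n' > "$1/pam.d/common-auth"
}

d=$(mktemp -d) && make_sample "$d"
nss_has_source passwd ldap "$d/nsswitch.conf" && echo "passwd: ldap listed"
pam_uses_module login pam_ldap.so "$d/pam.d" && echo "login: pam_ldap.so found"
rm -rf "$d"
```

These are static file checks only; "getent passwd" remains the test of whether the LDAP lookup actually works.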