Things seem to be working well with the directory server, however I've run into 2 problems.

1. I can't figure out how to configure sshd to authenticate to the ldap server.

2. This may actually not be a problem at all when I address number 1, however ldap home directories are not being created despite having this line in my /etc/pam.d/login file:
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

I've only verified that number 2 is an issue over ssh, as such it may not be an actual issue at all. Any thoughts? Thanks again.
Pete Rowley
2005-Dec-21 01:52 UTC
Re: [Fedora-directory-users] need help with ldap and sshd
Aaron Bliss wrote:
> Things seem to be working well with the directory server, however I've run
> into 2 problems.
> 1. I can't figure out how to configure sshd to authenticate to the ldap
> server.

See below:

> 2. This may actually not be a problem at all when I address number 1,
> however ldap home directories are not being created despite having this
> line in my /etc/pam.d/login file
> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

You need it in your /etc/pam.d/sshd file. Which from 1), sounds like you don't have one :)

--
Pete
Aaron Bliss
2005-Dec-21 02:50 UTC
Re: [Fedora-directory-users] need help with ldap and sshd
Pete Rowley wrote:
> Aaron Bliss wrote:
>> Things seem to be working well with the directory server, however I've run
>> into 2 problems.
>> 1. I can't figure out how to configure sshd to authenticate to the ldap
>> server.
>
> See below:
>
>> 2. This may actually not be a problem at all when I address number 1,
>> however ldap home directories are not being created despite having this
>> line in my /etc/pam.d/login file
>> session required pam_mkhomedir.so skel=/etc/skel/ umask=0077
>
> You need it in your /etc/pam.d/sshd file. Which from 1), sounds like
> you don't have one :)
>
> --
> Fedora-directory-users mailing list
> Fedora-directory-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users

Thanks for getting back to me; what should a properly formatted /etc/pam.d/sshd file for rhel4 or rhel3 look like?

Aaron
John A Vestrum
2005-Dec-21 15:15 UTC
Re: [Fedora-directory-users] need help with ldap and sshd
> Thanks for getting back to me; what should a properly formatted
> /etc/pam.d/sshd file for rhel4 or rhel3 look like?
>
> Aaron

You might try using authconfig to get a working set of pam files, and then tweak from there. On my rhel4 machine, /etc/pam.d/sshd and many other services just use pam_stack to inherit the config from /etc/pam.d/system-auth.

/etc/pam.d/sshd:
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so

It sounds like you have a working /etc/pam.d/login, so use that as a guide for editing your system-auth. Also make sure you have "UsePAM yes" in your sshd_config.

--
John Vestrum
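The layout John describes, worked through as an added example (this is not code from the thread or from the Fedora Directory Server project): sshd hands every PAM type to system-auth through pam_stack, so pam_mkhomedir has to sit in system-auth's session stack (or directly in /etc/pam.d/sshd) to run on an ssh login, and sshd_config must say "UsePAM yes" or sshd never calls PAM at all. The script writes that layout into a scratch directory standing in for /etc/pam.d and /etc/ssh, then checks both conditions the way a practitioner would before declaring the box fixed. The system-auth contents are an assumption modelled on what RHEL4's authconfig produces with pam_ldap enabled; compare them against your own file. The pam_stack resolution follows one level of "service=" (RHEL3/4 syntax; RHEL5 and later replace pam_stack with an "include" directive, which this check does not parse). Nothing here touches the real /etc.

```shell
#!/bin/sh
# Added example (not from the thread): scratch copy of the RHEL4-style PAM
# layout (sshd -> pam_stack -> system-auth), plus two checks for the problems
# in this thread: does sshd's *session* stack reach pam_mkhomedir, and does
# sshd_config enable PAM at all?

PAMDIR=$(mktemp -d)                 # stands in for /etc/pam.d (assumption)
SSHD_CONFIG="$PAMDIR/sshd_config"   # stands in for /etc/ssh/sshd_config (assumption)

write_sample_config() {
  # /etc/pam.d/sshd exactly as John posted it
  cat > "$PAMDIR/sshd" <<'EOF'
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
EOF
  # system-auth: assumed authconfig-style stack with pam_ldap, plus the
  # pam_mkhomedir line from Aaron's /etc/pam.d/login moved into the
  # shared session stack so sshd (and every other pam_stack client) gets it.
  cat > "$PAMDIR/system-auth" <<'EOF'
auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       sufficient   pam_ldap.so use_first_pass
auth       required     pam_deny.so
account    required     pam_unix.so broken_shadow
account    sufficient   pam_succeed_if.so uid < 100 quiet
account    [default=bad success=ok user_unknown=ignore] pam_ldap.so
account    required     pam_permit.so
password   requisite    pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok use_authtok md5 shadow
password   sufficient   pam_ldap.so use_authtok
password   required     pam_deny.so
session    required     pam_limits.so
session    required     pam_unix.so
session    required     pam_mkhomedir.so skel=/etc/skel/ umask=0077
session    optional     pam_ldap.so
EOF
  printf 'UsePAM yes\n' > "$SSHD_CONFIG"
}

# Print the effective lines of one PAM type ($2) for service $1, expanding
# "pam_stack.so service=<other>" one level, the way RHEL3/4 PAM resolves it.
pam_lines() {
  grep -v '^[[:space:]]*#' "$PAMDIR/$1" | awk -v t="$2" '$1 == t' |
  while read -r line; do
    case "$line" in
      *pam_stack.so*service=*)
        sub=$(printf '%s\n' "$line" | sed 's/.*service=\([^ ]*\).*/\1/')
        grep -v '^[[:space:]]*#' "$PAMDIR/$sub" | awk -v t="$2" '$1 == t' ;;
      *) printf '%s\n' "$line" ;;
    esac
  done
}

# Exit 0 if an ssh login will run pam_mkhomedir, 1 otherwise.
sshd_session_makes_homedir() {
  pam_lines sshd session | grep -q 'pam_mkhomedir\.so'
}

# Exit 0 if sshd_config enables PAM (the line Aaron was missing), 1 otherwise.
sshd_uses_pam() {
  grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$SSHD_CONFIG"
}

write_sample_config
if sshd_session_makes_homedir && sshd_uses_pam; then
  echo "ok: sshd session stack reaches pam_mkhomedir and UsePAM is yes"
else
  echo "problem: ldap users will not get a home directory on ssh login"
fi
```

Pointing PAMDIR and SSHD_CONFIG at the real /etc/pam.d and /etc/ssh/sshd_config (and skipping write_sample_config) turns the two check functions into a quick audit of a live host; the umask=0077 on pam_mkhomedir is worth keeping so a freshly created home directory is not world-readable.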
Aaron Bliss
2005-Dec-21 20:59 UTC
Re: [Fedora-directory-users] need help with ldap and sshd
>> Thanks for getting back to me; what should a properly formatted
>> /etc/pam.d/sshd file for rhel4 or rhel3 look like?
>>
>> Aaron
>
> You might try using authconfig to get a working set of pam files, and then
> tweak from there. On my rhel4 machine, /etc/pam.d/sshd and many other
> services just use pam_stack to inherit the config from
> /etc/pam.d/system-auth.
>
> /etc/pam.d/sshd:
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
>
> It sounds like you have a working /etc/pam.d/login, so use that as a guide
> for editing your system-auth. Also make sure you have "UsePAM yes" in your
> sshd_config.
>
> --
> John Vestrum

I was missing UsePAM yes; all is working now.
Richard Megginson
2005-Dec-21 21:04 UTC
Re: [Fedora-directory-users] need help with ldap and sshd
So, what do we need to add to http://directory.fedora.redhat.com/wiki/Howto:PAM to incorporate this information?

Aaron Bliss wrote:
>>> Thanks for getting back to me; what should a properly formatted
>>> /etc/pam.d/sshd file for rhel4 or rhel3 look like?
>>>
>>> Aaron
>>
>> You might try using authconfig to get a working set of pam files, and then
>> tweak from there. On my rhel4 machine, /etc/pam.d/sshd and many other
>> services just use pam_stack to inherit the config from
>> /etc/pam.d/system-auth.
>>
>> /etc/pam.d/sshd:
>> auth       required     pam_stack.so service=system-auth
>> auth       required     pam_nologin.so
>> account    required     pam_stack.so service=system-auth
>> password   required     pam_stack.so service=system-auth
>> session    required     pam_stack.so service=system-auth
>> session    required     pam_loginuid.so
>>
>> It sounds like you have a working /etc/pam.d/login, so use that as a guide
>> for editing your system-auth. Also make sure you have "UsePAM yes" in your
>> sshd_config.
>>
>> --
>> John Vestrum
>
> I was missing UsePAM yes; all is working now.
Aaron Bliss
2005-Dec-22 19:45 UTC
[Fedora-directory-users] script to change uids, gids, and files they used to own
Others may find this useful; in getting prepared to migrate to FDS, I had to first address the issue that the same users have different uids and gids on our servers (for example, Johnny may be uid 500 on server A, but may have a uid of 501 on server B); as such, I put together this script that will change a user's uid and gid, as well as change ownership of files and folders to their new uid and gid:
#!/bin/bash
# This script expects three arguments: the user to process, the new uid, and the new gid
pass1=$1
new_uid=$2
new_gid=$3
# Check that the caller passed exactly three parameters
if [ "$#" -ne 3 ] ; then
    echo "Usage: $0 <user to change> <new uid to use> <new gid to use>; exiting"
    exit 1
fi
# Changing ids and chowning the whole filesystem only works as root
if [ "$(id -u)" -ne 0 ] ; then
    echo "This script must be run as root; exiting"
    exit 1
fi
# Parse /etc/passwd and /etc/group for the user and group to change.
# Match the name field exactly: a plain "grep -w $pass1" would also match the
# name inside a home directory path, a gecos field, or another group's member list.
myname=`awk -F: -v u="$pass1" '$1 == u { print $1 }' /etc/passwd`
myuid=`awk -F: -v u="$pass1" '$1 == u { print $3 }' /etc/passwd`
mygid1=`awk -F: -v u="$pass1" '$1 == u { print $4 }' /etc/passwd`
mygid=`awk -F: -v u="$pass1" '$1 == u { print $3 }' /etc/group`
if [ -z "$myname" ] || [ -z "$mygid" ] ; then
    echo "No local user or no private group named $pass1 in /etc/passwd and /etc/group; exiting"
    exit 1
fi
# Check and make sure the user's primary group is also their private group
if [ "$mygid1" != "$mygid" ] ; then
    echo "There is a mismatch between the user's primary group and their private group"
    echo "I'm exiting as their primary group is likely a shared group and should be fixed"
    exit 1
fi
echo "User to change is $myname with uid of $myuid and gid of $mygid; assigning new uid of $new_uid and new gid of $new_gid"
echo "Do you want me to continue? [y/n]"
read lastchance
case "$lastchance" in
    y)
        echo "I'm going to continue with user, group and file system changes"
        # Change the private group's id, then re-point the user's primary group at it.
        # Stop if either command fails (for example because the new gid or uid is
        # already taken); otherwise the chown/chgrp below would run against an
        # account that was never changed.
        /usr/sbin/groupmod -g "$new_gid" "$myname" || { echo "groupmod failed; aborting"; exit 1; }
        /usr/sbin/usermod -g "$myname" "$myname" || { echo "usermod -g failed; aborting"; exit 1; }
        # Change the uid
        /usr/sbin/usermod -u "$new_uid" "$myname" || { echo "usermod -u failed; aborting"; exit 1; }
        # Find files they used to own (still tagged with the old numeric ids) and give
        # them ownership again. -print0/xargs -0 keeps paths containing spaces intact,
        # and /proc and /sys are skipped since nothing there can be chowned.
        find / \( -path /proc -o -path /sys \) -prune -o -uid "$myuid" -print0 | xargs -0 -r chown "$myname"
        find / \( -path /proc -o -path /sys \) -prune -o -gid "$mygid" -print0 | xargs -0 -r chgrp "$myname"
        ;;
    n)
        echo "I'm aborting all changes"
        exit 0
        ;;
    *)
        echo "You entered something I don't understand...aborting"
        exit 1
        ;;
esac