I am following the instruction in Samba by Example chapter 6 on a RHEL4
server. Everything seems OK until I get to 6.3.5.7, which says to do the
following:
root# getent passwd | grep Administrator
which returns nothing, indicating that the nsswitch (nss_ldap library) is
not working.
I cannot find anything in any of the log files to give me a clue nor any
hints on how to debug this.
Any suggestions?
My configuration files are as follows:
***** /etc/openldap/slapd.conf
# $OpenLDAP: pkg/ldap/servers/slapd/slapd.conf,v 1.8.8.7 2001/09/27 20:00:31 kurt Exp $
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
#include /etc/openldap/schema/redhat/autofs.schema
#include /etc/openldap/schema/redhat/kerberosobject.schema
include /etc/openldap/schema/samba.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
access to dn.base=""
by self write
by * auth
access to attr=userPassword
by self write
by * auth
access to attr=shadowLastChange
by self write
by * read
access to *
by * write
by anonymous auth
loglevel 256
#schemacheck off
#idletimeout 30
backend ldbm
database ldbm
#checkpoint 1024 5
#cachesize 10000
suffix "dc=phoenixinteriorsltd,dc=com"
rootdn "cn=Manager,dc=phoenixinteriorsltd,dc=com"
rootpw xxxxxxxx
directory /var/lib/ldap
# Indices to maintain
#index objectClass eq
#index cn pres,sub,eq
#index sn pres,sub,eq
#index uid pres,sub,eq
#index displayName pres,sub,eq
#index uidNumber eq
#index gidNumber eq
#index memberUID eq
#index sambaSID eq
#index sambaPrimaryGroupSID eq
#index sambaDomainName eq
#index default sub
***** /etc/ldap.conf
SIZELIMIT 12
TIMELIMIT 15
DEREF never
host 127.0.0.1
base dc=phoenixinteriorsltd,dc=com
binddn cn=Manager,dc=phoenixinteriorsltd,dc=com
bindpw xxxxxxxx
timelimit 50
bind_timelimit 50
bind_policy hard
idle_timelimit 3600
pam_password exop
nss_base_passwd ou=People,dc=phoenixinteriorsltd,dc=com?one
nss_base_shadow ou=People,dc=phoenixinteriorsltd,dc=com?one
nss_base_group ou=Groups,dc=phoenixinteriorsltd,dc=com?one
ssl off
***** /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
passwd: files ldap
shadow: files ldap
group: files ldap
hosts: files dns wins
bootparams: nisplus [NOTFOUND=return] files
ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files
netgroup: files
publickey: nisplus
automount: files
aliases: files nisplus
***** /etc/pam.d/login
#%PAM-1.0
auth required pam_securetty.so
auth required pam_nologin.so
auth sufficient pam_ldap.so
#auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
account sufficient pam_ldap.so
password required pam_stack.so service=system-auth
password required pam_ldap.so use_first_pass use_authtok
session required pam_stack.so service=system-auth
session optional pam_console.so
***** /etc/pam.d/passwd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth sufficient pam_ldap.so
account required pam_stack.so service=system-auth
account sufficient pam_ldap.so
password required pam_stack.so service=system-auth
password required pam_ldap.so use_first_pass use_authtok
***** /etc/pam.d/samba
#%PAM-1.0
auth required pam_nologin.so
auth required pam_stack.so service=system-auth
auth sufficient pam_ldap.so
account required pam_stack.so service=system-auth
account sufficient pam_ldap.so
session required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
password required pam_ldap.so use_first_pass use_authtok
***** /etc/sshd
#%PAM-1.0
auth required pam_stack.so service=system-auth
auth required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
session required pam_limits.so
session optional pam_console.so
Tony
On Fri, 2005-11-18 at 13:32 +0000, Tony Austin wrote:
> I am following the instruction in Samba by Example chapter 6 on a RHEL4
> server. Everything seems OK until I get to 6.3.5.7, which says to do the
> following:
>
> root# getent passwd | grep Administrator
>
> which returns nothing, indicating that the nsswitch (nss_ldap library) is
> not working.
>
> I cannot find anything in any of the log files to give me a clue nor any
> hints on how to debug this.
>
> Any suggestions?
>
----
redhat? version?

does 'by Example' really suggest using ldbm?

can you perform base search from command line?

ldapsearch -x -h localhost \
  -D 'cn=Manager,dc=phoenixinteriorsltd,dc=com' \
  -W '(objectclass=*)'

and get results?

Craig
> On Fri, 2005-11-18 at 14:05 +0000, Tony Austin wrote:
>>> On Fri, 2005-11-18 at 13:32 +0000, Tony Austin wrote:
>>>> I am following the instruction in Samba by Example chapter 6 on a
>>>> RHEL4 server. Everything seems OK until I get to 6.3.5.7, which
>>>> says to do the following:
>>>>
>>>> root# getent passwd | grep Administrator
>>>>
>>>> which returns nothing, indicating that the nsswitch (nss_ldap
>>>> library) is not working.
>>>>
>>>> I cannot find anything in any of the log files to give me a clue
>>>> nor any hints on how to debug this.
>>>>
>>>> Any suggestions?
>>>>
>>> ----
>>> redhat? version?
>>>
>>
>> Enterprise Linux El version 4 64-bit
> ----
> thanks - that helps
> ----
>>> does 'by Example' really suggest using ldbm?
>>>
>>
>> No. It's my first go with LDAP and I copied it from a working RHEL3
>> config.
> ----
> ldbm will probably ultimately make you crazy. Continue playing with ldbm
> if you wish but consider using bdb instead...
> the following changes would need to be made

I am leaving this as it is for the moment using ldbm, I can come back to
it later.

> to slapd.conf
> -------------
> # just below schema includes...
> allow bind_v2 bind_anon_dn
>
> # at the bottom of the file
> # Set the entry cache size to 5000.
> #
> cachesize 5000
>
> # Set transactional checkpoint.
> #
> checkpoint 512 720
>
> create a file called DB_CONFIG and put it into your ldap-data directory
> (/var/lib/ldap as defined in your supplied information)
>
> #
> # Set the database in memory cache size.
> #
> set_cachesize 0 52428800 0
>
> # Automatically remove log files that are no longer needed.
> set_flags DB_LOG_AUTOREMOVE
>
> #
> # Set database flags.
> # (for database loading/reindexing)
> #set_flags DB_TXN_NOSYNC
> #set_flags DB_TXN_NOT_DURABLE
>
> # Set log values.
> #
> set_lg_regionmax 1048576
> set_lg_max 10485760
> set_lg_bsize 2097152
> -----
>
> and whether you use ldbm or bdb...make sure that /etc/openldap/ldap.conf
> has at the very least...
>
> HOST 127.0.0.1
> BASE dc=phoenixinteriorsltd,dc=com
> -----

this was in place already

> you need to be able to at least perform the search as I showed you.
>
> ldapsearch -x -h localhost \
>   -D 'cn=Manager,dc=phoenixinteriorsltd,dc=com' \
>   -W '(objectclass=*)'
>
> and get results?

having followed your next suggestion this now produces results!

> did you set rootdn password properly?
>
> from command line...
> # slappasswd -s my_password
> {SSHA}e+sgS1WyGdXLEd7K+rVK3H/swmsS81Sg
>
> and copy/paste that into slapd.conf
>
> rootpw {SSHA}e+sgS1WyGdXLEd7K+rVK3H/swmsS81Sg

I had not done this (can't see any mention of slappasswd in 'by
Example'). Having done this, your ldapsearch command now works but
root# getent passwd | grep Administrator still does not.

> OK - either an authentication problem or a lack of data problem...let's
> set up ldap logging.
>
> **** add these two lines to /etc/syslog.conf ****
>
> local4.* /var/log/slapd.log

you say two lines here but I only see one, did it and logging occurs in
slapd.log

> # service syslog restart
>
> **** change loglevel in slapd.conf to 256 ****
> ( I see you've already set it to 256 )
>
> # service ldap restart
>
> Now ldap stuff logs to /var/log/slapd.log
>
> Now you can try to connect and review slapd logs to see what it's doing.

root# ldapsearch -x -h localhost \
  -D 'cn=Manager,dc=phoenixinteriorsltd,dc=com' \
  -W '(objectclass=*)'

logs as:

Nov 18 09:41:09 localhost slapd[12149]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:33899 (IP=0.0.0.0:389)
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" method=128
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" mech=SIMPLE ssf=0
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 RESULT tag=97 err=0 text=
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SRCH base="dc=phoenixinteriorsltd,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SEARCH RESULT tag=101 err=4 nentries=12 text=
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=2 UNBIND
Nov 18 09:41:09 localhost slapd[12149]: conn=1 fd=8 closed

root# getent passwd

logs as:

Nov 18 09:41:52 localhost slapd[12149]: conn=2 fd=8 ACCEPT from IP=127.0.0.1:33902 (IP=0.0.0.0:389)
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" method=128
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" mech=SIMPLE ssf=0
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 RESULT tag=97 err=0 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH base="ou=People,dc=phoenixinteriorsltd,dc=com" scope=1 deref=0 filter="(objectClass=posixAccount)"
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 fd=8 closed

Tony
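The debugging procedure in the thread (turn on loglevel 256, route local4 to slapd.log, then compare the manual ldapsearch against what nss_ldap actually sends) comes down to reading SRCH/SEARCH RESULT pairs and matching them against the nss_base_* settings in /etc/ldap.conf. The following is an added example, not code from the thread or from nss_ldap/OpenLDAP: a small parser for stats-level slapd log lines that pairs each search with its result by (conn, op), checks the base and scope against an nss_ldap `base?scope?filter` value, and explains the outcome. The sample log is constructed to mirror the lines quoted above; the regexes, the `nss_base_to_search` helper and the wording of the diagnoses are this example's own, and the assumption that an omitted nss_ldap scope falls back to the global default of `sub` is stated in the code.

```python
import re

# Constructed sample, modelled on the slapd stats-level (loglevel 256) lines
# quoted in the thread: conn=1 is the manual ldapsearch as cn=Manager,
# conn=2 is the search nss_ldap issues on behalf of `getent passwd`.
SAMPLE_LOG = """\
Nov 18 09:41:09 localhost slapd[12149]: conn=1 fd=8 ACCEPT from IP=127.0.0.1:33899 (IP=0.0.0.0:389)
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" method=128
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" mech=SIMPLE ssf=0
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=0 RESULT tag=97 err=0 text=
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SRCH base="dc=phoenixinteriorsltd,dc=com" scope=2 deref=0 filter="(objectClass=*)"
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=1 SEARCH RESULT tag=101 err=4 nentries=12 text=
Nov 18 09:41:09 localhost slapd[12149]: conn=1 op=2 UNBIND
Nov 18 09:41:09 localhost slapd[12149]: conn=1 fd=8 closed
Nov 18 09:41:52 localhost slapd[12149]: conn=2 fd=8 ACCEPT from IP=127.0.0.1:33902 (IP=0.0.0.0:389)
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" method=128
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 BIND dn="cn=Manager,dc=phoenixinteriorsltd,dc=com" mech=SIMPLE ssf=0
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=0 RESULT tag=97 err=0 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH base="ou=People,dc=phoenixinteriorsltd,dc=com" scope=1 deref=0 filter="(objectClass=posixAccount)"
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SRCH attr=uid userPassword uidNumber gidNumber cn homeDirectory loginShell gecos description objectClass
Nov 18 09:41:52 localhost slapd[12149]: conn=2 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Nov 18 09:41:52 localhost slapd[12149]: conn=2 fd=8 closed
"""

# The nss_base_passwd value from /etc/ldap.conf in the thread.
NSS_BASE_PASSWD = "ou=People,dc=phoenixinteriorsltd,dc=com?one"

CONN_RE = re.compile(r"slapd\[\d+\]: conn=(\d+) (.*)$")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)" mech=(\S+) ssf=(\d+)')
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d+ filter="([^"]*)"')
RESULT_RE = re.compile(r"op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")

SCOPE_NAMES = {0: "base", 1: "one", 2: "sub"}
# LDAP resultCode values (RFC 4511) that a failing nss_ldap lookup commonly shows.
ERR_NAMES = {0: "success", 4: "sizeLimitExceeded", 32: "noSuchObject",
             49: "invalidCredentials", 50: "insufficientAccessRights"}


def parse_searches(log_text):
    """Pair each SRCH line with its SEARCH RESULT by (conn, op) and record the
    identity the connection bound with. Returns completed searches in log order."""
    binds = {}      # conn -> {"dn", "mech", "ssf"} from the second BIND line
    searches = {}   # (conn, op) -> search record
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn, rest = int(m.group(1)), m.group(2)
        b = BIND_RE.match(rest)
        if b:
            binds[conn] = {"dn": b.group(2), "mech": b.group(3), "ssf": int(b.group(4))}
            continue
        s = SRCH_RE.match(rest)
        if s:
            bind = binds.get(conn, {"dn": "", "mech": "anonymous", "ssf": 0})
            searches[(conn, int(s.group(1)))] = {
                "conn": conn, "bind_dn": bind["dn"], "mech": bind["mech"],
                "ssf": bind["ssf"], "base": s.group(2),
                "scope": SCOPE_NAMES[int(s.group(3))], "filter": s.group(4)}
            continue
        r = RESULT_RE.match(rest)
        if r and (conn, int(r.group(1))) in searches:
            searches[(conn, int(r.group(1)))].update(err=int(r.group(2)),
                                                     nentries=int(r.group(3)))
    return [s for s in searches.values() if "err" in s]


def nss_base_to_search(value):
    """Split an nss_ldap nss_base_* value 'base?scope?filter'. An omitted scope
    falls back to ldap.conf's global `scope`; this example assumes its default, sub."""
    parts = value.split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    extra_filter = parts[2] if len(parts) > 2 else ""
    return parts[0], scope, extra_filter


def diagnose(search, nss_base=None):
    """Explain one search result the way you would read it in slapd.log."""
    err, n = search["err"], search["nentries"]
    notes = []
    if nss_base is not None:
        base, scope, _ = nss_base_to_search(nss_base)
        if (search["base"], search["scope"]) != (base, scope):
            notes.append(f"base/scope {search['base']}/{search['scope']} does not match "
                         f"nss_base value {nss_base}")
    if err == 4:
        notes.append(f"sizeLimitExceeded: result cut off after {n} entries by a client "
                     f"or server size limit (e.g. SIZELIMIT in /etc/ldap.conf)")
    elif err != 0:
        notes.append(f"search failed: err={err} ({ERR_NAMES.get(err, 'see RFC 4511')})")
    elif n == 0:
        notes.append(f"search succeeded but matched nothing: no entry under {search['base']} "
                     f"(scope {search['scope']}) satisfies {search['filter']}; this is "
                     f"missing data or a wrong base, not an authentication failure")
    else:
        notes.append(f"{n} entries returned")
    if search["mech"] == "SIMPLE" and search["ssf"] == 0:
        notes.append(f"bound as {search['bind_dn']} with a simple bind at ssf=0, "
                     f"so the bind password crossed the wire in the clear")
    return notes


if __name__ == "__main__":
    for s in parse_searches(SAMPLE_LOG):
        is_nss_lookup = "posixAccount" in s["filter"]
        print(f"conn={s['conn']} base={s['base']} scope={s['scope']} "
              f"filter={s['filter']} err={s['err']} nentries={s['nentries']}")
        for note in diagnose(s, NSS_BASE_PASSWD if is_nss_lookup else None):
            print("  -", note)
```

Run against a real /var/log/slapd.log by replacing SAMPLE_LOG with the file contents; the two things to read off are whether nss_ldap's base and scope match what you configured (a `?one` base only finds direct children of ou=People) and whether err=0 with nentries=0 (no matching data) or a non-zero err (limits, ACLs, bad bind) is what stops `getent`.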