samba - Jun 2006 - NSS/PAM LDAP Config

Ok, I've been literally throwing things in my effort to fix this.
Please help me from damaging something valueable! :)

I've installed Samba 3.0.22 and OpenLDAP etc.

I've used the IDEALX scripts to create the LDAP tree etc.
Everything goes swimmingly until I try to check and see if NSS/PAM is
working right.

I use the following command as shown in SBE to check NSS/PAM working.
getent passwd | grep root
getent group  | grep Domain

These aren't working as they should.

I'm using CentOS 4.3 and I've used authconfig as the IDEALX scripts
say, and thus I have the following system-auth config in /etc/pam.d/

---
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      /lib/security/$ISA/pam_env.so
auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
auth        required      /lib/security/$ISA/pam_deny.so

account     required      /lib/security/$ISA/pam_unix.so broken_shadow
account     sufficient    /lib/security/$ISA/pam_localuser.so
account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
quiet
account     [default=bad success=ok user_unknown=ignore]
/lib/security/$ISA/pam_ldap.so
account     required      /lib/security/$ISA/pam_permit.so

password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok md5
shadow
password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
password    required      /lib/security/$ISA/pam_deny.so

session     required      /lib/security/$ISA/pam_limits.so
session     required      /lib/security/$ISA/pam_unix.so
session     optional      /lib/security/$ISA/pam_ldap.so
---

But that doesn't seem to work.

PAM is a total mystery to me, and I have absolutely no idea how to
really configure it by hand, provided the above isn't correct.

Is there a good how-to on PAM somewhere I can read?
I've done a number of searches, and some of those, as well as the SBE
example show hand-editing the files in pam.d - like login, sshd,
samba, and passwd.

In desperation, I've done that too, and no joy.

Can some kind soul please give me a hand here?

TIA
-Greg

I used the Sernet.de RPM's - they're compiled for RHEL 4, and only
with minor errors they installed fine.

-Greg
> As a side note, I am running centos 4.3 on my boxes, and I think it comes
> with samba 3.0.10.  Where did you get your RPM for 3.0.22, or did you
> compile it from source?
> Sam Adams
> General Dynamics - Network Systems
> Phone: 210.536.5945
> -----Original Message-----
> From: samba-bounces+samuel.adams.ctr=brooks.af.mil@lists.samba.org
> [mailto:samba-bounces+samuel.adams.ctr=brooks.af.mil@lists.samba.org] On
> Behalf Of listserv.traffic@sloop.net
> Sent: Wednesday, June 07, 2006 4:48 PM
> To: samba
> Subject: [Samba] NSS/PAM LDAP Config
> Ok, I've been literally throwing things in my effort to fix this.
> Please help me from damaging something valueable! :)
> I've installed Samba 3.0.22 and OpenLDAP etc.
> I've used the IDEALX scripts to create the LDAP tree etc.
> Everything goes swimmingly until I try to check and see if NSS/PAM is
> working right.
> I use the following command as shown in SBE to check NSS/PAM working.
> getent passwd | grep root
> getent group  | grep Domain
> These aren't working as they should.
> I'm using CentOS 4.3 and I've used authconfig as the IDEALX scripts
> say, and thus I have the following system-auth config in /etc/pam.d/
> ---
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      /lib/security/$ISA/pam_env.so
> auth        sufficient    /lib/security/$ISA/pam_unix.so likeauth nullok
> auth        sufficient    /lib/security/$ISA/pam_ldap.so use_first_pass
> auth        required      /lib/security/$ISA/pam_deny.so
> account     required      /lib/security/$ISA/pam_unix.so broken_shadow
> account     sufficient    /lib/security/$ISA/pam_localuser.so
> account     sufficient    /lib/security/$ISA/pam_succeed_if.so uid < 100
> quiet
> account     [default=bad success=ok user_unknown=ignore]
> /lib/security/$ISA/pam_ldap.so
> account     required      /lib/security/$ISA/pam_permit.so
> password    requisite     /lib/security/$ISA/pam_cracklib.so retry=3
> password    sufficient    /lib/security/$ISA/pam_unix.so nullok use_authtok
> md5 shadow
> password    sufficient    /lib/security/$ISA/pam_ldap.so use_authtok
> password    required      /lib/security/$ISA/pam_deny.so
> session     required      /lib/security/$ISA/pam_limits.so
> session     required      /lib/security/$ISA/pam_unix.so
> session     optional      /lib/security/$ISA/pam_ldap.so
> ---
> But that doesn't seem to work.
> PAM is a total mystery to me, and I have absolutely no idea how to
> really configure it by hand, provided the above isn't correct.
> Is there a good how-to on PAM somewhere I can read?
> I've done a number of searches, and some of those, as well as the SBE
> example show hand-editing the files in pam.d - like login, sshd,
> samba, and passwd.
> In desperation, I've done that too, and no joy.
> Can some kind soul please give me a hand here?
> TIA
> -Greg




-- 
Best regards,
 listserv                            mailto:listserv.traffic@sloop.net