
Bug#268036: kdm requires /etc/passwd entry when using pam_ldap



Package: kdm
Version: 3.2.2-1

My OpenLDAP server works fine with ssh etc. as well, but KDM seems to have 
problems.

When kdm is configured to use pam_ldap, it still requires the username to be 
in /etc/passwd.

Example:

Logging in through KDM with username mike

The logs show
Oct  7 12:34:38 server kdm: 10.10.10.102:1[32188]: getpwnam(mike) failed.

Nothing else in the logs indicates a problem.

And KDM says "Fatal error has occurred." and tells me to contact my system 
administrator.

Simply adding mike:x:<uid>:<gid>:<homedir>:<shell>

to the /etc/passwd file (not to groups/shadow etc) will work fine. KDM 
authenticates the password against the LDAP server and lets me in.

/etc/pam.d/kdm

#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#

# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-password
@include common-session

auth       required     pam_nologin.so
auth       required     pam_env.so
session    required     pam_limits.so


/etc/pam.d/common-auth
auth   sufficient      pam_ldap.so debug
auth   required        pam_unix.so use_first_pass
#auth    required        pam_unix.so nullok_secure

/etc/pam.d/common-account
account sufficient     pam_ldap.so debug
#account required        pam_unix.so

/etc/pam.d/common-session
session sufficient     pam_ldap.so debug
session required        pam_unix.so use_first_pass
#session required        pam_unix.so

/etc/pam.d/common-password
password   sufficient  pam_ldap.so debug
password   required   pam_unix.so try_first_pass nullok obscure min=8 md5

/etc/nsswitch.conf

passwd:         files ldap
group:          files ldap
shadow:         files ldap

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Since files is first for passwd, I'm assuming kdm is calling getpwnam and 
returning failure before checking with the ldap server.

Again, all other ldap functionality works -- even with no username in 
the /etc/passwd file.

Thanks,

- Mike
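
The kdm log line in the report only says that getpwnam(mike) failed. The following diagnostic is an added example, not part of the original report and not kdm code: it performs the same libc account lookup with getpwnam_r and separates "no entry in any NSS source" from a lookup error. The default name mike is taken from the report; the function and enum names are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
enum lookup { LOOKUP_FOUND, LOOKUP_NOT_FOUND, LOOKUP_ERROR };

/* Map getpwnam_r()'s return code and result pointer to an outcome.
 * rc == 0 with a NULL result means "no such entry"; getpwnam(3) notes that
 * ENOENT, ESRCH, EBADF or EPERM may also be returned for a missing entry. */
enum lookup classify(int rc, int have_result)
{
    if (rc == 0)
        return have_result ? LOOKUP_FOUND : LOOKUP_NOT_FOUND;
    if (rc == ENOENT || rc == ESRCH || rc == EBADF || rc == EPERM)
        return LOOKUP_NOT_FOUND;
    return LOOKUP_ERROR;            /* e.g. EIO, EMFILE, ENOMEM, ERANGE */
}

/* Resolve a login name through NSS, the way any libc caller does.
 * On LOOKUP_FOUND, *out is filled in and its strings point into buf. */
enum lookup lookup_account(const char *name, struct passwd *out,
                           char *buf, size_t buflen, int *err)
{
    struct passwd *res = NULL;
    int rc = getpwnam_r(name, out, buf, buflen, &res);
    *err = rc;
    return classify(rc, res != NULL);
}

int main(int argc, char **argv)
{
    const char *name = argc > 1 ? argv[1] : "mike";  /* name from the report */
    struct passwd pw;
    char buf[16384];
    int err = 0;
    switch (lookup_account(name, &pw, buf, sizeof buf, &err)) {
    case LOOKUP_FOUND:
        printf("%s: uid=%lu gid=%lu home=%s shell=%s\n", name,
               (unsigned long)pw.pw_uid, (unsigned long)pw.pw_gid,
               pw.pw_dir, pw.pw_shell);
        return 0;
    case LOOKUP_NOT_FOUND:
        printf("%s: no passwd entry from any NSS source (rc=%d)\n", name, err);
        return 1;
    default:
        printf("%s: NSS lookup error: %s\n", name, strerror(err));
        return 2;
    }
}
```

Run on the host where kdm runs, it shows whether the account resolves through the passwd line of nsswitch.conf for an ordinary process, and with what pw_uid, pw_dir and pw_shell.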