Bug#268036: kdm requires /etc/passwd entry when using pam_ldap
Package: kdm
Version: 3.2.2-1
My OpenLDAP server works fine with ssh etc. as well, but KDM seems to have
problems.
When kdm is configured to use pam_ldap, it still requires the username to be
in /etc/passwd.
Example:
Logging in through KDM with username mike
The logs show
Oct 7 12:34:38 server kdm: 10.10.10.102:1[32188]: getpwnam(mike) failed.
Nothing else in the logs indicate a problem.
And KDM says "Fatal error has occurred." and tells me to contact my system
administrator.
simply adding mike:x:<uid>:<gid>:<homedir>:<shell>
to the /etc/passwd file (not to groups/shadow etc) will work fine. KDM
authenticates the password against the LDAP server and lets me in.
/etc/pam.d/kdm
#
# /etc/pam.d/kdm - specify the PAM behaviour of kdm
#
# The standard Unix authentication modules, used with
# NIS (man nsswitch) as well as normal /etc/passwd and
# /etc/shadow entries.
@include common-auth
@include common-account
@include common-password
@include common-session
auth required pam_nologin.so
auth required pam_env.so
session required pam_limits.so
/etc/pam.d/common-auth
auth sufficient pam_ldap.so debug
auth required pam_unix.so use_first_pass
#auth required pam_unix.so nullok_secure
/etc/pam.d/common-account
account sufficient pam_ldap.so debug
#account required pam_unix.so
/etc/pam.d/common-session
session sufficient pam_ldap.so debug
session required pam_unix.so use_first_pass
#session required pam_unix.so
/etc/pam.d/common-password
password sufficient pam_ldap.so debug
password required pam_unix.so try_first_pass nullok obscure min=8 md5
/etc/nssswitch.conf
passwd: files ldap
group: files ldap
shadow: files ldap
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
Since files is first for passwd, i'm assuming kdm is calling getpwnam and
returning failure before checking with the ldap server.
Again, all other ldap functionality works -- even with no username in
the /etc/passwd file.
Thanks,
- Mike
Reply to: