Bug#1041613: LDAP user authentication of students/teachers does not work
Package: debian-edu-config
Version: 2.12.32
Currently authentication of student/teacher users on a workstation does
not work.
Steps to reproduce:
- currently it is not possible to create a student/teacher via gosa due to bugs
#1039698 and #1039699, thus the following example student needs to be
imported into LDAP:
dn: uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no
sn: Mustermann
givenName: Max
uid: mamus
cn: Max Mustermann
homeDirectory: /skole/tjener/home0/mamus
loginShell: /bin/bash
uidNumber: 1003
gidNumber: 1003
gecos: Max Mustermann
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: gosaAccount
objectClass: posixAccount
objectClass: shadowAccount
objectClass: krbPrincipalAux
objectClass: krbTicketPolicyAux
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPasswordExpiration: 19700101000000Z

dn: cn=mamus,ou=group,ou=Students,dc=skole,dc=skolelinux,dc=no
cn: mamus
description: Gruppe des Benutzers Max Mustermann
gidNumber: 1003
objectClass: top
objectClass: posixGroup
- then the gosa postcreate hook needs to be invoked manually:
sudo /usr/share/debian-edu-config/tools/gosa-create mamus
- afterwards the password needs to be set inside gosa
- finally try to log in as user "mamus" from a workstation
The following is logged on tjener:
2023-07-21T13:27:34.471977+02:00 tjener sshd[39837]: Connection closed by 127.0.0.1 port 34704 [preauth]
2023-07-21T13:27:46.857328+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:46.861321+02:00 tjener krb5kdc[1457]: AS_REQ (8 etypes {aes256-cts-hmac-sha1-96(18), aes128-cts-hmac-sha1-96(17), aes256-cts-hmac-sha384-192(20), aes128-cts-hmac-sha256-128(19), DEPRECATED:des3-cbc-sha1(16), DEPRECATED:arcfour-hmac(23), camellia128-cts-cmac(25), camellia256-cts-cmac(26)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
2023-07-21T13:27:46+02:00 am-00163e227b5e lightdm: pam_ldap(lightdm:auth): Authentication failure; user=mamus
The following is logged on the workstation:
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [b141f2] <passwd="pam_unix_non_existent:"> request denied by validnames option
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [e2a9e3] <authc="mamus"> uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no: Invalid credentials
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_ldap(lightdm:auth): Authentication failure; user=mamus
--
Guido Berhoerster
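
Added example, not part of the original report: a small Python triage script that groups the failure lines quoted above by user and by authentication stage (KDC, PAM modules, nslcd LDAP bind), so the order in which the stack rejected the login is visible at a glance. The sample input is constructed from the log lines in this report with the etype list shortened; the names `triage`, `KDC`, `PAM` and `NSLCD` are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines taken from the report above, etype list shortened.
SAMPLE = """\
2023-07-21T13:27:46.857328+02:00 tjener krb5kdc[1457]: AS_REQ (2 etypes {aes256-cts-hmac-sha1-96(18), DEPRECATED:arcfour-hmac(23)}) 10.0.16.22: CLIENT_NOT_FOUND: mamus@INTERN für krbtgt/INTERN@INTERN, Client nicht in der Kerberos-Datenbank gefunden
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_krb5(lightdm:auth): authentication failure; logname=mamus uid=0 euid=0 tty=:0 ruser= rhost=
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [b141f2] <passwd="pam_unix_non_existent:"> request denied by validnames option
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_unix(lightdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost= user=mamus
Jul 21 13:27:46 am-00163e227b5e.intern nslcd[1007]: [e2a9e3] <authc="mamus"> uid=mamus,ou=people,ou=Students,dc=skole,dc=skolelinux,dc=no: Invalid credentials
Jul 21 13:27:46 am-00163e227b5e.intern lightdm[1990]: pam_ldap(lightdm:auth): Authentication failure; user=mamus
"""

# Failed AS_REQ as logged by krb5kdc: "<client ip>: <ERROR_CODE>: <user>@<REALM> ..."
KDC = re.compile(r'krb5kdc\[\d+\]: AS_REQ \(\d+ etypes \{[^}]*\}\) '
                 r'(?P<ip>\S+): (?P<code>[A-Z_]+): (?P<user>[^@\s]+)@(?P<realm>\S+)')
# PAM auth-stack failure; the module name tells which stage rejected the login.
PAM = re.compile(r'(?P<mod>pam_\w+)\([^)]*:auth\): authentication failure;(?P<rest>.*)', re.I)
# nslcd performing the LDAP bind on behalf of pam_ldap.
NSLCD = re.compile(r'nslcd\[\d+\]: \[\w+\] <authc="(?P<user>[^"]+)"> (?P<dn>\S+): (?P<msg>.+)')

def triage(text):
    """Return {user: [(stage, detail), ...]} in the order the lines appear."""
    out = defaultdict(list)
    for line in text.splitlines():
        if m := KDC.search(line):
            out[m['user']].append(('kdc', f"{m['code']} realm={m['realm']} from={m['ip']}"))
        elif m := NSLCD.search(line):
            out[m['user']].append(('ldap-bind', f"{m['msg']} dn={m['dn']}"))
        elif m := PAM.search(line):
            # Heuristic: pam_unix/pam_ldap log user=, pam_krb5 only logname=.
            who = (re.search(r'\buser=(\S+)', m['rest'])
                   or re.search(r'\blogname=(\S+)', m['rest']))
            if who:
                out[who[1]].append((m['mod'], 'authentication failure'))
    return dict(out)

if __name__ == '__main__':
    for user, events in triage(SAMPLE).items():
        print(user)
        for stage, detail in events:
            print(f'  {stage:10} {detail}')
```
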