Hi Roman,

On Sat 06 Jan 2024 12:16:31 CET, roman.meier wrote:

> I can create a new user but the behavior is the same: I cannot login on the server. Login into GOsa2 works fine.

This very likely means that your Kerberos layer / service stack is broken. Do you have libpam-krb5 installed on TJENER? (That would be an easy solution). Does the new user object in LDAP have krb* LDAP attributes?

If you launch kadmin.local and then enter "list_principals": do any Kerberos principals (users and/or hosts and/or services) get shown? Do the user accounts that fail login get listed by this?

If the new LDAP users don't get listed, try "add_princ -policy users <uid>" and try login from another tty.

If the new LDAP users get listed, try to set their password using "cpw <uid>".

Please also let me/us know what versions of Debian Edu you have installed (11 or 12)? If 12, have you upgraded to the latest package versions? There was a bug in Debian Edu 12's debian-edu-config that only got resolved recently:

```
debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium

  * Upload to bookworm.

 -- Mike Gabriel <sunweaver@debian.org>  Sun, 03 Dec 2023 08:45:42 +0100

debian-edu-config (2.12.41) unstable; urgency=medium

  [ Guido Berhoerster ]
  * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
    This fixes a bug where the user password could not be set or changed.
    (related to #1052159).

 -- Mike Gabriel <sunweaver@debian.org>  Fri, 01 Dec 2023 21:44:38 +0100
```

This fix in d-e-c goes together with a fix in gosa:

```
gosa (2.8~git20230203.10abe45+dfsg-1+deb12u2) bookworm; urgency=medium

  [ Daniel Teichmann ]
  * debian/patches: [...]
    + Add 1044_fix-class-ldap-serialization.patch which fixes a few bugs
      regarding serialization. This especially fixes setting LDAP
      userPassword attribute types via GOsa². (Closes: #1052159).
    + Add 1045_fix-posixaccount-shadowExpire.patch which fixes shadowExpire
      always being set to 0. (User can't login then). (Closes: #1053806).

  [ Guido Berhoerster ]
  * debian/patches: [...]

  [ Mike Gabriel ]
  * debian/patches: [...]

 -- Mike Gabriel <sunweaver@debian.org>  Sun, 03 Dec 2023 08:16:31 +0100
```

If you run Debian Edu 12, simply upgrading d-e-c and gosa to the referenced versions should help.

Mike

--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940

GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de
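
The checks from the message above as a small shell helper. This is an added example, not part of the original mail or of Debian Edu; the function names, the sample principal list and the realm INTERN are assumptions.

```shell
#!/bin/sh
# Added example: triage helper for the Kerberos and package checks in the mail.
# Assumptions (not from the mail): the function names, the sample data below
# and the realm name INTERN.

# Constructed sample of `kadmin.local -q list_principals` output, including
# the banner line kadmin.local prints before the principal list.
SAMPLE_PRINCIPALS='Authenticating as principal root/admin@INTERN with password.
K/M@INTERN
host/tjener.intern@INTERN
joanna@INTERN
ann/admin@INTERN
kadmin/admin@INTERN'

# next_step UID REALM
# Reads list_principals output on stdin and prints the kadmin.local command
# the mail suggests for that account: cpw if the principal already exists,
# add_princ if it is missing.
# The match is on the whole line and on a fixed string, so uid "ann" matches
# neither "joanna@INTERN" nor "ann/admin@INTERN".
next_step() {
    uid=$1
    realm=$2
    if grep -q -x -F -- "${uid}@${realm}"; then
        printf 'cpw %s\n' "$uid"
    else
        printf 'add_princ -policy users %s\n' "$uid"
    fi
}

# has_fix INSTALLED FIXED
# Succeeds if INSTALLED is at least FIXED under Debian version ordering
# (the "~deb12u1" suffix makes a plain string comparison unreliable).
# Needs dpkg, so run it on the Debian Edu server itself.
has_fix() {
    dpkg --compare-versions "$1" ge "$2"
}

# Live use on the server (as root), with the fixed versions quoted in the mail:
#   kadmin.local -q list_principals | next_step <uid> <REALM>
#   has_fix "$(dpkg-query -W -f='${Version}' debian-edu-config)" '2.12.41~deb12u1'
#   has_fix "$(dpkg-query -W -f='${Version}' gosa)" \
#           '2.8~git20230203.10abe45+dfsg-1+deb12u2'
```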