Re: User login issue
Hi Mike,
> This very likely means that your Kerberos layer / service stack is broken.
>
> Do you have libpam-krb5 installed on TJENER? (That would be an easy solution).
Nope, it was not installed. Maybe my legacy installation does not need it? I installed it but things did not improve.
> Does the new user object in LDAP have krb* LDAP attributes?
Yep, I found 9 entries:

```
krbPrincipalName: mm@INTERN
krbPwdPolicyReference: cn=users,cn=INTERN,cn=kerberos,dc=skole,dc=skolelinux,dc=no
krbLoginFailedCount: 0
krbTicketFlags: 128
krbPrincipalKey:: AwIBAqMDAgEBpIICPjCCAjowVKAHMAWgAwIBAKFJMEeg[...]
krbPasswordExpiration: 19700101000000Z
krbLastPwdChange: 20240105153122Z
krbExtraData:: AALKIJhlcm9vdC9hZG1pbkBJTlRFUk4A
krbExtraData:: AAgBAA==
```
> If you launch kadmin.local and then enter "list_principals": do any
> Kerberos principals (users and/or hosts and/or services) get shown? Do
> the user accounts that fail login get listed by this?
Yep, they get all nicely listed.
> If the new LDAP users don't get listed, try "add_princ -policy users
> <uid>" and try login from another tty.
>
> If the new LDAP users get listed, try to set their password using "cpw <uid>".
I did this but the user still can't log in.
> Please also let me/us know what versions of Debian Edu you have
> installed (11 or 12)?
This one is my personal Debian Edu workstation and test server. It's rather legacy and still on 10 (buster) with GOsa 2.7.4.
> If 12, have you upgraded to latest package
> versions? There was a bug in Debian Edu 12's debian-edu-config that
> only got resolved recently:
>
> ```
> debian-edu-config (2.12.41~deb12u1) bookworm; urgency=medium
>
> * Upload to bookworm.
>
> -- Mike Gabriel <sunweaver@debian.org> Sun, 03 Dec 2023 08:45:42 +0100
>
> debian-edu-config (2.12.41) unstable; urgency=medium
>
> [ Guido Berhoerster ]
> * gosa-sync: Decode the user password which GOsa substitutes base64 encoded.
> This fixes a bug where the user password could not be set or changed.
> (related to #1052159).
>
> -- Mike Gabriel <sunweaver@debian.org> Fri, 01 Dec 2023 21:44:38 +0100
> ```
>
> This fix in d-e-c goes together with a fix in gosa:
d-e-c?
> ```
> gosa (2.8~git20230203.10abe45+dfsg-1+deb12u2) bookworm; urgency=medium
>
> [ Daniel Teichmann ]
> * debian/patches:
> [...]
> + Add 1044_fix-class-ldap-serialization.patch which fixes a few bugs
> regarding serialization. This especially fixes setting LDAP userPassword
> attribute types via GOsa². (Closes: #1052159).
> + Add 1045_fix-posixaccount-shadowExpire.patch which fixes shadowExpire
> always being set to 0. (User can't login then). (Closes: #1053806).
>
> [ Guido Berhoerster ]
> * debian/patches:
> [...]
>
> [ Mike Gabriel ]
> * debian/patches:
> [...]
>
> -- Mike Gabriel <sunweaver@debian.org> Sun, 03 Dec 2023 08:16:31 +0100
> ```
>
> If you have Debian Edu 12, simply upgrading d-e-c and gosa to the
> referenced versions should help.
>
> Mike
Kind regards,
Roman