
LDAP, Kerberos trouble



Hello,

I'm setting up a central user directory with LDAP; passwords are in a Kerberos database. It looks like everything works. However, it just doesn't work. If I remove LDAP and just get passwords from Kerberos I can log in just fine. Things go weird (in my opinion; no doubt I'm doing something wrong, but useful error messages seem to be missing) as I blend in LDAP. Here's my nsswitch.conf:

# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

passwd:         files ldap
group:          ldap files
shadow:         files

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

With this, getent passwd <username> and id <username> give me exactly the information I'd expect and want. This tells me NSS is set up OK (right?).

Now to PAM (I expect the problem to be here), here are the contents of my files:

--- common-auth
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
#
auth    sufficient      /lib/security/pam_krb5.so
auth    sufficient      /lib/security/pam_unix.so try_first_pass
#auth   optional        /lib/security/pam_ldap.so


--- common-password
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix

# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# (Add `md5' after the module name to enable MD5 passwords)
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs. Also the "min" and "max" options enforce the length of the
# new password.

password    sufficient      /lib/security/pam_krb5.so use_authtok
password    sufficient      /lib/security/pam_unix.so nullok obscure min=4 max=8 md5

--- common-account
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system.  The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account     required    /lib/security/pam_access.so
account sufficient      /lib/security/pam_ldap.so
account sufficient      /lib/security/pam_unix.so

--- common-session
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive).  The default is pam_unix.
#
session     sufficient      /lib/security/pam_krb5.so
session     sufficient      /lib/security/pam_ldap.so
session     sufficient      /lib/security/pam_unix.so

And to conclude, the problem:

(from an open root account):

LDAP has my shell set to tcsh

# ssh -l ron localhost
ron@localhost's password:
Broken pipe
myhost:~>

Changed my shell to sh:

# ssh -l ron localhost
ron@localhost's password:
-sh: [: : integer expression expected
ron@myhost:~$ ls
ron@myhost:~$ doanything
ron@myhost:~$
But if I try to execute a command:

# ssh -l ron localhost touch testfile

testfile is created!

Any help would be very much appreciated!

Thanks,
Ron

PS. Could you please CC any replies?
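What the control flags in the four files above actually do is easy to get wrong, so here is a small model of the Linux-PAM dispatcher, added to this page and not part of Ron's message. It encodes only the keyword-to-action table from pam.conf(5) (required, requisite, sufficient, optional; the bracketed [value=action] syntax is not covered) and runs the auth, account and session stacks exactly as posted (copied into the script with the comment lines dropped) against assumed per-module outcomes. It does not diagnose the "Broken pipe" or `[: : integer expression expected` errors; it only makes visible which modules in each stack are ever called and what the stack returns.

```python
"""Model of Linux-PAM control-flag evaluation (added example, not from the post).

The four keywords are modelled through the [value=action] equivalents that
pam.conf(5) documents for them:
    required    success=ok    default=bad
    requisite   success=ok    default=die
    sufficient  success=done  default=ignore
    optional    success=ok    default=ignore
"""

# Stacks copied from the post; comments and the '--- name' markers dropped.
COMMON_AUTH = """
auth    sufficient      /lib/security/pam_krb5.so
auth    sufficient      /lib/security/pam_unix.so try_first_pass
"""

COMMON_ACCOUNT = """
account     required    /lib/security/pam_access.so
account sufficient      /lib/security/pam_ldap.so
account sufficient      /lib/security/pam_unix.so
"""

COMMON_SESSION = """
session sufficient              /lib/security/pam_krb5.so
session sufficient      /lib/security/pam_ldap.so
session sufficient      /lib/security/pam_unix.so
"""

# keyword -> {module succeeded: action, module failed: action}
_ACTIONS = {
    "required":   {True: "ok",   False: "bad"},
    "requisite":  {True: "ok",   False: "die"},
    "sufficient": {True: "done", False: "ignore"},
    "optional":   {True: "ok",   False: "ignore"},
}


def parse_stack(text):
    """Return [(control, module_basename, args)] for one pam.d file body."""
    stack = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed PAM line: %r" % line)
        _type, control, module = fields[:3]
        stack.append((control, module.rsplit("/", 1)[-1], fields[3:]))
    return stack


def run_stack(stack, outcomes):
    """Walk a stack the way libpam's dispatcher does.

    outcomes maps module basename -> True (PAM_SUCCESS) / False (any error).
    Returns (final_result, list of modules that were actually called).
    """
    called = []
    impression = None        # None: undecided, True: positive, False: negative
    for control, module, _args in stack:
        called.append(module)
        ok = outcomes.get(module, False)       # assumed outcome for this run
        action = _ACTIONS[control][ok]
        if action in ("ok", "done"):
            if impression is None:
                impression = True              # first decisive result wins
            if action == "done" and impression is True:
                return True, called            # sufficient: stop right here
        elif action == "bad":
            impression = False                 # remembered; stack continues
        elif action == "die":
            return False, called               # requisite: stop immediately
        # "ignore": this module's result does not count at all
    return impression is True, called


def relabel(stack, control):
    """Same modules with every control flag replaced, for what-if comparisons."""
    return [(control, module, args) for _c, module, args in stack]


if __name__ == "__main__":
    everything_ok = {"pam_krb5.so": True, "pam_ldap.so": True,
                     "pam_unix.so": True, "pam_access.so": True}
    for name, body in (("auth", COMMON_AUTH), ("account", COMMON_ACCOUNT),
                       ("session", COMMON_SESSION)):
        result, called = run_stack(parse_stack(body), everything_ok)
        print("%-8s result=%-5s called=%s" % (name, result, called))
    # Kerberos rejects the password, local shadow accepts it:
    print("auth (krb5 fails, unix ok):",
          run_stack(parse_stack(COMMON_AUTH),
                    {"pam_krb5.so": False, "pam_unix.so": True}))
    # Same session modules, but marked optional so none of them is skipped:
    print("session relabelled optional:",
          run_stack(relabel(parse_stack(COMMON_SESSION), "optional"), everything_ok))
```

Run it and the session line shows the point worth knowing when reading the posted files: with `sufficient` on every session entry, a successful pam_krb5 session ends the stack before pam_ldap and pam_unix are called at all, whereas the same three modules relabelled `optional` (or the usual layout of pam_unix `required` with the others `optional`) are all run. The model deliberately stops at the control-flag semantics; it cannot tell whether any of that matters for the shell errors in the transcript.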
