[389-users] Help Needed ----- Linux LDAP client machine unable to log in to Fedora DS
Hakuna Matata
narender.hooda at gmail.com
Wed Jun 17 18:32:56 UTC 2009
Just one more file's contents --- authconfig:
[root at client ~]# authconfig --test
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://192.168.5.1"
LDAP base DN = "dc=vfds,dc=local"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is md5
pam_krb5 is disabled
krb5 realm = "VFDS.VAD.COM"
krb5 realm via dns is enabled
krb5 kdc = "kerberos.vfds.vad.com:88"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.vfds.vad.com:749"
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://192.168.5.1"
LDAP base DN = "dc=vfds,dc=local"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_smb_auth is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
pam_winbind is disabled
SMB workgroup = "MYGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
------------------------------------
On Wed, Jun 17, 2009 at 11:55 PM, Hakuna Matata <narender.hooda at gmail.com> wrote:
> This is what it is returning....
>
> I guess I have to rebuild the client with CentOS 5.2 (though I have no
> reason, but still).....
>
> and really want to give you a big thank you for helping me...you are kind......
> Will keep you posted with the results....
>
> [root at client ~]# ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local"
> -D "cn=Directory Manager" -W
> Enter LDAP Password:
> # extended LDIF
> #
> # LDAPv3
> # base <dc=vfds,dc=local> with scope subtree
> # filter: (objectclass=*)
> # requesting: ALL
> #
>
> # search result
> search: 2
> result: 32 No such object
>
> # numResponses: 1
> [root at client ~]#
>
>
> On Wed, Jun 17, 2009 at 11:25 PM, Jean-Noel
> Chardron<Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
>> Hakuna Matata wrote:
>>>
>>> Still no luck....
>>> I have added the below entry in my ldap.conf file
>>> base dc=vfds,dc=local
>>>
>>>
>>
>> Hum,
>> does your FDS answer a request from ldapsearch?
>> You can try something like this from the server and from the client:
>> without credentials:
>> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" ''
>> with credentials:
>> ldapsearch -x -h 192.168.5.1 -b "dc=vfds,dc=local" -D "cn=Directory Manager" '' -W
>>>
>>> --H
>>>
>>> On Wed, Jun 17, 2009 at 9:44 PM, Hakuna Matata<narender.hooda at gmail.com>
>>> wrote:
>>>
>>>>>>>>
>>>>>>>> grep base /etc/ldap.conf
>>>>>>>>
>>>>
>>>> ----------------------------------
>>>> #scope base
>>>> # nss_base_XXX base?scope?filter
>>>> # where scope is {base,one,sub}
>>>> # nss_base_passwd ou=People,
>>>> # to append the default base DN but this
>>>> #nss_base_passwd ou=People,dc=example,dc=com?one
>>>> #nss_base_shadow ou=People,dc=example,dc=com?one
>>>> #nss_base_group ou=Group,dc=example,dc=com?one
>>>> #nss_base_hosts ou=Hosts,dc=example,dc=com?one
>>>> #nss_base_services ou=Services,dc=example,dc=com?one
>>>> #nss_base_networks ou=Networks,dc=example,dc=com?one
>>>> #nss_base_protocols ou=Protocols,dc=example,dc=com?one
>>>> #nss_base_rpc ou=Rpc,dc=example,dc=com?one
>>>> #nss_base_ethers ou=Ethers,dc=example,dc=com?one
>>>> #nss_base_netmasks ou=Networks,dc=example,dc=com?one
>>>> #nss_base_bootparams ou=Ethers,dc=example,dc=com?one
>>>> #nss_base_aliases ou=Aliases,dc=example,dc=com?one
>>>> #nss_base_netgroup ou=Netgroup,dc=example,dc=com?one
>>>> #nss_base_passwd ou=aixaccount,?one
>>>> #nss_base_group ou=aixgroup,?one
>>>>
>>>> ---------------------------------------------------------------------------
>>>>
>>>> OK, so I was expecting some base that binds it to FDS.....but did
>>>> not find any such thing here...which gives the impression that
>>>> system-config-authentication is not working properly in CentOS 5.3. My
>>>> assumption may be wrong....
>>>>
>>>> So if I put an entry in this like (base dc=vfds,dc=local)...and then
>>>> boot the client machine... can I expect it to work then.....
>>>>
>>>> Waiting for the advice....in the meantime I am rebooting the machine....
>>>>
>>>> Many thanks in advance...
>>>>
>>>>
>>>> --H
>>>>
>>>> On Wed, Jun 17, 2009 at 6:15 PM, jean-Noël Chardron
>>>> <Jean-Noel.Chardron at dr15.cnrs.fr> wrote:
>>>>
>>>>>
>>>>> Hakuna Matata wrote:
>>>>>
>>>>>>
>>>>>> Jean,
>>>>>> Thanks for the quick reply.
>>>>>>
>>>>>> Client IP address is 192.168.5.4
>>>>>> Yes, these files are from the client only.
>>>>>>
>>>>>>
>>>>>
>>>>> All files seem correct (in system-auth the interesting lines are the ones with
>>>>> pam_ldap.so).
>>>>> So maybe the base to search in the tree is misconfigured in
>>>>> /etc/ldap.conf.
>>>>>
>>>>> You previously showed the /etc/ldap.conf:
>>>>> uri ldap://192.168.5.1
>>>>> ssl no
>>>>> tls_cacertdir /etc/openldap/cacerts
>>>>> pam_password md5
>>>>>
>>>>> Can you show the output of the command:
>>>>> grep base /etc/ldap.conf
>>>>> with only the lines that are uncommented? Normally this will show the
>>>>> distinguished name of the search base,
>>>>> and this must correspond with the tree in your FDS.
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>>
>>>>>> /etc/pam.d/system-auth
>>>>>> ------------------------------------------------
>>>>>> # This file is auto-generated.
>>>>>> # User changes will be destroyed the next time authconfig is run.
>>>>>> auth required pam_env.so
>>>>>> auth sufficient pam_unix.so nullok try_first_pass
>>>>>> auth requisite pam_succeed_if.so uid >= 500 quiet
>>>>>> auth sufficient pam_ldap.so use_first_pass
>>>>>> auth required pam_deny.so
>>>>>>
>>>>>> account required pam_unix.so broken_shadow
>>>>>> account sufficient pam_succeed_if.so uid < 500 quiet
>>>>>> account [default=bad success=ok user_unknown=ignore] pam_ldap.so
>>>>>> account required pam_permit.so
>>>>>>
>>>>>> password requisite pam_cracklib.so try_first_pass retry=3
>>>>>> password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
>>>>>> password sufficient pam_ldap.so use_authtok
>>>>>> password required pam_deny.so
>>>>>>
>>>>>> session optional pam_keyinit.so revoke
>>>>>> session required pam_limits.so
>>>>>> session optional pam_keyinit.so revoke
>>>>>> session required pam_limits.so
>>>>>> session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
>>>>>> session required pam_unix.so
>>>>>> session optional pam_ldap.so
>>>>>> -----------------------------------------------------------------------
>>>>>>
>>>>>> and /etc/pam.d/login
>>>>>>
>>>>>> #%PAM-1.0
>>>>>> auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
>>>>>> auth include system-auth
>>>>>> account required pam_nologin.so
>>>>>> account include system-auth
>>>>>> password include system-auth
>>>>>> # pam_selinux.so close should be the first session rule
>>>>>> session required pam_selinux.so close
>>>>>> session include system-auth
>>>>>> session required pam_loginuid.so
>>>>>> session optional pam_console.so
>>>>>> # pam_selinux.so open should only be followed by sessions to be executed in the user context
>>>>>> session required pam_selinux.so open
>>>>>> session optional pam_keyinit.so force revoke
>>>>>>
>>>>>> ----------------------------------------------------------------------------------
>>>>>>
>>>>>> what is the uid of the user test01 in the FDS
>>>>>>
>>>>>> uid is t01
>>>>>>
>>>>>> and under Posix user
>>>>>>
>>>>>> uid number = 2223 (I manually gave this)
>>>>>> gid number = 2223
>>>>>> home directory = /home/test
>>>>>> login shell = /bin/test
>>>>>>
>>>>>>
>>>>>> and then I create a directory with the name "test" under /home
>>>>>> ...........e.g.
>>>>>> mkdir /home/test
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> Best Regards
>>>>>> --H
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jun 17, 2009 at 4:33 PM, jean-Noël Chardron
>>>>>> <Jean-Noel.Chardron at dr15.cnrs.fr>
>>>>>> wrote:
>>>>>>
>>>>>> hi,
>>>>>>
>>>>>> OK, I suppose the IP address of the server is 192.168.5.1 (right?)
>>>>>> and you have a client (a CentOS 5.3) with an IP address unknown to us.
>>>>>>
>>>>>> I suppose the nsswitch.conf and /etc/ldap.conf below are on the
>>>>>> client, so they are correct.
>>>>>>
>>>>>> Then can you show the files /etc/pam.d/system-auth and
>>>>>> /etc/pam.d/login that are on the client please?
>>>>>>
>>>>>> Then can you tell us what the uid of the user test01 is in the FDS?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hakuna Matata wrote:
>>>>>>
>>>>>>
>>>>>> yes, my nsswitch.conf file is as below.
>>>>>> passwd: files ldap
>>>>>> shadow: files ldap
>>>>>> group: files ldap
>>>>>>
>>>>>> ethers: files
>>>>>> netmasks: files
>>>>>> networks: files
>>>>>> protocols: files
>>>>>> rpc: files
>>>>>> services: files
>>>>>>
>>>>>> netgroup: files ldap
>>>>>>
>>>>>> publickey: nisplus
>>>>>>
>>>>>> automount: files ldap
>>>>>> aliases: files nisplus
>>>>>>
>>>>>>
>>>>>> and /etc/ldap.conf file contains
>>>>>> uri ldap://192.168.5.1
>>>>>>
>>>>>> ssl no
>>>>>> tls_cacertdir /etc/openldap/cacerts
>>>>>> pam_password md5
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ----I am still not able to authenticate.......
>>>>>>
>>>>>>
>>>>>> -best Regards
>>>>>> --H
>>>>>>
>>>>>> On Wed, Jun 17, 2009 at 12:21 PM, Dmitry Amirov
>>>>>> <amirov at infinet.ru> wrote:
>>>>>>
>>>>>> Hello
>>>>>>
>>>>>> Is ldap://ldap.vfds.local correct?
>>>>>> Please try this command:
>>>>>>
>>>>>> ping ldap.vfds.local
>>>>>>
>>>>>> If it pings, then use the getent command to check that
>>>>>> LDAP users are present on your system:
>>>>>> getent passwd
>>>>>>
>>>>>> If it does not ping, then you need to use an FQDN or IP address,
>>>>>> like this:
>>>>>>
>>>>>> ldap://1.2.3.4
>>>>>> ldap://example.com
>>>>>>
>>>>>>
>>>>>>
>>>>>> Hakuna Matata wrote:
>>>>>> > Hi,
>>>>>> >
>>>>>> > I am new to FDS, i have set this up as per the
>>>>>> documentation . It is
>>>>>> > working fine .
>>>>>> > Now want that linux client (CentOS 5.3) to authenticate
>>>>>> with FDS.
>>>>>> >
>>>>>> > hostname of FDS = ldap.fds.local
>>>>>> >
>>>>>> > i create a user test01 and fill the posix information
>>>>>> >
>>>>>> > on client machine i am using system-config-authentiation
>>>>>> > 1. check the LDAP box and filled the details as .
>>>>>> > LDAP search base dn = dc=vfds,
>>>>>> dc=local
>>>>>> > LDAP Server =
>>>>>> ldap://ldap.vfds.local
>>>>>> >
>>>>>> > then i rebooted the machine and trying to login via user
>>>>>> test01. now
>>>>>> > it is showing error as username or password incorrect.
>>>>>> >
>>>>>> >
>>>>>> > i would really appreciate if someone can give me some
>>>>>> pointer or
>>>>>> help
>>>>>> > where i am doing wrong.
>>>>>> >
>>>>>> > Many Thanks in advance
>>>>>> > Best regards
>>>>>> > --H
>>>>>> >
>>>>>> > --
>>>>>> > 389 users mailing list
>>>>>> > 389-users at redhat.com
>>>>>> > https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>> >
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users at redhat.com <mailto:389-users at redhat.com>
>>>>>> <mailto:389-users at redhat.com <mailto:389-users at redhat.com>>
>>>>>>
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users at redhat.com <mailto:389-users at redhat.com>
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users at redhat.com <mailto:389-users at redhat.com>
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>>>
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>>
>>>>>> --
>>>>>> 389 users mailing list
>>>>>> 389-users at redhat.com
>>>>>> https://www.redhat.com/mailman/listinfo/fedora-directory-users
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>> Jean-Noel Chardron
>>>>
>>>>
>>>
>>
>>
>
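The thread ends with ldapsearch returning "result: 32 No such object" for the configured base even when bound as Directory Manager, which means the suffix dc=vfds,dc=local does not exist in that instance at all; the fix is to read the suffixes the server actually advertises (the namingContexts attribute of the root DSE, which 389/Fedora DS serves anonymously) and point the client's base at one of them. The same ldap.conf also carries two settings worth flagging while you are in there: "ssl no" with an ldap:// URI, so every pam_ldap simple bind ships the user's password in cleartext on port 389, and "pam_password md5", which has the client write an MD5-crypt hash into userPassword instead of letting the server apply its storage scheme. The script below is an added example, not code from the thread or from the 389 Directory Server project. It audits an nss_ldap/pam_ldap ldap.conf offline against a root-DSE dump. The "as posted" config is reconstructed from the thread; the root-DSE output, the suffix dc=vfds,dc=vad,dc=com and the hostname ldap.vfds.local in the corrected config are assumptions constructed for illustration.

```python
"""Offline sanity check of an nss_ldap/pam_ldap client configuration.

Added example for this thread, not code from the 389 Directory Server
project.  The sample ldap.conf is reconstructed from the thread; the
root-DSE output and the corrected config are constructed assumptions.
"""

# /etc/ldap.conf as the poster ended up with it (reconstructed from thread).
LDAP_CONF_AS_POSTED = """\
uri ldap://192.168.5.1
ssl no
tls_cacertdir /etc/openldap/cacerts
pam_password md5
base dc=vfds,dc=local
"""

# Constructed stand-in for the output of
#   ldapsearch -x -H ldap://192.168.5.1 -s base -b "" namingContexts
# The suffix below is an assumption chosen to show a mismatch with the
# client's base; read your own server's root DSE instead.
ROOT_DSE_LDIF = """\
dn:
namingContexts: dc=vfds,dc=vad,dc=com
namingContexts: o=netscaperoot
"""

# Corrected client config (assumed values): base under a real suffix,
# StartTLS so simple binds do not cross the wire in cleartext, and the
# password-modify extended operation so the server chooses the hash.
LDAP_CONF_FIXED = """\
uri ldap://ldap.vfds.local
ssl start_tls
tls_cacertdir /etc/openldap/cacerts
tls_checkpeer yes
pam_password exop
base dc=vfds,dc=vad,dc=com
"""


def normalize_dn(dn):
    """Lower-case and strip spaces around RDN separators so that
    'dc=VFDS, dc=local' and 'dc=vfds,dc=local' compare equal."""
    return ",".join(part.strip() for part in dn.strip().lower().split(","))


def parse_ldap_conf(text):
    """Return {option: [values]} for the uncommented lines of ldap.conf."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        value = parts[1].strip() if len(parts) > 1 else ""
        conf.setdefault(parts[0].lower(), []).append(value)
    return conf


def parse_naming_contexts(ldif):
    """Collect the namingContexts values from a root-DSE LDIF dump."""
    return [
        normalize_dn(line.split(":", 1)[1])
        for line in ldif.splitlines()
        if line.lower().startswith("namingcontexts:")
    ]


def served_by(base, contexts):
    """Return the naming context that contains `base`, or None.

    A base outside every context is exactly what gives LDAP result 32
    (noSuchObject) on search, no matter which identity binds."""
    b = normalize_dn(base)
    for ctx in contexts:
        if b == ctx or b.endswith("," + ctx):
            return ctx
    return None


def audit(conf_text, root_dse_ldif):
    """Return a list of findings; an empty list means the config passes."""
    conf = parse_ldap_conf(conf_text)
    contexts = parse_naming_contexts(root_dse_ldif)
    findings = []

    bases = conf.get("base", [])
    if not bases:
        findings.append("no 'base' set: nss_ldap and pam_ldap have no search base")
    for base in bases:
        if served_by(base, contexts) is None:
            findings.append(
                "base %s is not under any advertised namingContexts %s; "
                "searches will return result 32 No such object" % (base, contexts))

    uris = conf.get("uri", [])
    ssl_mode = conf.get("ssl", ["no"])[0].lower()
    if ssl_mode in ("no", "off") and any(u.lower().startswith("ldap://") for u in uris):
        findings.append(
            "ssl %s with %s: pam_ldap simple binds send every login password "
            "in cleartext on port 389" % (ssl_mode, ", ".join(uris)))

    if conf.get("pam_password", [""])[0].lower() == "md5":
        findings.append(
            "pam_password md5: the client writes an MD5-crypt hash into "
            "userPassword; 'pam_password exop' lets the server apply its "
            "configured storage scheme instead")
    return findings


if __name__ == "__main__":
    for label, conf in (("as posted", LDAP_CONF_AS_POSTED), ("fixed", LDAP_CONF_FIXED)):
        print(label + ":")
        for finding in audit(conf, ROOT_DSE_LDIF) or ["ok"]:
            print("  - " + finding)
```

On a real client, replace ROOT_DSE_LDIF with the output of the ldapsearch shown in the comment and feed it the live /etc/ldap.conf; if the base check passes but getent passwd still shows no LDAP users, the remaining suspects are the nss_base_passwd/nss_base_group overrides and the user's posixAccount attributes, not the suffix.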