OpenLDAP users created with smbldap-useradd Not Able to auth
Cheikh
Member


Joined: 11 Jun 2011
Posts: 25

Posted: Mon Oct 29, 2012 2:09 am    Post subject: OpenLDAP users created with smbldap-useradd Not Able to auth

I have been testing samba, smbldap-tools, OpenLDAP, and nss-pam-ldapd on SMS-2.0 x86. Everything seems to be in place, but user authentication is not working and I don't know what I need to change to get authentication working correctly. smbldap-useradd is able to add users correctly to the LDAP server, but said users are not able to authenticate locally or through ssh. For example, when I create a test LDAP user with:
:~# smbldap-useradd -m ldapuser
its home directory is created under /home/ldapuser, and the following command returns the correct output:
:~# getent passwd ldapuser
ldapuser:*:1551:100:System User:/home/ldapuser:/bin/bash

When I do su - ldapuser:
:~$ su - ldapuser
Password:
su: Authentication failure

I have changed my /etc/nsswitch.conf to look up in the LDAP database. I suspect it may have to do with the password mechanism passed between the client and the server, but I don't know what to change to have them talk successfully. Some Google searching shows I need to put in slapd.conf:
password-hash {CRYPT}
password-crypt-salt-format "%.2s"

I have made similar changes to smbldap.conf with no success,
and changed /etc/login.defs
ENCRYPT_METHOD to SHA512 instead of the default SHA256.

Please assist; if you need more details I will provide them.
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Mon Oct 29, 2012 11:19 am

I didn't quite understand what you want to do, but samba and smbldap-tools are for creating virtual users for accessing samba, so the "su" command ain't going to work with those users.
Also, to be able to "su" the user needs a password, so doing "passwd ldapuser" might help.

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
Cheikh
Member


Joined: 11 Jun 2011
Posts: 25

Posted: Mon Oct 29, 2012 7:25 pm

What I am trying to do is create a system user account in LDAP using smbldap-useradd and smbldap-passwd. Please note the virtual test account I created is working as expected with samba; there is no issue there, but trying to use the same user to log in locally isn't working. If this is not supposed to happen this way, the attached guide I am using is wrong on page 19. Also, I notice the rc.nss-pam-ldapd service does not start on boot.

Thanks



Attachment: smbldap-howto.pdf (480.6 KB)
Description: Howto guide I am using for this setup. Please check page 19; all steps previous to that have worked.

gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Tue Oct 30, 2012 3:42 pm

If it's written it should work, or at least worked in the past. I tried a similar test configuration based on the default SMS setup, and got an authentication failure from one user to another.
I also tried lowering the encryption to {CRYPT} in both openldap and shadow, but it didn't work.

SASL is working though, so I haven't tried to use SASL to authenticate for a unix login...

I upgraded the samba, smbldap-tools and nss-pam-ldap packages and fixed the nss-pam-ldap script, and will upload them later today.

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
gerasimos_h
Site Admin


Joined: 09 Aug 2007
Posts: 1757
Location: Greece

Posted: Wed Oct 31, 2012 4:31 pm

OK! I spent a little time and managed to see what the problem is.
For this to work you need to switch to PAM authentication by installing (upgradepkg) util-linux in /extra/pam/.
You also need to edit /etc/pam.conf or add /etc/pam.d/(service) for each service (sshd, su, login, etc.).
A working config should look like this:
Code:
auth     required        pam_securetty.so
auth     required        pam_nologin.so
auth     sufficient      pam_ldap.so
auth     required        pam_unix.so try_first_pass

account  sufficient      pam_ldap.so
account  required        pam_unix.so

password required        pam_ldap.so

session  sufficient      pam_ldap.so
session  required        pam_unix.so


If you are going to add this config for sshd, you need to remove
auth required pam_securetty.so
or add "ssh" in /etc/securetty for the root user.

Also, for ssh to work you need a build of openssh with PAM support, and to enable it in /etc/ssh/sshd_config by uncommenting
UsePam yes

I'll add openssh with pam support in /extra/pam too.

gerasimos_h

_________________
Superb! Mini Server Project Manager
http://sms.it-ccs.com
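
How the auth stack in the post above resolves for different logins, as an added example that is not part of the original thread and not SMS project code. It is a simplified model of Linux-PAM's four basic control keywords (no bracket syntax or includes); the module outcomes are constructed inputs, and the failing pam_securetty case stands for a root login over ssh when "ssh" is not listed in /etc/securetty.

```python
# Added example: simplified model of Linux-PAM's basic control flags.
# It does not call PAM; module outcomes are supplied by the caller.

# The auth stack from the post above (pam.d format: type, control, module).
AUTH_STACK = """\
auth     required        pam_securetty.so
auth     required        pam_nologin.so
auth     sufficient      pam_ldap.so
auth     required        pam_unix.so try_first_pass
"""

def parse(text, mgmt="auth"):
    """Return [(control, module)] for one management group."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 3 and fields[0] == mgmt:
            rules.append((fields[1], fields[2]))
    return rules

def evaluate(rules, outcome):
    """outcome maps module -> True (success) or False (failure).
    Returns (granted, modules_called)."""
    failed = granted = False
    called = []
    for control, module in rules:
        ok = outcome[module]
        called.append(module)
        if control == "sufficient":
            # Success ends the stack only if nothing required failed before;
            # failure of a sufficient module is ignored.
            if ok and not failed:
                return True, called
        elif control in ("required", "requisite"):
            granted = granted or ok
            failed = failed or not ok
            if control == "requisite" and not ok:
                return False, called
        elif control == "optional":
            granted = granted or ok
        else:
            raise ValueError("unsupported control: " + control)
    return granted and not failed, called

def scenario(stack, **outcome):
    """Constructed outcomes, keyed by module name without the pam_ prefix."""
    results = {"pam_%s.so" % k: v for k, v in outcome.items()}
    return evaluate(parse(stack), results)

SSHD_STACK = AUTH_STACK.split("\n", 1)[1]  # same stack without pam_securetty.so
```

For an LDAP-only account, `scenario(AUTH_STACK, securetty=True, nologin=True, ldap=True, unix=False)` grants access at pam_ldap.so and never reaches pam_unix.so; with `securetty=False` the earlier required failure keeps any later success from granting access.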
All times are GMT + 2 Hours