SOLVED: I added ldapns.schema to enable host based authentication and the users before the schema upgrade caused this caching to stop. I added a new user after the schema upgrade and all is well.
On Fri, Dec 3, 2010 at 12:58 PM, Anton Chu <[email protected]> wrote:
> Here's the latest as to why I cannot ID my ldap user. I set up hostObject
> attribute in my ldap server to enable host based authentication. I then
> added the following in /etc/ldap.conf
>
> On the client side, simply modify /etc/pam_ldap.conf to include these
> lines:
>
> pam_check_host_attr yes
> pam_filter |(host=client_hostname)(host=*)
>
> I've added the host attribute to all my ldap users to login certain hosts.
> That's when I cannot id my ldap users.
>
> Somehow pam is not allowing caching when this host based authentication is
> turned on.
>
> On Thu, Dec 2, 2010 at 2:26 PM, Anton Chu <[email protected]> wrote:
>
>> NSCD daemon is the culprit. Here's the error when I do id tony:
>>
>> [CODE]
>> nscd -d
>> Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
>> Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETFDPW
>> Thu 02 Dec 2010 02:18:18 PM PST - 14248: provide access to FD 5, for passwd
>> Thu 02 Dec 2010 02:18:18 PM PST - 14248: handle_request: request received (Version = 2) from PID 14257
>> Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETPWBYNAME (tony)
>> Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found "tony" in password cache!
>> Thu 02 Dec 2010 02:18:24 PM PST - 14248: Reloading "nslcd" in password cache!
>> Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"
>> Thu 02 Dec 2010 02:18:50 PM PST - 14248: handle_request: request received (Version = 2) from PID 14258
>> [/CODE]
>>
>> Here's my nscd.conf file:
>>
>> [CODE]
>> cat /etc/nscd.conf | grep -v ^# | grep -v ^$
>> debug-level 0
>> paranoia no
>> enable-cache passwd yes
>> positive-time-to-live passwd 600
>> negative-time-to-live passwd 20
>> suggested-size passwd 211
>> check-files passwd yes
>> persistent passwd yes
>> shared passwd yes
>> max-db-size passwd 33554432
>> auto-propagate passwd yes
>> enable-cache group yes
>> positive-time-to-live group 3600
>> negative-time-to-live group 60
>> suggested-size group 211
>> check-files group yes
>> persistent group yes
>> shared group yes
>> max-db-size group 33554432
>> auto-propagate group yes
>> enable-cache hosts no
>> positive-time-to-live hosts 3600
>> negative-time-to-live hosts 20
>> suggested-size hosts 211
>> check-files hosts yes
>> persistent hosts yes
>> shared hosts yes
>> max-db-size hosts 33554432
>> enable-cache services yes
>> positive-time-to-live services 28800
>> negative-time-to-live services 20
>> suggested-size services 211
>> check-files services yes
>> persistent services yes
>> shared services yes
>> max-db-size services 33554432
>> [/CODE]
>>
>> On Thu, Dec 2, 2010 at 1:15 PM, Anton Chu <[email protected]> wrote:
>>
>>> On another machine, tried this howto after purging the above packages.
>>>
>>> http://www.opinsys.fi/en/setting-up-openldap-on-ubuntu-10-04-alpha2
>>>
>>> sudo apt-get install libnss-ldapd libpam-ldapd
>>>
>>> Still the same outcome. I can ldapsearch, getent, etc. but id cannot show
>>> the ldap users.
>>>
>>> here's my /etc/ldap.conf
>>>
>>> cat /etc/ldap.conf | grep -v ^# | grep -v ^$
>>> base dc=example,dc=com
>>> uri ldap://10.112.18.2
>>> ldap_version 3
>>> bindpw secret
>>> rootbinddn cn=admin,dc=example,dc=com
>>>
>>> bind_policy soft
>>>
>>> pam_check_host_attr yes
>>> pam_password md5
>>> nss_base_passwd ou=People,dc=example,dc=com
>>> nss_base_shadow ou=People,dc=example,dc=com?one
>>> nss_base_group ou=Groups,dc=example,dc=com?one
>>>
>>> On Thu, Dec 2, 2010 at 9:00 AM, Anton Chu <[email protected]> wrote:
>>>
>>>> Ok here's what you suggested:
>>>>
>>>> r...@webtest111:/etc/pam.d# id tony
>>>> id: tony: No such user
>>>> r...@webtest111:/etc/pam.d# getent passwd tony
>>>> r...@webtest111:/etc/pam.d# getent passwd | grep tony
>>>> tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
>>>> r...@webtest111:/etc/pam.d# /etc/init.d/nscd stop
>>>>  * Stopping Name Service Cache Daemon nscd                    [ OK ]
>>>> r...@webtest111:/etc/pam.d# getent passwd | grep tony
>>>> tony:x:1005:10000:Tony Montana:/home/tony:/bin/bash
>>>> r...@webtest111:/etc/pam.d# getent passwd tony
>>>> r...@webtest111:/etc/pam.d#
>>>>
>>>> I'll start a reinstall of the other packages instead of libnss-ldap and
>>>> libpam-ldap.
>>>>
>>>> Thanks for the tips.
>>>>
>>>> Regards
>>>>
>>>> On Wed, Dec 1, 2010 at 11:48 PM, Buchan Milne <[email protected]> wrote:
>>>>
>>>>> On Wednesday, 1 December 2010 22:37:56 Anton Chu wrote:
>>>>> > I've setup an Ubuntu 10.10 LDAP Client to authenticate off my LDAP
>>>>> > server. I've installed the following:
>>>>> >
>>>>> > sudo apt-get install libpam-ldap libnss-ldap nss-updatedb libnss-db
>>>>> > nscd ldap-utils pam_ccreds
>>>>> >
>>>>> > Here's my /etc/nsswitch.conf:
>>>>> >
>>>>> > passwd: files ldap [NOTFOUND=return] db
>>>>> > group: files ldap [NOTFOUND=return] db
>>>>> > shadow: files ldap
>>>>> >
>>>>> > hosts: files dns
>>>>> > networks: files
>>>>> >
>>>>> > protocols: db files
>>>>> > services: db files
>>>>> > ethers: db files
>>>>> > rpc: db files
>>>>> >
>>>>> > I can nss_updatedb ldap successfully:
>>>>> > # nss_updatedb ldap
>>>>> > passwd... done.
>>>>> > group... done.
>>>>> >
>>>>> > I can getent passwd, getent passwd shadow, getent group just fine and
>>>>> > they all show all my ldap users.
>>>>>
>>>>> Please compare these two:
>>>>>
>>>>> $ getent passwd |grep tony
>>>>> $ getent passwd tony
>>>>>
>>>>> If the first succeeds (returns a line looking like /etc/passwd), and the
>>>>> second fails (returns nothing), then you probably have a negative cache
>>>>> from nscd. Stop nscd, and test again.
>>>>>
>>>>> > However, I cannot do an id ldapuser
>>>>> >
>>>>> > ex:
>>>>> > $ id tony
>>>>> > id: tony: No such user
>>>>>
>>>>> [...]
>>>>>
>>>>> > ID works just fine with my local users on my local machine so somehow
>>>>> > it's not able to read the ldap users.
>>>>> >
>>>>> > Any insights appreciated.
>>>>>
>>>>> In some environments, I do use nss_ldap+nss_db/nss_updatedb+nscd, but
>>>>> one of the newer options (e.g. sssd) may be a better option.
>>>>>
>>>>> Regards,
>>>>> Buchan
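Buchan's two getent commands and the nscd -d trace above, turned into a small diagnostic as an added example that is not part of the thread: classify_lookup gives a verdict on the enumeration/keyed-lookup pair, nscd_passwd_misses pulls the cache-miss names out of nscd -d output, and flush_nscd_tables drops the passwd and group tables with nscd -i instead of stopping the daemon. The function and verdict names are this script's own; the sample trace lines are copied from the thread.

```shell
# Added example, not from the thread: Buchan Milne's two-command check,
# enumeration ("getent passwd | grep ^user:") versus keyed lookup
# ("getent passwd user"), with the verdict labels being this script's own.
classify_lookup() {
  enum_out=$1   # the user's line from enumeration, or empty
  key_out=$2    # the user's line from keyed lookup, or empty
  if [ -n "$enum_out" ] && [ -z "$key_out" ]; then
    # Enumeration sees the user, keyed lookup does not: the thread's symptom,
    # consistent with a negative entry in nscd's passwd cache.
    echo negative-cache
  elif [ -n "$enum_out" ] && [ -n "$key_out" ]; then
    echo ok
  elif [ -z "$enum_out" ] && [ -z "$key_out" ]; then
    echo absent
  else
    # Keyed lookup works, enumeration does not: not a cache problem; check
    # the NSS backend's search bases and enumeration settings instead.
    echo no-enumeration
  fi
}

# Run both commands for a real account (needs getent on this host).
check_user() {
  user=$1
  enum_out=$(getent passwd | grep "^$user:" || true)
  key_out=$(getent passwd "$user" || true)
  classify_lookup "$enum_out" "$key_out"
}

# Names that "nscd -d" output reports as password-cache misses, deduplicated.
nscd_passwd_misses() {
  printf '%s\n' "$1" \
    | sed -n 's/.*Haven.t found "\([^"]*\)" in password cache!.*/\1/p' \
    | sort -u
}

# Remedy for a negative-cache verdict: invalidate nscd's passwd and group
# tables (id(1) needs both) instead of waiting out negative-time-to-live.
flush_nscd_tables() {
  nscd -i passwd
  nscd -i group
}

# Constructed sample: lines copied from the nscd -d trace quoted in the thread.
SAMPLE_NSCD_LOG=$(printf '%s\n' \
  'Thu 02 Dec 2010 02:18:18 PM PST - 14248: GETPWBYNAME (tony)' \
  "Thu 02 Dec 2010 02:18:18 PM PST - 14248: Haven't found \"tony\" in password cache!" \
  'Thu 02 Dec 2010 02:18:39 PM PST - 14248: remove GETPWBYNAME entry "tony"')
```

Run check_user tony on the client; a negative-cache verdict that survives flush_nscd_tables (as it survived stopping nscd in the Dec 2 transcript) points past the cache to the LDAP client configuration itself.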
