Re: [SLE] Ldap authentication

16 Jan 2006

      Mark A. Taff wrote:
...
On Thursday 12 January 2006 18:50, Philip Washington wrote:
...
Has anybody solved the mystery of how to get LDAP authentication to work
with Suse 10.  We currently are using a samba PDC -with ldap back-end,
but we have not been able to get it to authenticate linux systems.  We
have been able to get it to work with Windows systems though.  I have
been googling and searching through this newsgroup and I've a number of
people with the same problem, but nobody with a solution.
Nope.  I gave up after a couple weeks trying.  I'll try again in a year or 
two. :-(
Mark
Following is the thread I started in linux.samba
John H Terpstra wrote:
...
On Sunday 15 January 2006 09:52, Philip Washington wrote:
...
I have set up a Samba PDC and am trying to get my linux computers to use
the PDC for authentication.  So far using Suse 10 or RHEL4 I have not
been able to accomplish this.  I have been searching for 2 days looking
for the information or the right combination of informationn and have
not come up with a solution.   Does anyone here know of a howto which
shows a setup for a linux desktop which can use a Samba PDC  so that
users in a Domain can use their same logins to login to a linux desktop.
Have you checked chapter 7, section 7.3.5.1? If you have, what 
problems are you experiencing? I'd really like to make sure that our 
documentation is correct, so your help would be appreciated.
http://www.samba.org/samba/docs/Samba3-ByExample.pdf
- John T.
Duh.  I bought the book but I didn't remember that part.    I went to 
the samba displayed in html form and checked the link and could have 
sworn it took me to the ADS portion.    Well nevermind this part, I just 
didn't pick up the book and look through it.

Okay what I accomplished today is getting the logins working via console 
and gdm xdm.

Things I found that may need correcting
The html page when clicking on the link points you to a file that 
references ldap.
passwd:   files ldap
shadow:   files ldap
group: files ldap

I may be mistaken but I believe that for winbind configuration you need 
winbind instead of ldap here.  I started with a straight Suse 10 setup 
with the files needed (I believe).  I used Yast2 for my initial 
configuration and that didn't work.  So I borrowed from your book and 
made some adjustments to the original files based on that.  I still have 
some problems but a domain user can now logon.
Problems I still have that I know of:
1) Users when logging in.  System does not create a home directory for 
them if it's there first time to login.  I think there is a PAM module 
or something like that, that might help, by getting and using there home 
directories from the file server.  If someone has a better idea and/or 
sees the mistake I made causing this  please  post.
2) Once a user logs in , they cannot browse the  network using the 
desktop application on Suse.  They can see Samba servers and shares, but 
when they click on a share they can't login.  Could something in the 
smb.conf file have done this?  I haven't looked at the Samba PDC logs, 
but I looked at the file server logs and saw no changes there, like my 
computer didn't exist.

Here are my configuration files.
nsswitch.conf------------------------------------------------------------------------------------------------ 

passwd: compat winbind
group:  compat winbind

hosts:  files dns
networks:       files dns

services:       files
protocols:      files
rpc:    files
ethers: files
netmasks:       files
netgroup:       files
publickey:      files

bootparams:     files
automount:      files nis
aliases:        files
smb.conf 
---------------------------------------------------------------------
# I modified the idmaps to match what is on my Samba PDC
#

[global]
       workgroup = DOMTEST
       printing = cups
       security = domain
       netbios name = WRKSTN
       log level = 1
       syslog = 0
       log file = /var/log/samba/%m
       smb ports = 139
       name resolve order = wins bcast hosts
       printcap name = cups
       printcap cache time = 750
       cups options = raw
       map to guest = Bad User
       idmap gid = 16777216-33554431
       idmap uid = 16777216-33554431
       template primary group = "Domain Users"
       template shell = /bin/bash
       winbind separator = +
       hosts allow = 192.168.5.,127.

--------------------------------------------------------------------
Okay here is where there is a slight deviation from the Samba3-examples 
(very slight, I think)
[For those following along, if your logged into X to mak changes to 
pam.d file .  Make changes to your pam.d file save them then hit 
Ctrl-Alt-F1 or Ctrl-Alt-F2, which will take you to a console screen.  
Once you are there make sure you can log in as root.  Hit Ctrl-Alt-F7 to 
get back to the X window.  If you are ssh into the system, create 
another ssh session before you start or try to make sure you can log in 
as root via ssh , before logging out of your current session.]  Whatever 
you do don't directly copy these files onto you r system.  Look at 
Samba3-examples and understand the differences here and change at your 
on risk
------------------------------------------------------------------------
/etc/pam.d/login
#%PAM-1.0
auth     required       pam_securetty.so
auth     include        common-auth
auth     required       pam_nologin.so
auth     required       pam_mail.so
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_resmgr.so
----------------------------------------------------------------------------- 

/etc/pam.d/common-auth
auth    sufficient      pam_unix2.so    nullok
auth    sufficient      pam_winbind.so use_first_pass use_authtok
auth    required        pam_env.so
#auth   required        pam_unix2.so
-------------------------------------------------------------------------------- 

/etc/pam.d/common-account
#
#account        required        pam_unix2.so
account sufficient      pam_unix2.so
account sufficient      pam_winbind.so use_first_pass use_authtok
------------------------------------------------------------------------------------ 

/etc/pam.d/common-passwd
password required       pam_pwcheck.so  nullok
password sufficient     pam_winbind.so  use_first_pass use_authtok
password required       pam_unix2.so    nullok use_first_pass use_authtok
#password required      pam_make.so     /var/yp

------------------------------------------------------------------------------------ 

.etc/pam.d/common-session
#
#account        required        pam_unix2.so
account sufficient      pam_unix2.so
account sufficient      pam_winbind.so use_first_pass use_authtok
---------------------------------------------------------------------------------------- 

Basically the changes were using an include file and you don't have to 
edit /etc/pam.d/gdm,
/etc/pam.d/xdm or /etc/pam.d/login, just the common-* files.  You can 
look at it as a way of setting up everything at once or screwing up 
everything at once :-) .

So I'll still continue to work on my issues noted and find some more, 
then work on RHEL and then circle back and try to do LDAP authentication 
through the ldap server on the SambaPDC.   I started with winbind 
because after looking around it seemed that it might be the easiest to 
configure and I need to get these desktops up pretty quick.