[Samba] simple LDAP question
Bruno Gimenes Pereti
pereti at ump.edu.br
Thu Aug 29 08:57:01 GMT 2002
Thanks IOhannes and Adam.
First of all, sorry for the html e-mail I sent.
Now I'll try to show my situation. I work at a small University that is
growing. Now I have 2 samba servers running independently, the students
don't have accounts, the teachers use one server in their classes and the
employers use the other one.
The servers are now running with the default smbpasswd file.
I intend to authenticate students, teachers and employers in samba with LDAP,
and teachers and employers would authenticate to other services like pop.
With that I can explain what I did till now. I'm trying OpenLDAP and NDS for
Linux (Novell). All the work I did was over the LDAP installed with NDS. I
have the extended classes posixAccount, posixGroup and shadowAccount in my
schema (I don't have the samba schema yet). My /etc/ldap.conf is:
host 127.0.0.1
base o=Local
pam_member_attribute member
pam_password nds
ssl no
What I understood of the pam files is that all of them call system-auth
(/lib/security/pam_stack.so service=system-auth). I edited this file
(/etc/pam.d/system-auth) like this:
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_ldap.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_ldap.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_ldap.so
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session sufficient /lib/security/pam_ldap.so
session required /lib/security/pam_unix.so
And this is the part of /etc/nsswitch.conf I edited:
passwd: files ldap
shadow: files ldap
group: files ldap
With this user in LDAP:
[root at test /]# ldapsearch -x uid=bruno
version: 2
#
# filter: uid=bruno
# requesting: ALL
#
# bruno,Local
dn: cn=bruno,o=Local
uid: bruno
sn: bruno
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
objectClass: posixAccount
objectClass: posixGroup
objectClass: shadowAccount
I tried to log in on the console but I got this error in /var/log/messages:
Aug 29 14:39:44 test login(pam_unix)[893]: session opened for user bruno by LOGIN(uid=0)
Aug 29 14:39:44 test login[893]: Cannot make/remove an entry for the specified session
When I created the user in Linux it started to work, with the password
stored in LDAP.
Well, this is my situation...
What should I do now to make it work without the local user?
Thanks.
Bruno.
> Bruno Gimenes Pereti wrote:
> > Hi,
> hi you !
>
> >
> > I'm new to LDAP and pam. Do I need to have the user in /etc/passwd and
> > /etc/shadow to authenticate a user in the system or in the PDC?
>
> weird, what do you intend to use LDAP for ?
> this question seems to me like "i am new to guns. do i need a club to
> kill someone?"
>
> no, you don't need /etc/passwd and /etc/shadow when using LDAP (you
> might even want to throw it away, but rather not. if your ldap-server
> fails, against whom do you want to authenticate then ?)
>
> mfg.cds.adr
> peaceloving IOhannes
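As an added example (not part of Bruno's post, nor code from Samba, nss_ldap or NDS), here is a small Python checker that parses the LDIF that ldapsearch prints and reports, for every entry carrying posixAccount or posixGroup, which attributes RFC 2307 declares as MUST are absent. nss_ldap builds the passwd record from uid, uidNumber, gidNumber and homeDirectory, so an entry that only carries the objectClass names is not enough for NSS to resolve the account. The sample LDIF is constructed: the first entry is a copy of the one shown in the post, the second is an invented complete entry for comparison.

```python
"""Audit ldapsearch LDIF output for the attributes NSS needs to resolve POSIX users."""
import base64
import re

# RFC 2307 MUST attributes (loginShell, gecos and userPassword are only MAY).
REQUIRED = {
    "posixAccount": ["cn", "uid", "uidNumber", "gidNumber", "homeDirectory"],
    "posixGroup": ["cn", "gidNumber"],
}

# Constructed sample: a copy of the entry from the post plus an invented complete one.
SAMPLE_LDIF = """\
version: 2
#
# filter: uid=bruno
# requesting: ALL
#

# bruno,Local
dn: cn=bruno,o=Local
uid: bruno
sn: bruno
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: ndsLoginProperties
objectClass: top
objectClass: posixAccount
objectClass: posixGroup
objectClass: shadowAccount

# alice,People,Local (constructed complete entry)
dn: uid=alice,ou=People,o=Local
uid: alice
cn: alice
sn: alice
uidNumber: 10001
gidNumber: 10001
homeDirectory: /home/alice
loginShell: /bin/bash
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: shadowAccount
"""


def parse_ldif(text):
    """Parse LDIF into a list of (dn, {attribute_name: [values]}).

    Handles comment lines, the 'version:' header, folded continuation lines
    (a line starting with one space continues the previous one) and base64
    values written with '::'. Entries are separated by blank lines.
    """
    text = re.sub(r"\n ", "", text)  # unfold continuation lines
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#") or line.startswith("version:"):
                continue
            name, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            name = name.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
        if dn is not None:
            entries.append((dn, attrs))
    return entries


def missing_posix_attrs(attrs):
    """Return the set of RFC 2307 MUST attributes the entry lacks for each
    posix* objectClass it declares. An empty set means NSS has everything it
    needs to build a passwd (or group) record from this entry."""
    present = {name.lower() for name in attrs}
    classes = {c.lower() for c in attrs.get("objectClass", attrs.get("objectclass", []))}
    missing = set()
    for cls, required in REQUIRED.items():
        if cls.lower() in classes:
            missing.update(a for a in required if a.lower() not in present)
    return missing


def audit(text):
    """Map each DN in the LDIF text to the attributes it is missing."""
    return {dn: missing_posix_attrs(attrs) for dn, attrs in parse_ldif(text)}


if __name__ == "__main__":
    for dn, missing in audit(SAMPLE_LDIF).items():
        print(dn, "->", "ok" if not missing else "missing " + ", ".join(sorted(missing)))
```

Run it against `ldapsearch -x uid=bruno` output piped into `audit()` to see which attributes must be added before the entry can stand in for a line in /etc/passwd; the attribute comparison is case-insensitive, as LDAP attribute names are.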