[Pkg-openldap-devel] Trying to build a summary on LDAP/Samba/PAM/... strangeness...
Marco Gaiarin
gaio at sv.lnf.it
Tue May 15 09:43:18 UTC 2007
Sorry for this mail, but I've experimented a bit with
samba/smbldap-tools/ldap/pam... with sarge, and now, migrating to
edgy, I'm trying to do some cleanup.
Setting up a stable and efficient system I've found some minor drawbacks
that I don't feel confident enough to log as bugs.
Or at least I don't know exactly which package is responsible for the
bug. ;)
This message is sent to the slapd, smbldap-tools, libpam-ldap/libnss-ldap
maintainers. I think that the Debian wiki needs some minor tweaks, but
first I need to track down some problems before trying to edit it.
Some words about me: I'm a sysadmin from north-east Italy who works for a
non-profit organization that takes care of disabled children.
We manage directly 4 samba/smbldap/openldap installations and I'm a
consultant for another dozen of them, all Debian based, all migrating
to edgy.
It all starts from this:
http://wiki.debian.org/PAMLDAPSetup
[WOW! libpam_ldap is not needed, cool!!!].
This setup works flawlessly, and I've tested it in an environment (my home
server machine, which has no samba stuff but only posix).
In a perfectly-Windows environment this is really cool; typically in
these environments you use Windows to change the password, so it is
possible to simply uninstall libpam-ldap and forget about it.
Trying to do the same thing with the work setup (samba and smbldap-tools)
makes it impossible to log in.
Passwords in Windows work with no problem at all, but there's no way to
log in (console, ssh, ...).
After fiddling a bit with all this stuff I've found the culprit: if in
smbldap-tools I set hash_encrypt to something different from "CRYPT"
(and I think CLEARTEXT, but clearly that is not the case ;) logins are
impossible.
I've done these tests:
+ tried all combinations of (S)MD5, (S)SHA
+ as above, but using slappasswd instead of the internal perl logic
Only CRYPT works; note that if I set up libpam-ldap to change the password, I
can put in /etc/pam_ldap.conf whatever algorithm I choose and all works.
So my first statement/question:
1) it seems that smbldap-tools (but also slappasswd) generates a
userPassword field that is incompatible with the default auth
scheme (e.g., pam_unix/nss).
Note that if I load and configure libpam_ldap, passwords start to work
(clearly I opted for this setup), so it seems that it is the default pam_unix
'nss fallback' (really, I don't know what to call this ;) that does not
work with LDAP passwords, not all the stuff that does not work.
Summarizing:

                                used by:
pass generated by:              pam_unix/nss    libpam_ldap
libpam_ldap                     ALL(*)          ALL
smbldap-tools/ldappasswd        CRYPT           ALL

(*) really, I've tested only crypt and MD5.
I've also found a minor drawback of the configuration proposed in
/usr/share/doc/libpam-ldap/README.Debian, and the drawbacks are
exactly caused by this 'bug'. Second question.
2) In this setup every login is tried first with pam_unix and then, if and
only if it fails, passed to pam_ldap.
But the first try is a 'full try', i.e. pam_unix uses nss to check the
password against the 'system database', and fails because the password is
incompatible (as stated in 1).
You can see your auth.log full of:
May 15 09:44:43 sdinny sshd[5171]: (pam_unix) authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=harry.sv.lnf.it user=massimo
and this is really annoying, especially if you have to track down (e.g.,
with logcheck) real failed logins.
I'm thinking about swapping pam_unix and pam_ldap in this setup (i.e.,
every login is tried first with LDAP and then, only if it fails, with
pam_unix), but clearly this could lead to some minor trouble (timeouts)
if the LDAP server is down and I need to log in as root to fix it. ;)
The last question is really minor, or at least could be safely logged to the
Debian BTS, but I'm here...
3) In /usr/share/doc/smbldap-tools/README.Debian.gz it is not mentioned
that a 'sub' index has to be (it is required!) set up for samba on the
sambaSID field. So:
index sambaSID eq,sub
and not simply:
index sambaSID eq
as stated. See the samba changelog (for release 3.0.23) for more info.
I hope I was sufficiently clear. Many thanks to all.
--
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.sv.lnf.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)sv.lnf.it tel +39-0434-842711 fax +39-0434-842797
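Added example (not code from the mail, from OpenLDAP, nss_ldap or smbldap-tools) illustrating point 1 above: the two authentication paths see the same userPassword value very differently. slapd verifies the stored scheme itself on a simple bind, which is what libpam_ldap relies on, so any scheme works there. pam_unix only ever calls crypt(3) on whatever NSS returns as the shadow password field. The script assumes (this is an assumption about nss_ldap, not verified here) that nss_ldap strips a leading {crypt} prefix and passes any other value through unchanged, so a {SSHA}... string reaches crypt(3) as a salt it cannot use and the comparison fails; that is the "authentication failure" line in auth.log. The salt b"abcd" and the password "secret" are constructed test data; the hash layouts for {SHA}/{SSHA}/{MD5}/{SMD5} are the RFC 2307 ones slappasswd also emits.

```python
"""Why only {CRYPT} userPassword values survive the pam_unix/nss_ldap path."""
import base64
import hashlib
import hmac
import os
import re

try:
    import crypt  # stdlib wrapper around crypt(3); removed in Python 3.13
except ImportError:
    crypt = None

SCHEME_RE = re.compile(r"^\{([A-Za-z0-9]+)\}(.*)$", re.S)
# Digest behind each hashlib-backed RFC 2307 scheme; the S* variants append a salt.
DIGESTS = {"SHA": hashlib.sha1, "SSHA": hashlib.sha1,
           "MD5": hashlib.md5, "SMD5": hashlib.md5}


def parse_userpassword(value):
    """Split an RFC 2307 '{SCHEME}payload' value; no prefix means cleartext."""
    m = SCHEME_RE.match(value)
    if m is None:
        return "CLEARTEXT", value
    return m.group(1).upper(), m.group(2)


def make_hash(scheme, password, salt=None):
    """Build a userPassword value with the same layout slappasswd -h '{SCHEME}'
    emits: base64(digest [+ salt]).  A fixed salt is only for reproducibility."""
    scheme = scheme.upper()
    pw = password.encode("utf-8")
    if scheme in ("SHA", "MD5"):
        raw = DIGESTS[scheme](pw).digest()
    elif scheme in ("SSHA", "SMD5"):
        salt = os.urandom(4) if salt is None else salt
        raw = DIGESTS[scheme](pw + salt).digest() + salt
    else:
        raise ValueError("unsupported scheme: " + scheme)
    return "{%s}%s" % (scheme, base64.b64encode(raw).decode("ascii"))


def slapd_bind_check(stored, password):
    """What slapd does on a simple bind (hence what libpam_ldap gets):
    verify the candidate against whichever scheme the entry stores."""
    scheme, payload = parse_userpassword(stored)
    pw = password.encode("utf-8")
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), pw)
    if scheme in DIGESTS:
        raw = base64.b64decode(payload)
        n = DIGESTS[scheme]().digest_size
        digest, salt = raw[:n], raw[n:]  # salt is empty for unsalted {SHA}/{MD5}
        return hmac.compare_digest(DIGESTS[scheme](pw + salt).digest(), digest)
    if scheme == "CRYPT":
        return crypt_check(payload, password)
    return False


def crypt_check(hashed, password):
    """crypt(3) comparison, the only check pam_unix knows how to perform."""
    if crypt is None:
        raise RuntimeError("crypt(3) is not available in this interpreter")
    return hmac.compare_digest(crypt.crypt(password, hashed), hashed)


def nss_ldap_shadow_field(stored):
    """Assumed nss_ldap behaviour: strip a leading {crypt}, pass anything else through."""
    scheme, payload = parse_userpassword(stored)
    return payload if scheme == "CRYPT" else stored


def pam_unix_check(stored, password):
    """pam_unix via nss_ldap: the shadow field must be crypt(3) output.  A field
    still starting with '{' (e.g. {SSHA}...) is not one, so crypt() can never
    reproduce it and pam_unix logs 'authentication failure'."""
    field = nss_ldap_shadow_field(stored)
    if field.startswith("{"):
        return False
    return crypt_check(field, password)


def compatibility_table(password="secret"):
    """The 'Summarizing' table of the mail, computed for the hashlib-backed schemes."""
    rows = {}
    for scheme in ("SHA", "SSHA", "MD5", "SMD5"):
        stored = make_hash(scheme, password, salt=b"abcd")  # constructed salt
        rows[scheme] = {"libpam_ldap": slapd_bind_check(stored, password),
                        "pam_unix/nss": pam_unix_check(stored, password)}
    return rows


if __name__ == "__main__":
    for scheme, ok in compatibility_table().items():
        print("%-5s libpam_ldap=%-5s pam_unix/nss=%s" % (scheme, ok["libpam_ldap"], ok["pam_unix/nss"]))
    if crypt is not None:  # the one scheme both consumers accept
        stored = "{CRYPT}" + crypt.crypt("secret", crypt.mksalt(crypt.METHOD_MD5))
        print("CRYPT libpam_ldap=%-5s pam_unix/nss=%s"
              % (slapd_bind_check(stored, "secret"), pam_unix_check(stored, "secret")))
```

Running it prints a row per scheme; every hashlib-backed scheme verifies through the slapd bind path and none through the pam_unix path, while a {CRYPT} value verifies through both when the interpreter still ships the crypt module. The practical consequence for smbldap-tools is the one the mail reaches empirically: hash_encrypt must stay CRYPT unless libpam_ldap handles the password check.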
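Added configuration example for point 2 above (an illustration, not the stack from README.Debian or from the mail): the order the mail describes, pam_unix first, next to the swapped order the author considers, with pam_ldap's ignore_unknown_user and ignore_authinfo_unavail options so that a user absent from LDAP (root) or an unreachable server makes pam_ldap return PAM_IGNORE and fall through to pam_unix instead of failing. The file path and the 5-second bind_timelimit are assumptions; the module names and options are pam_ldap's and Linux-PAM's.

```text
# /etc/pam.d/common-auth, order described in the mail: every login hits
# pam_unix first, which asks nss_ldap for the shadow field and fails for
# any non-{CRYPT} userPassword, logging "(pam_unix) authentication failure".
auth    sufficient  pam_unix.so nullok_secure
auth    sufficient  pam_ldap.so use_first_pass
auth    required    pam_deny.so

# Swapped order: LDAP users are checked by slapd first, so a correct LDAP
# password never reaches pam_unix and never produces the spurious log line.
# ignore_unknown_user  -> PAM_IGNORE for accounts not in the directory (root),
#                         so the stack continues to pam_unix.
# ignore_authinfo_unavail -> PAM_IGNORE when slapd cannot be contacted,
#                         so root can still log in while LDAP is down.
auth    sufficient  pam_ldap.so ignore_unknown_user ignore_authinfo_unavail
auth    sufficient  pam_unix.so try_first_pass nullok_secure
auth    required    pam_deny.so

# /etc/pam_ldap.conf: bound the wait when the server is down (assumed values).
# bind_timelimit 5
# bind_policy soft
```

With the swapped order a wrong LDAP password still falls through to pam_unix, which then logs its own failure; that is a genuine failed login and exactly what logcheck should report. The remaining cost is the timeout on every login while slapd is unreachable, which bind_timelimit caps; with bind_policy hard (the default) pam_ldap retries before giving up, so keep it soft on hosts where a fast root login matters more than resilience to a briefly restarting slapd.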