Problems combining nss_ldap/pam_ldap with pam_mkhomedir in FreeBSD 7.0

Daniel Bond db at danielbond.org
Mon Mar 17 09:29:51 PDT 2008


Hi,

We use a large number of servers with centralized user accounts in LDAP
for ease of administration. The machines bind to LDAPv3 with TLS, and
PAM accepts logins for ssh checking groupdn. This has been working great
in FreeBSD 4.x, 5.x and 6.x, but while setting this up in FreeBSD
7.0-RELEASE (amd64) I ran into a few problems (tested on two machines).
I've only used portsnap and portinstall to install packages (no pkg_add
etc.). I've also tried recompiling nss_ldap/pam_ldap/openldap-client and
updating ldconfig.

Brief description (config files etc further down):
-----

First I setup nss_ldap to list the users with "getent passwd", then I
edited /etc/pam.d/sshd to allow logins. I *can login*, but in
/var/log/auth.log I see one entry per login:

Mar 17 16:36:05 webmail sshd[98863]: nss_ldap: could not get LDAP result - Can't contact LDAP server

Well, OK. I am logged in now.


Time to break the setup (adding pam_mkhomedir):
-----

This is what my /etc/pam.d/sshd file looks like:

# auth
auth            sufficient      pam_opie.so             no_warn no_fake_prompts
auth            requisite       pam_opieaccess.so       no_warn allow_local
auth            sufficient      /usr/local/lib/pam_ldap.so no_warn debug
auth            required        pam_unix.so             no_warn try_first_pass

# account
account         required        pam_nologin.so
#account        required        /usr/local/lib/pam_ldap.so ignore_authinfo_unavail debug # usually enabled to enforce pam_groupdn in ldap.conf
account         required        pam_login_access.so
account         required        pam_unix.so

# session
session         required        pam_permit.so
#session        required        /usr/local/lib/pam_mkhomedir.so skel=/etc/skel/sshd umask=0077

# password
password        required        pam_unix.so             no_warn try_first_pass




Now, if I uncomment the line with pam_mkhomedir.so on it, logins stop
working. In /var/log/auth.log I now see two lines appearing:

Mar 17 16:46:40 webmail sshd[98923]: nss_ldap: could not search LDAP server - Server is unavailable
Mar 17 16:46:40 webmail sshd[98923]: error: PAM: pam_open_session(): error in service module

I think this might be a problem in the PADL pam_ldap package, because I
see some suspicious warnings while building it:

cc -DHAVE_CONFIG_H -DLDAP_REFERRALS -DLDAP_DEPRECATED -DPIC -D_REENTRANT -I/usr/local/include -O2 -fno-strict-aliasing -pipe -Wall -fPIC -c pam_ldap.c
pam_ldap.c: In function '_get_user_info':
pam_ldap.c:2726: warning: passing argument 4 of '_get_long_integer_value' from incompatible pointer type
pam_ldap.c: In function '_pam_ldap_get_session':
pam_ldap.c:2741: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c: In function 'pam_sm_open_session':
pam_ldap.c:3400: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c: In function 'pam_sm_chauthtok':
pam_ldap.c:3466: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c:3477: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c:3619: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type
pam_ldap.c: In function 'pam_sm_acct_mgmt':
pam_ldap.c:3860: warning: passing argument 3 of 'pam_get_data' from incompatible pointer type


If I add pam_mkhomedir.so to /etc/pam.d/su, I can su - <ldapuser> and it
creates my homedir.

From ktracing it doesn't seem like sshd/pam is failing to find anything (well,
it's not finding nss_dns.so, but I'm guessing that's not important).

Has the PAM interface changed at all in 7.0? Can anyone point me in the
right direction to where the problem is, and how I can fix it (I don't
know PAM internals and I'm not a great C coder, but I'll give it a shot)?

I'm pretty sure my ldap.conf and nsswitch.conf are OK, but here they are
anyway:


/usr/local/etc/nss_ldap.conf -> openldap/ldap.conf
/usr/local/etc/ldap.conf -> openldap/ldap.conf

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

base    dc=nsn, dc=no
HOST    1.slave.1881.int.nsn.no master.1881.int.nsn.no

port 389
ldap_version 3
bind_policy soft

binddn  cn=unix7813,ou=sysusers,dc=nsn,dc=no
bindpw  <secret>

ssl     start_tls
pam_filter      objectclass=posixAccount
pam_groupdn    cn=mx-servers,ou=ssh-access,ou=groups,dc=nsn,dc=no
pam_member_attribute member
pam_password exop
nss_base_passwd ou=nsnasa,ou=people,dc=nsn,dc=no
nss_base_shadow ou=nsnasa,ou=people,dc=nsn,dc=no
nss_base_group  ou=posixgroups,ou=groups,dc=nsn,dc=no
tls_checkpeer no
TLS_REQCERT allow



/etc/nsswitch.conf:

group: files ldap
hosts: files dns
networks: files
passwd: files ldap
group_compat: nis
passwd_compat: nis
shells: files
services: files
protocols: files
rpc: files


I've tried a lot of different setups in this file, reversing orders,
using *_compat etc.

So, if anyone has any theories, or something that can point me in any
direction, I will greatly appreciate it. If I posted this to the wrong forum,
please point me to the correct/optimal forum.

Otherwise I'm pleased to see the impressive new performance in 7.0, and
better support for IBM Bladeservers and Qlogic 4gig FC-controllers :-)
Great release!


Thanks in advance.


Kind regards,


Daniel Bond.
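The /etc/pam.d/sshd file as pasted above arrived with its long lines wrapped by the mailer, which is a reminder that a stray fragment such as "skel=/etc/skel/sshd umask=0077" on a line of its own would itself make OpenPAM reject the session stack. Before blaming pam_ldap or pam_mkhomedir, a quick check that the file on disk parses as intended is cheap. The script below is an added example for this thread, not code from the original post or from FreeBSD. It assumes OpenPAM's pam.conf(5) grammar ("type control module [args]", with control one of required, requisite, sufficient, optional, binding, or "include <service>"); only absolute module paths are checked for existence, since bare names such as pam_unix.so are resolved by OpenPAM's own search path. The sample input it lints is constructed, not the author's file.

```shell
#!/bin/sh
# pamd_lint: sanity-check one /etc/pam.d/<service> file before testing logins.
# Added example, not code from the original post or from FreeBSD.
# Assumes OpenPAM's pam.conf(5) grammar: "type control module [args]".

pamd_lint() {
    file=$1
    errors=0
    lineno=0
    # read splits on whitespace, so a wrapped continuation such as
    # "skel=/etc/skel/sshd umask=0077" shows up with an invalid type field.
    while read -r type control module rest || [ -n "$type" ]; do
        lineno=$((lineno + 1))
        case "$type" in
            '' | '#'*) continue ;;                      # blank line or comment
            auth | account | session | password) ;;
            *)
                echo "$file:$lineno: '$type' is not a PAM facility (wrapped or stray line?)"
                errors=$((errors + 1))
                continue ;;
        esac
        case "$control" in
            required | requisite | sufficient | optional | binding | include) ;;
            *)
                echo "$file:$lineno: unknown control flag '$control'"
                errors=$((errors + 1)) ;;
        esac
        if [ -z "$module" ]; then
            echo "$file:$lineno: missing module or service name"
            errors=$((errors + 1))
        elif [ "$control" != include ] && [ "${module#/}" != "$module" ] && [ ! -f "$module" ]; then
            # Only absolute paths are checked; bare names use OpenPAM's search path.
            echo "$file:$lineno: module $module does not exist on this host"
            errors=$((errors + 1))
        fi
    done < "$file"
    [ "$errors" -eq 0 ]
}

# Constructed sample: the session block from the post as it arrived, with the
# mkhomedir line split in two by mail wrapping (a problem on disk, not in mail).
demo=$(mktemp)
cat > "$demo" <<'EOF'
session         required        pam_permit.so
session         required        /usr/local/lib/pam_mkhomedir.so
skel=/etc/skel/sshd umask=0077
EOF
if pamd_lint "$demo"; then
    echo "$demo: no problems found"
fi
rm -f "$demo"
```

Run it as `pamd_lint /etc/pam.d/sshd` on the affected host; a clean result means the failure is in the modules themselves rather than in how the stack is written, which is the point at which tracing sshd's session phase (as the post does with ktrace) becomes worthwhile.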

