kde/kdm + nsswitch + ldap = nologon

Tim Judd tajudd at gmail.com
Sat Mar 7 09:57:39 PST 2009

On Sat, Mar 7, 2009 at 7:59 AM, Joe Kraft <jvk-list at thekrafts.org> wrote:

> I'm trying to implement SSO using Samba-3.2.4 with an LDAP backend.  The
> intent is to use ldap directly for FBSD clients and Samba for MS Windows
> clients.
> The LDAP server (openldap 2.4.11) is running on a FBSD 6.3 server and is
> set up and seems to be working fine; I can log in locally or through SSH
> using the ldap accounts.
> I'm working on the first client which is a FBSD 7.1 machine.  I can use
> ldap to login on this machine, but I'm having issues with logging in using
> kdm.  I can see all the users both from local files and from ldap, but I
> can't log in using either.  Even when kdm won't allow a login, I can
> <ctrl><alt><F8> and get a normal login shell and login with local or ldap
> accounts.  The ldap lines are included in my /etc/pam.d/kde file.
> If I remove ldap from the nsswitch.conf file it will start working with
> local logins on kdm again.
> I ran into a bug report from last summer that appears to still be open with
> exactly the same issue (http://www.freebsd.org/cgi/query-pr.cgi?pr=124321).
> Does anyone know a workaround or have a patch for the issue?  I can provide
> config files and such if anyone thinks it might help.
> Thanks,
> Joe.

True SSO is accomplished by Kerberos.  Your LDAP implementation is
re-authenticating/re-authorizing on every service.

I'm by NO means an expert with pam -- it confuses me, but there are some
basic concepts that I think might be missing in your setup.

First question I've got is shouldn't you need to create the rules for kdm in
a file called 'kdm' in pam?

Second is that some options/arguments that pam can use such as
USE_FIRST_PASS would probably help you here.

Third is whether the sufficient/required column in the pam file is there.

Now we have to deal with whether kdm uses pam or nsswitch.  And if it uses
nsswitch, then we have to go through all that troubleshooting all over
again.  Or maybe it doesn't even have any concept of using alternate auth
mechanisms other than just the local files...

I'm only providing an insight to something your eyes may have overlooked.

I hope this triggers something to get it working.  G'luck
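As an added illustration of the second and third points above (the control-flag column and use_first_pass), here is a pam.d stack for a display manager that tries local accounts before LDAP. It is not from either poster; it assumes pam_ldap from the security/pam_ldap port installed at /usr/local/lib/pam_ldap.so and that kdm is built to look up the PAM service name "kdm". It only covers the PAM side; it does not address the nsswitch behaviour Joe describes, where dropping ldap from nsswitch.conf makes kdm work again.

```conf
# /etc/pam.d/kdm -- added example, not from the thread.
# Assumption: pam_ldap.so from the security/pam_ldap port lives at
# /usr/local/lib/pam_ldap.so and kdm uses the PAM service name "kdm".

# auth: "sufficient" means a success on this line ends the stack with
# success; a failure only falls through to the next line.  "required"
# means the module must succeed, but later lines still run.
auth        required    pam_nologin.so                  no_warn
auth        sufficient  pam_unix.so                     no_warn try_first_pass
# use_first_pass makes pam_ldap reuse the password kdm already collected
# instead of prompting a second time after pam_unix rejected it.
auth        required    /usr/local/lib/pam_ldap.so      no_warn use_first_pass

# account: a user only has to satisfy one backend
account     required    pam_nologin.so
account     sufficient  pam_unix.so
account     required    /usr/local/lib/pam_ldap.so

# session
session     required    pam_lastlog.so                  no_fail

# password: changes go to whichever backend knows the user;
# use_authtok hands pam_ldap the new password pam_unix already prompted for
password    sufficient  pam_unix.so                     no_warn try_first_pass
password    required    /usr/local/lib/pam_ldap.so      no_warn use_authtok
```

If both backends were marked required instead, a local-only user would fail because pam_ldap does not know them, and an LDAP user would be asked for the password twice without use_first_pass.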
