Thread: [SOLVED] PAM and LDAP on CentOS - please help

  1. #1
    Join Date: Dec 2009 | Posts: 20 | Rep Power: 5

    [SOLVED] PAM and LDAP on CentOS - please help

    Hi everybody,

    I still just can't manage to get Zimbra running with Samba and LDAP on a CentOS Server. This is what I get when I try to join the domain:

    Code:
    check_ntlm_password:  Checking password for unmapped user [VWL]\[chef]@[LAPTOP046] with the new password interface
    [2010/04/01 16:43:08.284258,  3] auth/auth.c:219(check_ntlm_password)
      check_ntlm_password:  mapped user is: [VWL]\[chef]@[LAPTOP046]
    [2010/04/01 16:43:08.284288,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.284309,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2010/04/01 16:43:08.284324,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.289579,  3] lib/smbldap.c:735(smb_ldap_start_tls)
      StartTLS issued: using a TLS connection
    [2010/04/01 16:43:08.289618,  2] lib/smbldap.c:950(smbldap_open_connection)
      smbldap_open_connection: connection opened
    [2010/04/01 16:43:08.290094,  3] lib/smbldap.c:1166(smbldap_connect_system)
      ldap_connect_system: successful connection to the LDAP server
    [2010/04/01 16:43:08.290581,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
      init_sam_from_ldap: Entry found for user: chef
    [2010/04/01 16:43:08.290696,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
    [2010/04/01 16:43:08.290714,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.290729,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
    [2010/04/01 16:43:08.290788,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.290861,  0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
      pdb_get_group_sid: Failed to find Unix account for chef
    [2010/04/01 16:43:08.290880,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
    [2010/04/01 16:43:08.290895,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.290908,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
    [2010/04/01 16:43:08.290935,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.290973,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
    [2010/04/01 16:43:08.290989,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.291003,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
    [2010/04/01 16:43:08.291029,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.291052,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2010/04/01 16:43:08.291135,  3] smbd/sec_ctx.c:210(push_sec_ctx)
      push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.291171,  3] smbd/uid.c:429(push_conn_ctx)
      push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2010/04/01 16:43:08.291190,  3] smbd/sec_ctx.c:310(set_sec_ctx)
      setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2010/04/01 16:43:08.291211,  1] auth/auth_util.c:580(make_server_info_sam)
      User chef in passdb, but getpwnam() fails!
    [2010/04/01 16:43:08.291232,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
      pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2010/04/01 16:43:08.291247,  0] auth/auth_sam.c:490(check_sam_security)
      check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
    [2010/04/01 16:43:08.291274,  3] auth/auth_winbind.c:54(check_winbind_security)
      check_winbind_security: Not using winbind, requested domain [VWL] was for this SAM.
    [2010/04/01 16:43:08.291290,  2] auth/auth.c:314(check_ntlm_password)
      check_ntlm_password:  Authentication for user [chef] -> [chef] FAILED with error NT_STATUS_NO_SUCH_USER
    [2010/04/01 16:43:08.291317,  3] smbd/error.c:80(error_packet_set)

    I can create the LDAP users properly through the Zimbra Admin Interface without problems and see the whole structure correctly with a graphical tool like Ldapadmin.

    The first question I am not really sure about: Do I actually NEED a Unix account for the user? I assume I don't. From my understanding, PAM is configured to authorize against the LDAP database.

    I am running Zimbra on CentOS 5.4 64bit. I'm a little lost with the PAM configuration. I'm not really sure whether I need to edit the /etc/pam.d/ files, or if I need to use authconfig with several options.

    My /etc/pam.d/system-auth:

    Code:
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        sufficient    pam_ldap.so use_first_pass
    auth        required      pam_deny.so
    
    account     required      pam_unix.so broken_shadow
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3
    password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
    password    sufficient    pam_ldap.so use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     optional      pam_mkhomedir.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    session     optional      pam_ldap.so

    authconfig --test gives me the following:
    Code:
    caching is enabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is enabled
     LDAP+TLS is enabled
     LDAP server = "ldap://myserver.xxx.yyy.de/"
     LDAP base DN = "dc=xxx,dc=yyy,dc=de"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = "WORKGROUP"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap uid = "16777216-33554431"
     SMB idmap gid = "16777216-33554431"
    nss_wins is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     password hashing algorithm is md5
    pam_krb5 is disabled
     krb5 realm = "EXAMPLE.COM"
     krb5 realm via dns is disabled
     krb5 kdc = "kerberos.example.com:88"
     krb5 kdc via dns is disabled
     krb5 admin server = "kerberos.example.com:749"
    pam_ldap is enabled
    
     LDAP+TLS is enabled
     LDAP server = "ldap://myserver.xxx.yyy.de/"
     LDAP base DN = "dc=xxx,dc=yyy,dc=de"
    pam_pkcs11 is disabled
    
     use only smartcard for login is disabled
     smartcard module = "coolkey"
     smartcard removal action = "Ignorieren"
    pam_smb_auth is disabled
     SMB workgroup = "WORKGROUP"
     SMB servers = ""
    pam_winbind is disabled
     SMB workgroup = "WORKGROUP"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_cracklib is enabled (try_first_pass retry=3)
    pam_passwdqc is disabled ()
    pam_access is disabled ()
    pam_mkhomedir is enabled ()
    Always authorize local users is enabled ()
    Authenticate system accounts against network services is disabled

    I have been working on this problem for days and weeks by now. I think I've read through 1,000 Google results, but I still haven't found any solution. So if anybody is familiar with this, I would really be happy if you could help me out!

  2. #2
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 25

    Why are you trying to join the domain? That is not necessary when using an LDAP backend. If you run
    Code:
    getent passwd
    do you see the LDAP users? You can also flush the cache with
    Code:
    nscd -i passwd

  3. #3
    Join Date: Dec 2009 | Posts: 20 | Rep Power: 5

    Ok, for some reason when I run getent passwd, I can't see the users anymore. I probably messed up the configuration now, as two hours ago it was still working. However, I could not su to the user I saw there that were created through the Zimbra Admin Console (the syntax of those users was user:*:...).

    I'm not really sure what you mean by why I am trying to join the domain. I am trying to log on from a Windows computer with a Domain Admin to add the machine to the domain.

  4. #4
    Join Date: Nov 2006 | Location: UK | Posts: 8,017 | Rep Power: 25

    Which guide are you following? I will take a look-see.

  5. #5
    Join Date: Dec 2009 | Posts: 20 | Rep Power: 5

    Ok, getent passwd is running again, it shows me my user:

    Code:
    chef:*:1002:10002:DomainAdminTest:/home/chef:

    I followed UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki

    P.S.: When I do the ldapsearch, I can see my user "chef"
    Last edited by Paulatia; 04-01-2010 at 09:55 AM.
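
The checks from post #2 (getent passwd, nscd -i passwd) and the passwd line shown above, combined into one diagnostic script. This is an added example and not code from the thread, Samba or Zimbra; the function names are this example's own, and the sample passwd line is the one quoted in post #5. The log's failing step is Samba's getpwnam(): the account exists in the LDAP passdb but NSS does not return a Unix account for it, which is what the script tests.

```shell
#!/bin/sh
# Added example (not from the thread): check whether NSS resolves an LDAP user
# the way Samba's getpwnam() does, and sanity-check the passwd entry it returns.
# Function names are this example's own; nothing here is Samba or Zimbra code.

# Split one passwd line into its 7 fields and report what Samba or su trip over.
check_passwd_entry() {
    printf '%s\n' "$1" | awk -F: '
        NF != 7 { printf "malformed: expected 7 fields, found %d\n", NF; bad = 1; exit }
        $3 !~ /^[0-9]+$/ { printf "%s: uid field %s is not numeric\n", $1, $3; bad = 1 }
        $4 !~ /^[0-9]+$/ { printf "%s: gid field %s is not numeric\n", $1, $4; bad = 1 }
        $7 == ""        { printf "%s: empty shell field (login falls back to /bin/sh)\n", $1 }
        $2 == "*"       { printf "%s: no local hash, auth must go through pam_ldap\n", $1 }
                        { printf "%s: uid=%s gid=%s home=%s\n", $1, $3, $4, $6 }
        END             { exit bad }'
}

# What Samba's getpwnam() sees: ask NSS (files, then nss_ldap) for the account.
# Returns 0 if resolved, 1 if not, 2 if getent is unavailable on this host.
nss_user_resolves() {
    command -v getent >/dev/null 2>&1 || return 2
    getent passwd "$1" >/dev/null 2>&1
}

# Run the whole check for one user, as you would on the Zimbra/Samba host.
diagnose_user() {
    if entry=$(getent passwd "$1" 2>/dev/null); then
        echo "NSS resolves $1:"
        check_passwd_entry "$entry"
    else
        echo "NSS cannot resolve $1: Samba's getpwnam() will fail as in the log."
        echo "Verify the nss_ldap bind user and password (zmposix in this thread),"
        echo "then flush the cache with: nscd -i passwd"
    fi
}

# Only act when a user name is passed, e.g.: sh nss_check.sh chef
if [ "$#" -gt 0 ]; then
    diagnose_user "$1"
fi
```

If getent lists the user but su still says "user unknown", the account side (pam_ldap in the account stack) is the next thing to look at, since NSS is already answering.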

  6. #6
    Join Date: Dec 2009 | Posts: 20 | Rep Power: 5

    Ok, if no one has an answer, can somebody confirm that the fact that I can't even su to the user I can see when running getent passwd indicates that the error must be in PAM? When I try to su to my user "chef", I get the error "user unknown".

    My /etc/pam.d/su looks like this:

    Code:
    #%PAM-1.0
    auth            sufficient      pam_rootok.so
    # Uncomment the following line to implicitly trust users in the "wheel" group.
    #auth           sufficient      pam_wheel.so trust use_uid
    # Uncomment the following line to require a user to be in the "wheel" group.
    #auth           required        pam_wheel.so use_uid
    auth            include         system-auth
    account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
    account         include         system-auth
    password        include         system-auth
    session         include         system-auth
    session         optional        pam_xauth.so

    Thanks for any help!

  7. #7
    Join Date: Dec 2009 | Posts: 20 | Rep Power: 5

    Ok, I finally solved it after checking all LDAP user logins.... I got high-security passwords for the users zimbra, zmposixroot and zmposix. It seems like the password for zmposix included one or more characters which didn't work. I switched the password to "test" and it works fine; switching it back to my $§/(&Q§)&%§)(-password causes the same problem again.

    Thanks to everybody who spent time looking at this! I'm really glad it's finally working.
