Ashes All American 11254 Posts |
Quote : | "Seriously. The server responds to requests, the users are all in there, ldapsearch works from any node just fine. In fact, I believe the clients are even partially authenticating against LDAP -- getent passwd returns the passwd table for users in LDAP, but it seems that it is still authenticating passwords against the local shadow file and getent shadow seems to return the local shadow on any given client. Several uids even conflict between ldap and shadow from where I merged the user databases, and they are reversed properly to the correct usernames, but on the fileserver where none of the LDAP users exist in the shadow file, nobody is able to logon. WTF'd." |
--- posted for a friend --- I have no clue 9/22/2008 2:30:34 PM |
gs7 All American 2354 Posts |
Has your friend configured PAM to authenticate against LDAP? 9/22/2008 2:40:51 PM |
Ashes All American 11254 Posts |
Quote : | "
auth required pam_env.so
auth required pam_unix.so try_first_pass likeauth nullok
auth sufficient pam_ldap.so use_first_pass
account sufficient pam_ldap.so
account required pam_unix.so
password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 try_first_pass retry=3
password sufficient pam_ldap.so use_authtok use_first_pass
password required pam_unix.so try_first_pass use_authtok nullok md5 shadow

session required pam_limits.so
session required pam_env.so
session required pam_unix.so
session optional pam_ldap.so" |
[Edited on September 22, 2008 at 2:48 PM. Reason : config]
Quote : | "I SEE THE PROBLEM HAHAHAHAHAHA my passwords are md5 and I was trying to use crypt well I'm not sure, but maybe haha" |
[Edited on September 22, 2008 at 2:50 PM. Reason : fixed?] 9/22/2008 2:47:38 PM |
gs7 All American 2354 Posts |
So, he's saying PAM and LDAP are set up properly on the fileserver as well, right?
He needs to make sure that Unix accounts DO NOT exist for any accounts/usernames (apart from root) he plans on having in LDAP.
Could your friend provide a detailed overview of his setup please? 9/22/2008 2:52:09 PM |
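Added example, not part of the thread: a Python check for the condition gs7 describes (usernames that exist both locally and in LDAP) and for the UID conflicts mentioned in the first post. The function names parse_passwd and audit and both passwd(5)-format samples are constructed for illustration; in practice the inputs would be the local /etc/passwd and the LDAP users exported in the same format.

```python
# Constructed sample data in passwd(5) format (not from the thread).
LOCAL_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
"""
LDAP_PASSWD = """\
alice:x:1001:100:Alice:/home/alice:/bin/bash
bob:x:1005:100:Bob:/home/bob:/bin/bash
carol:x:1002:100:Carol:/home/carol:/bin/bash
"""

def parse_passwd(text):
    """Return {username: uid}; skip blanks, comments and malformed lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7 or not fields[2].isdigit():
            continue  # e.g. a compat entry such as "+::::::"
        users[fields[0]] = int(fields[2])
    return users

def audit(local_text, ldap_text, allowed=("root",)):
    """List (kind, who, local_uid, ldap_uid) conflicts between the sources."""
    local, ldap = parse_passwd(local_text), parse_passwd(ldap_text)
    findings = []
    # Same username in both sources: the local entry can mask the LDAP one.
    for name in sorted((set(local) & set(ldap)) - set(allowed)):
        kind = "duplicate" if local[name] == ldap[name] else "uid-mismatch"
        findings.append((kind, name, local[name], ldap[name]))
    # Same UID under different usernames: file ownership becomes ambiguous.
    ldap_by_uid = {}
    for name, uid in ldap.items():
        ldap_by_uid.setdefault(uid, []).append(name)
    for name, uid in sorted(local.items()):
        for other in sorted(ldap_by_uid.get(uid, [])):
            if other != name:
                findings.append(("uid-collision", f"{name}/{other}", uid, uid))
    return findings

if __name__ == "__main__":
    for finding in audit(LOCAL_PASSWD, LDAP_PASSWD):
        print(*finding)
```

An empty result means no local account shadows or collides with a directory account, apart from the names listed in `allowed`.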
Ashes All American 11254 Posts |
FIXED!
Quote : | " yeah, tell 'em I just noticed though I meticulously prepared a passwd with all "user" accounts removed and all system/service accounts using assigned numbers ... I neglected to actually put it in place, hahahaha" |
9/22/2008 3:01:57 PM |
evan All American 27701 Posts |
hah
that would certainly do it 9/22/2008 6:11:43 PM |