Quoting Craig White craigwhite@azapple.com:
On Wed, 2008-08-27 at 17:56 -0400, Mark Hennessy wrote:
Quoting Craig White craigwhite@azapple.com:
well, it hardly makes any sense to use ldap for user accounts and start up with networking off but I would recommend that you adhere to the advice at the top of the file and run 'authconfig' or 'system-config-authentication', make sure the settings are correct (including checking the box for local authentication is sufficient) so that it configures not only /etc/pam.d/system-auth and nsswitch.conf
Yes, I agree, it makes no sense to operate a machine with ldap accounts if it has no network connection, but at least one should be able to log in as root. To clarify, here's the problem: I have a machine. In normal operation, the network connection is non-functional and LDAP accounts are usable and everyone does their thing over ssh. If the network connection craps out, I can get into the machine via serial console and try to find out what's going on, perhaps switch to a different network connection, whatever. If I can't log in as root, my only recourse is to powercycle the machine and go into single-user mode. Now, multiply that by 100. This is why I need to get this working.
sounds like you're trying to fix a symptom, not the problem.
anyway, did you run authconfig/system-config-authentication ?
Yes, I did in fact run it. here are the results: authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --enableldaptls --ldaploadcacert=file:///etc/openldap/cacerts/cacert.pem --test
caching is enabled nss_files is always enabled nss_compat is enabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is enabled LDAP+TLS is enabled LDAP server = "ldap.example.com" LDAP base DN = "dc=example,dc=com" nss_nis is disabled NIS server = "" NIS domain = "" nss_nisplus is disabled nss_winbind is disabled SMB workgroup = "WORKGROUP" SMB servers = "" SMB security = "user" SMB realm = "" Winbind template shell = "/bin/false" SMB idmap uid = "blah-blah" SMB idmap gid = "blah-blah" nss_wins is disabled pam_unix is always enabled shadow passwords are enabled md5 passwords are enabled pam_krb5 is disabled krb5 realm = "EXAMPLE.COM" krb5 realm via dns is disabled krb5 kdc = "kerberos.example.com:88" krb5 kdc via dns is disabled krb5 admin server = "kerberos.example.com:749" pam_ldap is enabled
LDAP+TLS is enabled LDAP server = "ldap.example.com" LDAP base DN = "dc=example,dc=com" pam_pkcs11 is disabled
use only smartcard for login is disabled smartcard module = "coolkey" smartcard removal action = "Ignore" pam_smb_auth is disabled SMB workgroup = "WORKGROUP" SMB servers = "" pam_winbind is disabled SMB workgroup = "WORKGROUP" SMB servers = "" SMB security = "user" SMB realm = "" pam_cracklib is enabled (try_first_pass retry=3 debug) pam_passwdqc is disabled () Always authorize local users is disabled () Authenticate system accounts against network services is disabled ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ These last two lines look interesting.
Craig