[CentOS] nsswitch.conf, ldap, local groups problem
Mark Hennessy
mark at hennessy.cx
Thu Aug 28 00:41:50 UTC 2008
Quoting Craig White <craigwhite at azapple.com>:
> On Wed, 2008-08-27 at 17:56 -0400, Mark Hennessy wrote:
>> Quoting Craig White <craigwhite at azapple.com>:
>
>> > well, it hardly makes any sense to use ldap for user accounts and start
>> > up with networking off but I would recommend that you adhere to the
>> > advice at the top of the file and run 'authconfig' or
>> > 'system-config-authentication', make sure the settings are correct
>> > (including checking the box for local authentication is sufficient) so
>> > that it configures not only /etc/pam.d/system-auth and nsswitch.conf
>>
>> Yes, I agree, it makes no sense to operate a machine with ldap
>> accounts if it has no network connection, but at least one should be
>> able to log in as root. To clarify, here's the problem:
>> I have a machine. In normal operation, the network connection is
>> non-functional and LDAP accounts are usable and everyone does their
>> thing over ssh. If the network connection craps out, I can get into
>> the machine via serial console and try to find out what's going on,
>> perhaps switch to a different network connection, whatever. If I
>> can't log in as root, my only recourse is to powercycle the machine
>> and go into single-user mode. Now, multiply that by 100. This is why
>> I need to get this working.
> ----
> sounds like you're trying to fix a symptom, not the problem.
>
> anyway, did you run authconfig/system-config-authentication ?
Yes, I did in fact run it.
here are the results:
authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com
--enableldaptls
--ldaploadcacert=file:///etc/openldap/cacerts/cacert.pem --test
caching is enabled
nss_files is always enabled
nss_compat is enabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap.example.com"
LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "WORKGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "blah-blah"
SMB idmap gid = "blah-blah"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
md5 passwords are enabled
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com:88"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap.example.com"
LDAP base DN = "dc=example,dc=com"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_smb_auth is disabled
SMB workgroup = "WORKGROUP"
SMB servers = ""
pam_winbind is disabled
SMB workgroup = "WORKGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3 debug)
pam_passwdqc is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These last two lines look interesting.
> Craig
>
More information about the CentOS
mailing list