[CentOS] nsswitch.conf, ldap, local groups problem

Thu Aug 28 00:41:50 UTC 2008
Mark Hennessy <mark at hennessy.cx>

Quoting Craig White <craigwhite at azapple.com>:

> On Wed, 2008-08-27 at 17:56 -0400, Mark Hennessy wrote:
>> Quoting Craig White <craigwhite at azapple.com>:
>
>> > well, it hardly makes any sense to use ldap for user accounts and start
>> > up with networking off but I would recommend that you adhere to the
>> > advice at the top of the file and run 'authconfig' or
>> > 'system-config-authentication', make sure the settings are correct
>> > (including checking the box for local authentication is sufficient) so
>> > that it configures not only /etc/pam.d/system-auth and nsswitch.conf
>>
>> Yes, I agree, it makes no sense to operate a machine with ldap
>> accounts if it has no network connection, but at least one should be
>> able to log in as root.  To clarify, here's the problem:
>> I have a machine.  In normal operation, the network connection is
>> non-functional and LDAP accounts are usable and everyone does their
>> thing over ssh.  If the network connection craps out, I can get into
>> the machine via serial console and try to find out what's going on,
>> perhaps switch to a different network connection, whatever.  If I
>> can't log in as root, my only recourse is to powercycle the machine
>> and go into single-user mode.  Now, multiply that by 100.  This is why
>> I need to get this working.
> ----
> sounds like you're trying to fix a symptom, not the problem.
>
> anyway, did you run authconfig/system-config-authentication ?

Yes, I did in fact run it.
here are the results:
authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com  
--enableldaptls  
--ldaploadcacert=file:///etc/openldap/cacerts/cacert.pem --test

caching is enabled
nss_files is always enabled
nss_compat is enabled
nss_db is disabled
nss_hesiod is disabled
  hesiod LHS = ""
  hesiod RHS = ""
nss_ldap is enabled
  LDAP+TLS is enabled
  LDAP server = "ldap.example.com"
  LDAP base DN = "dc=example,dc=com"
nss_nis is disabled
  NIS server = ""
  NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
  SMB workgroup = "WORKGROUP"
  SMB servers = ""
  SMB security = "user"
  SMB realm = ""
  Winbind template shell = "/bin/false"
  SMB idmap uid = "blah-blah"
  SMB idmap gid = "blah-blah"
nss_wins is disabled
pam_unix is always enabled
  shadow passwords are enabled
  md5 passwords are enabled
pam_krb5 is disabled
  krb5 realm = "EXAMPLE.COM"
  krb5 realm via dns is disabled
  krb5 kdc = "kerberos.example.com:88"
  krb5 kdc via dns is disabled
  krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled

  LDAP+TLS is enabled
  LDAP server = "ldap.example.com"
  LDAP base DN = "dc=example,dc=com"
pam_pkcs11 is disabled

  use only smartcard for login is disabled
  smartcard module = "coolkey"
  smartcard removal action = "Ignore"
pam_smb_auth is disabled
  SMB workgroup = "WORKGROUP"
  SMB servers = ""
pam_winbind is disabled
  SMB workgroup = "WORKGROUP"
  SMB servers = ""
  SMB security = "user"
  SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3 debug)
pam_passwdqc is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
These last two lines look interesting.

> Craig
>