Quoting Craig White <craigwhite at azapple.com>: > On Wed, 2008-08-27 at 17:56 -0400, Mark Hennessy wrote: >> Quoting Craig White <craigwhite at azapple.com>: > >> > well, it hardly makes any sense to use ldap for user accounts and start >> > up with networking off but I would recommend that you adhere to the >> > advice at the top of the file and run 'authconfig' or >> > 'system-config-authentication', make sure the settings are correct >> > (including checking the box for local authentication is sufficient) so >> > that it configures not only /etc/pam.d/system-auth and nsswitch.conf >> >> Yes, I agree, it makes no sense to operate a machine with ldap >> accounts if it has no network connection, but at least one should be >> able to log in as root. To clarify, here's the problem: >> I have a machine. In normal operation, the network connection is >> non-functional and LDAP accounts are usable and everyone does their >> thing over ssh. If the network connection craps out, I can get into >> the machine via serial console and try to find out what's going on, >> perhaps switch to a different network connection, whatever. If I >> can't log in as root, my only recourse is to powercycle the machine >> and go into single-user mode. Now, multiply that by 100. This is why >> I need to get this working. > ---- > sounds like you're trying to fix a symptom, not the problem. > > anyway, did you run authconfig/system-config-authentication ? Yes, I did in fact run it. here are the results: authconfig --enableldap --enableldapauth --ldapserver=ldap.example.com --enableldaptls --ldaploadcacert=file:///etc/openldap/cacerts/cacert.pem --test caching is enabled nss_files is always enabled nss_compat is enabled nss_db is disabled nss_hesiod is disabled hesiod LHS = "" hesiod RHS = "" nss_ldap is enabled LDAP+TLS is enabled LDAP server = "ldap.example.com" LDAP base DN = "dc=example,dc=com" nss_nis is disabled NIS server = "" NIS domain = "" nss_nisplus is disabled nss_winbind is disabled SMB workgroup = "WORKGROUP" SMB servers = "" SMB security = "user" SMB realm = "" Winbind template shell = "/bin/false" SMB idmap uid = "blah-blah" SMB idmap gid = "blah-blah" nss_wins is disabled pam_unix is always enabled shadow passwords are enabled md5 passwords are enabled pam_krb5 is disabled krb5 realm = "EXAMPLE.COM" krb5 realm via dns is disabled krb5 kdc = "kerberos.example.com:88" krb5 kdc via dns is disabled krb5 admin server = "kerberos.example.com:749" pam_ldap is enabled LDAP+TLS is enabled LDAP server = "ldap.example.com" LDAP base DN = "dc=example,dc=com" pam_pkcs11 is disabled use only smartcard for login is disabled smartcard module = "coolkey" smartcard removal action = "Ignore" pam_smb_auth is disabled SMB workgroup = "WORKGROUP" SMB servers = "" pam_winbind is disabled SMB workgroup = "WORKGROUP" SMB servers = "" SMB security = "user" SMB realm = "" pam_cracklib is enabled (try_first_pass retry=3 debug) pam_passwdqc is disabled () Always authorize local users is disabled () Authenticate system accounts against network services is disabled ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ These last two lines look interesting. > Craig >