[SOLVED] PAM and LDAP on CentOS - please help
Hi everybody,
I still just can't manage to get Zimbra running with Samba and LDAP on a CentOS server. This is what I get when I try to join the domain:
Code:
check_ntlm_password: Checking password for unmapped user [VWL]\[chef]@[LAPTOP046] with the new password interface
[2010/04/01 16:43:08.284258, 3] auth/auth.c:219(check_ntlm_password)
check_ntlm_password: mapped user is: [VWL]\[chef]@[LAPTOP046]
[2010/04/01 16:43:08.284288, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.284309, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/04/01 16:43:08.284324, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.289579, 3] lib/smbldap.c:735(smb_ldap_start_tls)
StartTLS issued: using a TLS connection
[2010/04/01 16:43:08.289618, 2] lib/smbldap.c:950(smbldap_open_connection)
smbldap_open_connection: connection opened
[2010/04/01 16:43:08.290094, 3] lib/smbldap.c:1166(smbldap_connect_system)
ldap_connect_system: successful connection to the LDAP server
[2010/04/01 16:43:08.290581, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: chef
[2010/04/01 16:43:08.290696, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290714, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290729, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290788, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290861, 0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
pdb_get_group_sid: Failed to find Unix account for chef
[2010/04/01 16:43:08.290880, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290895, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290908, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290935, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290973, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290989, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291003, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.291029, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291052, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/04/01 16:43:08.291135, 3] smbd/sec_ctx.c:210(push_sec_ctx)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291171, 3] smbd/uid.c:429(push_conn_ctx)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/04/01 16:43:08.291190, 3] smbd/sec_ctx.c:310(set_sec_ctx)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291211, 1] auth/auth_util.c:580(make_server_info_sam)
User chef in passdb, but getpwnam() fails!
[2010/04/01 16:43:08.291232, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/04/01 16:43:08.291247, 0] auth/auth_sam.c:490(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2010/04/01 16:43:08.291274, 3] auth/auth_winbind.c:54(check_winbind_security)
check_winbind_security: Not using winbind, requested domain [VWL] was for this SAM.
[2010/04/01 16:43:08.291290, 2] auth/auth.c:314(check_ntlm_password)
check_ntlm_password: Authentication for user [chef] -> [chef] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/04/01 16:43:08.291317, 3] smbd/error.c:80(error_packet_set)
I can create the LDAP users properly through the Zimbra Admin Interface without problems and see the whole structure correctly with a graphical tool like Ldapadmin.
The first question I am not really sure about: Do I actually NEED a Unix account for the user? I assume I don't. From my understanding, PAM is configured to authorize against the LDAP database.
I am running Zimbra on CentOS 5.4 64bit. I'm a little lost with the PAM configuration. I'm not really sure whether I need to edit the /etc/pam.d/ files, or if I need to use authconfig with several options.
My /etc/pam.d/system-auth:
Code:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
authconfig --test gives me the following:
Code:
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://myserver.xxx.yyy.de/"
LDAP base DN = "dc=xxx,dc=yyy,dc=de"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "WORKGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
password hashing algorithm is md5
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com:88"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled
LDAP+TLS is enabled
LDAP server = "ldap://myserver.xxx.yyy.de/"
LDAP base DN = "dc=xxx,dc=yyy,dc=de"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignorieren"
pam_smb_auth is disabled
SMB workgroup = "WORKGROUP"
SMB servers = ""
pam_winbind is disabled
SMB workgroup = "WORKGROUP"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
I have been working on this problem for days and weeks by now. I think I've read through 1,000 Google results, but I still haven't found any solution. So if anybody is familiar with this, I would really be happy if you could help me out!
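The decisive lines in the Samba log above are "Failed to find Unix account for chef", "User chef in passdb, but getpwnam() fails!" and the resulting NT_STATUS_NO_SUCH_USER. Samba found the account in its LDAP passdb, but the C library's getpwnam() (which follows /etc/nsswitch.conf, here nss_ldap) returned nothing for it. The following script is an added example, not code from the original post or from Samba or Zimbra: it parses Samba log entries in the format shown, picks out that passdb/NSS mismatch, and then performs the same getpwnam() lookup from Python so the NSS side can be checked directly on the server. The sample log is constructed from the lines quoted in the post; the function names are the example's own.

```python
"""Check whether a Samba passdb user is also resolvable through NSS.

Added example (not part of the original post). Samba resolves every
passdb user with the libc getpwnam() call, which consults the sources
listed in /etc/nsswitch.conf. If that lookup fails, authentication ends
in NT_STATUS_NO_SUCH_USER even though the LDAP entry exists.
"""
import pwd
import re

# Samba log format: a header "[timestamp, level] file:line(function)"
# followed by the message on the next line.
HEADER = re.compile(r"^\[(?P<ts>[^,]+), (?P<level>\d+)\] (?P<src>\S+)$")

# Messages that indicate a passdb entry with no matching NSS account.
FAILURE_PATTERNS = {
    "no_unix_account": re.compile(r"Failed to find Unix account for (\S+)"),
    "getpwnam_fails": re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!"),
}

# Constructed sample: the relevant entries quoted in the post.
SAMPLE_LOG = """
[2010/04/01 16:43:08.290581, 2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
init_sam_from_ldap: Entry found for user: chef
[2010/04/01 16:43:08.290861, 0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
pdb_get_group_sid: Failed to find Unix account for chef
[2010/04/01 16:43:08.291211, 1] auth/auth_util.c:580(make_server_info_sam)
User chef in passdb, but getpwnam() fails!
[2010/04/01 16:43:08.291247, 0] auth/auth_sam.c:490(check_sam_security)
check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
"""


def parse_samba_log(text):
    """Pair each header line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    entries = []
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i])
        if m and i + 1 < len(lines):
            entries.append({
                "ts": m["ts"],
                "level": int(m["level"]),
                "src": m["src"],
                "msg": lines[i + 1],
            })
            i += 2
        else:
            i += 1  # skip stray lines (e.g. a header cut off at the end)
    return entries


def find_nss_failures(entries):
    """Return (kind, username) for every entry showing a passdb/NSS mismatch."""
    found = []
    for entry in entries:
        for kind, pattern in FAILURE_PATTERNS.items():
            m = pattern.search(entry["msg"])
            if m:
                found.append((kind, m.group(1)))
    return found


def nss_resolves(username):
    """The same libc getpwnam() Samba calls; passwd entry or None."""
    try:
        return pwd.getpwnam(username)
    except KeyError:
        return None


def diagnose(text):
    """Map each user named in a failure to whether NSS resolves it here."""
    users = sorted({user for _, user in find_nss_failures(parse_samba_log(text))})
    return {user: nss_resolves(user) is not None for user in users}


if __name__ == "__main__":
    for user, ok in diagnose(SAMPLE_LOG).items():
        state = "resolvable" if ok else "NOT resolvable"
        print(f"{user}: in Samba passdb, {state} via getpwnam()/NSS on this host")
```

Run it on the server where Samba logs the failure (replace SAMPLE_LOG with the real log text). A user reported as "NOT resolvable" confirms that the account is missing on the NSS side, which is what `getent passwd <user>` would also show; the fix is then on the NSS/LDAP side (the entry must carry the POSIX attributes nss_ldap maps to a passwd record, and nsswitch.conf must list ldap for passwd and group), not in the PAM stack, which Samba does not use for this lookup.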