Go Back   Zimbra :: Forums > Zimbra Collaboration Suite > Installation
#1
04-01-2010, 08:06 AM
Intermediate Member

[SOLVED] PAM and LDAP on CentOS - please help

Hi everybody,

I still just can't manage to get Zimbra running with Samba and LDAP on a CentOS server. This is what I get when I try to join the domain:

Code:
check_ntlm_password:  Checking password for unmapped user [VWL]\[chef]@[LAPTOP046] with the new password interface
[2010/04/01 16:43:08.284258,  3] auth/auth.c:219(check_ntlm_password)
  check_ntlm_password:  mapped user is: [VWL]\[chef]@[LAPTOP046]
[2010/04/01 16:43:08.284288,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.284309,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/04/01 16:43:08.284324,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.289579,  3] lib/smbldap.c:735(smb_ldap_start_tls)
  StartTLS issued: using a TLS connection
[2010/04/01 16:43:08.289618,  2] lib/smbldap.c:950(smbldap_open_connection)
  smbldap_open_connection: connection opened
[2010/04/01 16:43:08.290094,  3] lib/smbldap.c:1166(smbldap_connect_system)
  ldap_connect_system: successful connection to the LDAP server
[2010/04/01 16:43:08.290581,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: chef
[2010/04/01 16:43:08.290696,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290714,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290729,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290788,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290861,  0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for chef
[2010/04/01 16:43:08.290880,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290895,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290908,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290935,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.290973,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.290989,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291003,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 2
[2010/04/01 16:43:08.291029,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291052,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/04/01 16:43:08.291135,  3] smbd/sec_ctx.c:210(push_sec_ctx)
  push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291171,  3] smbd/uid.c:429(push_conn_ctx)
  push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2010/04/01 16:43:08.291190,  3] smbd/sec_ctx.c:310(set_sec_ctx)
  setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/01 16:43:08.291211,  1] auth/auth_util.c:580(make_server_info_sam)
  User chef in passdb, but getpwnam() fails!
[2010/04/01 16:43:08.291232,  3] smbd/sec_ctx.c:418(pop_sec_ctx)
  pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2010/04/01 16:43:08.291247,  0] auth/auth_sam.c:490(check_sam_security)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
[2010/04/01 16:43:08.291274,  3] auth/auth_winbind.c:54(check_winbind_security)
  check_winbind_security: Not using winbind, requested domain [VWL] was for this SAM.
[2010/04/01 16:43:08.291290,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [chef] -> [chef] FAILED with error NT_STATUS_NO_SUCH_USER
[2010/04/01 16:43:08.291317,  3] smbd/error.c:80(error_packet_set)
I can create the LDAP users properly through the Zimbra Admin Interface without problems and see the whole structure correctly with a graphical tool like Ldapadmin.

The first question I am not really sure about: do I actually NEED a Unix account for the user? I assume I don't. From my understanding, PAM is configured to authorize against the LDAP database.

I am running Zimbra on CentOS 5.4 64bit. I'm a little lost with the PAM configuration. I'm not really sure whether I need to edit the /etc/pam.d/ files, or if I need to use authconfig with several options.

My /etc/pam.d/system-auth:

Code:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_ldap.so
authconfig --test gives me the following:
Code:
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
 hesiod LHS = ""
 hesiod RHS = ""
nss_ldap is enabled
 LDAP+TLS is enabled
 LDAP server = "ldap://myserver.xxx.yyy.de/"
 LDAP base DN = "dc=xxx,dc=yyy,dc=de"
nss_nis is disabled
 NIS server = ""
 NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
 SMB workgroup = "WORKGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
 Winbind template shell = "/bin/false"
 SMB idmap uid = "16777216-33554431"
 SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
 shadow passwords are enabled
 password hashing algorithm is md5
pam_krb5 is disabled
 krb5 realm = "EXAMPLE.COM"
 krb5 realm via dns is disabled
 krb5 kdc = "kerberos.example.com:88"
 krb5 kdc via dns is disabled
 krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled

 LDAP+TLS is enabled
 LDAP server = "ldap://myserver.xxx.yyy.de/"
 LDAP base DN = "dc=xxx,dc=yyy,dc=de"
pam_pkcs11 is disabled

 use only smartcard for login is disabled
 smartcard module = "coolkey"
 smartcard removal action = "Ignorieren"
pam_smb_auth is disabled
 SMB workgroup = "WORKGROUP"
 SMB servers = ""
pam_winbind is disabled
 SMB workgroup = "WORKGROUP"
 SMB servers = ""
 SMB security = "user"
 SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
pam_access is disabled ()
pam_mkhomedir is enabled ()
Always authorize local users is enabled ()
Authenticate system accounts against network services is disabled
I have been working on this problem for days and weeks by now. I think I've read through 1,000 Google results, but I still haven't found any solution. So if anybody is familiar with this, I would really be happy if you could help me out!
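The log in the post above already contains the diagnosis: `init_sam_from_ldap: Entry found for user: chef` shows the sambaSamAccount is in LDAP, and `User chef in passdb, but getpwnam() fails!` shows the NSS lookup (the same call `getent passwd chef` makes) does not resolve the user, which is why Samba answers NT_STATUS_NO_SUCH_USER. So yes, Samba does need the account to be resolvable as a Unix account through NSS, even though it never looks in /etc/passwd. The following added example (not code from the thread, from Zimbra or from Samba) reduces such a Samba debug trace to that conclusion, performs the NSS check in-process, and audits a `getent passwd` line against the system-auth stack shown above, whose `pam_succeed_if.so uid >= 500` line sits before pam_ldap and therefore rejects LDAP users with a lower UID. The sample log lines are constructed from the post; the pwd-module resolver is injectable so the logic can be exercised without a live directory.

```python
"""Triage of a Samba auth trace where the account is found in the LDAP passdb
but getpwnam() (the NSS lookup behind `getent passwd`) fails.
Added example, not code from the thread, Zimbra or Samba."""
import pwd
import re
from typing import Callable, Dict, List

# Message formats copied from the Samba 3 debug lines quoted in the post.
RE_PASSDB_HIT = re.compile(r"init_sam_from_ldap: Entry found for user: (\S+)")
RE_GETPWNAM_FAIL = re.compile(r"User (\S+) in passdb, but getpwnam\(\) fails!")
RE_NO_UNIX_ACCT = re.compile(r"Failed to find Unix account for (\S+)")
RE_AUTH_FAIL = re.compile(r"Authentication for user \[(\S+)\] -> \[\S+\] FAILED with error (NT_STATUS_\w+)")

# Constructed sample: the relevant lines of the log in the post (debug level >= 1 only).
SAMPLE_LOG = """\
[2010/04/01 16:43:08.290581,  2] passdb/pdb_ldap.c:572(init_sam_from_ldap)
  init_sam_from_ldap: Entry found for user: chef
[2010/04/01 16:43:08.290861,  0] passdb/pdb_get_set.c:212(pdb_get_group_sid)
  pdb_get_group_sid: Failed to find Unix account for chef
[2010/04/01 16:43:08.291211,  1] auth/auth_util.c:580(make_server_info_sam)
  User chef in passdb, but getpwnam() fails!
[2010/04/01 16:43:08.291290,  2] auth/auth.c:314(check_ntlm_password)
  check_ntlm_password:  Authentication for user [chef] -> [chef] FAILED with error NT_STATUS_NO_SUCH_USER
""".splitlines()


def triage_samba_log(lines: List[str]) -> Dict[str, object]:
    """Reduce a Samba auth trace to: who, passdb entry found?, NSS failed?, final NT status."""
    r: Dict[str, object] = {"user": None, "passdb_found": False, "getpwnam_failed": False, "nt_status": None}
    for line in lines:
        if m := RE_PASSDB_HIT.search(line):
            r["user"], r["passdb_found"] = m.group(1), True
        elif m := (RE_GETPWNAM_FAIL.search(line) or RE_NO_UNIX_ACCT.search(line)):
            r["user"], r["getpwnam_failed"] = m.group(1), True
        elif m := RE_AUTH_FAIL.search(line):
            r["user"], r["nt_status"] = m.group(1), m.group(2)
    if r["passdb_found"] and r["getpwnam_failed"]:
        r["diagnosis"] = ("sambaSamAccount found in LDAP but NSS cannot resolve the user: "
                          "check the nss_ldap bind DN/password and base DN, flush nscd, and make "
                          "sure the entry also carries posixAccount attributes")
    elif not r["passdb_found"]:
        r["diagnosis"] = "no passdb hit in the log: user not in the Samba passdb, or log level too low"
    else:
        r["diagnosis"] = "passdb and NSS both resolved the user; the failure is elsewhere (password, policy)"
    return r


def check_nss(users: List[str], resolver: Callable[[str], object] = pwd.getpwnam) -> Dict[str, bool]:
    """Equivalent of `getent passwd <user>` per name; `resolver` is injectable for offline tests."""
    result: Dict[str, bool] = {}
    for user in users:
        try:
            resolver(user)
            result[user] = True
        except KeyError:
            result[user] = False
    return result


def audit_passwd_line(line: str, min_uid: int = 500) -> List[str]:
    """Check one `getent passwd` line against the system-auth stack in the post, where
    `auth requisite pam_succeed_if.so uid >= 500` precedes pam_ldap: an LDAP user with a
    lower UID is rejected by PAM even though NSS resolves it."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 7:
        return ["malformed passwd entry (expected 7 colon-separated fields)"]
    name, _pw, uid, _gid, _gecos, home, shell = fields
    issues = []
    if int(uid) < min_uid:
        issues.append(f"{name}: uid {uid} < {min_uid}, pam_succeed_if rejects LDAP auth")
    if not shell:
        issues.append(f"{name}: empty login shell field; set loginShell in LDAP if interactive logins are wanted")
    if not home.startswith("/"):
        issues.append(f"{name}: home directory {home!r} is not absolute")
    return issues


if __name__ == "__main__":
    report = triage_samba_log(SAMPLE_LOG)
    print(report["diagnosis"])
    print(check_nss([report["user"]]))  # live NSS lookup on this host, like `getent passwd chef`
    print(audit_passwd_line("chef:*:1002:10002:DomainAdminTest:/home/chef:"))
```

Run it on the host after `nscd -i passwd` so a stale cache does not mask a fix; if `check_nss` returns False for a user that `ldapsearch` shows, the problem is between nss_ldap and the directory (bind credentials, base DN, filter), not in Samba or in /etc/pam.d.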
#2
04-01-2010, 08:14 AM
Moderator

Why are you trying to join the domain? That is not necessary when using an LDAP backend. If you run
Code:
getent passwd
do you see the LDAP users? You can also flush the cache with
Code:
nscd -i passwd
#3
04-01-2010, 08:20 AM
Intermediate Member

OK, for some reason when I run getent passwd, I can't see the users anymore. I probably messed up the configuration now, as two hours ago it was still working. However, I could not su to the user I saw there that were created through the Zimbra Admin Console (the syntax of those users was user:*:...).

I'm not really sure what you mean by why I am trying to join the domain. I am trying to log on from a Windows computer with a Domain Admin to add the machine to the domain.
#4
04-01-2010, 08:24 AM
Moderator

Which guide are you following? I will take a look-see.
#5
04-01-2010, 08:27 AM
Intermediate Member

Ok, getent passwd is running again, it shows me my user:

Code:
chef:*:1002:10002:DomainAdminTest:/home/chef:
I followed the wiki page "UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0" (Zimbra :: Wiki).

P.S.: When I do the ldapsearch, I can see my user "chef"

Last edited by Paulatia; 04-01-2010 at 08:55 AM.
#6
04-12-2010, 09:28 AM
Intermediate Member

OK, if no one has an answer, can somebody confirm that the fact that I can't even su to the user I can see when running getent passwd indicates that the error must be in PAM? When I try to su to my user "chef", I get the error "user unknown".

My /etc/pam.d/su looks like this:

Code:
#%PAM-1.0
auth            sufficient      pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            include         system-auth
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         optional        pam_xauth.so
Thanks for any help!
#7
04-13-2010, 04:59 AM
Intermediate Member

OK, I finally solved it after checking all LDAP user logins... I had high-security passwords for the users zimbra, zmposixroot and zmposix. It seems like the password for zmposix included one or more characters which didn't work. I switched the password to "test" and it works fine; switching it back to my $§/(&Q§)&%§)(-password causes the same problem again.

Thanks to everybody who spent time looking at this! I'm really glad it's finally working.
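The resolution above is a credential-transport problem, not a PAM one: zmposix is the account nss_ldap binds with, and a password full of `$`, `(`, `)`, `&` and `%` is easy to mangle on the way into a shell command line (`-w $§/(...` is shell syntax, not a string), a config file or Samba's secrets.tdb, so lookups silently fail and `getent passwd` goes empty. Before simplifying a strong password, confirm the exact bytes work against the directory. The following is an added example, not code from the thread, Zimbra or Samba: a stdlib-only LDAPv3 simple-bind probe that hand-encodes the BER framing (RFC 4511) so the bytes that leave the machine are exactly the bytes you read from a root-only file, with no shell or config parser in between. It issues StartTLS first, matching the "LDAP+TLS is enabled" line in the authconfig output above, so the password is not sent in clear. The host, the bind DN and the password file path in the usage line are placeholders; use the DN the wiki procedure actually created.

```python
"""Probe an LDAPv3 simple bind with exactly the credential bytes you hand it, to confirm
that the bind DN and password nss_ldap, pam_ldap and Samba are supposed to use really work.
Added example, not code from the thread, Zimbra or Samba; host, DN and password file are placeholders."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # StartTLS extended operation (RFC 4511)

def _ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _small_int(n: int) -> bytes:
    """INTEGER 0..127, enough for messageID and the protocol version."""
    return _tlv(0x02, bytes([n]))

def build_bind_request(msg_id: int, dn: str, password: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version 3, name, simple [0] } }.
    The password goes in byte for byte; nothing interprets it on the way."""
    bind = _tlv(0x60, _small_int(3) + _tlv(0x04, dn.encode("utf-8")) + _tlv(0x80, password))
    return _tlv(0x30, _small_int(msg_id) + bind)

def build_starttls_request(msg_id: int) -> bytes:
    """ExtendedRequest [APPLICATION 23] whose requestName [0] is the StartTLS OID."""
    return _tlv(0x30, _small_int(msg_id) + _tlv(0x77, _tlv(0x80, STARTTLS_OID)))

def _read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def parse_result_code(msg: bytes) -> int:
    """resultCode of a BindResponse [APPLICATION 1] or ExtendedResponse [APPLICATION 24]:
    0 = success, 49 = invalidCredentials (the bytes differ from what the directory holds)."""
    tag, s, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, s = _read_tlv(msg, s)          # skip messageID
    op, s, _ = _read_tlv(msg, s)
    if op not in (0x61, 0x78):
        raise ValueError(f"unexpected protocolOp tag 0x{op:02x}")
    code_tag, cs, ce = _read_tlv(msg, s)  # LDAPResult starts with ENUMERATED resultCode
    if code_tag != 0x0A:
        raise ValueError("missing resultCode")
    return int.from_bytes(msg[cs:ce], "big")

def _recv_exact(sock, n: int) -> bytes:
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("LDAP server closed the connection")
        data += chunk
    return data

def _recv_message(sock) -> bytes:
    """Read one complete LDAPMessage, honouring long-form lengths."""
    head = _recv_exact(sock, 2)
    length, extra = head[1], b""
    if length & 0x80:
        extra = _recv_exact(sock, length & 0x7F)
        length = int.from_bytes(extra, "big")
    return head + extra + _recv_exact(sock, length)

def ldap_simple_bind(host: str, port: int, dn: str, password: bytes,
                     starttls: bool = True, cafile: str = None, timeout: float = 5.0) -> int:
    """Return the server's bind resultCode. With starttls=False the password crosses the
    wire in clear text, so only do that against 127.0.0.1."""
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if starttls:
            sock.sendall(build_starttls_request(1))
            code = parse_result_code(_recv_message(sock))
            if code != 0:
                return code
            # cafile: the CA that signed the LDAP server certificate (a self-signed Zimbra CA, typically)
            sock = ssl.create_default_context(cafile=cafile).wrap_socket(sock, server_hostname=host)
        sock.sendall(build_bind_request(2, dn, password))
        return parse_result_code(_recv_message(sock))
    finally:
        sock.close()

if __name__ == "__main__":
    # usage: python3 ldapbind.py ldap.example.com "uid=zmposix,cn=appaccts,cn=zimbra" /root/zmposix.pw
    # Placeholders. The password is read as raw bytes from a root-only file, so $ ( ) & % never meet a shell.
    host, dn, pwfile = sys.argv[1:4]
    with open(pwfile, "rb") as f:
        pw = f.read().rstrip(b"\n")
    print("resultCode", ldap_simple_bind(host, 389, dn, pw))
```

If the probe returns 0 with the strong password, the directory is fine and the mangled copy lives on the client side (the bindpw in nss_ldap's configuration, or Samba's copy stored with `smbpasswd -w`); if it returns 49, the value stored in LDAP itself is not what you think it is. The OpenLDAP tool `ldapwhoami -x -ZZ -D "<dn>" -W` does the same check and prompts for the password, which likewise keeps it away from shell quoting.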