Thread: NSCD/LDAP Offline Authorization Problems


I'm setting up Kerberos and LDAP on my network, and want to be able to have machines do authentication/authorization offline. I have not been able to get this to work, and have the problem narrowed down to LDAP. Here is what's in /var/log/auth.log on the client when I try to log in via SSH with the LDAP server stopped:

Code:
Jan  2 00:39:23 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:23 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:23 client sshd[3050]: nss_ldap: reconnecting to LDAP server...
Jan  2 00:39:23 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:23 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:23 client sshd[3050]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jan  2 00:39:24 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: could not search LDAP server - Server is unavailable
Jan  2 00:39:24 client sshd[3050]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: pam_ldap: reconnecting to LDAP server...
Jan  2 00:39:24 client sshd[3050]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: reconnecting to LDAP server...
Jan  2 00:39:24 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jan  2 00:39:25 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:25 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:25 client sshd[3050]: nss_ldap: could not search LDAP server - Server is unavailable
Jan  2 00:39:25 client sshd[3050]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  2 00:39:25 client sshd[3050]: pam_ldap: reconnecting to LDAP server...
Jan  2 00:39:25 client sshd[3050]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  2 00:39:25 client sshd[3050]: Failed password for krbtest from 192.168.1.50 port 44792 ssh2
Jan  2 00:40:10 client nscd: nss_ldap: reconnecting to LDAP server...
Jan  2 00:40:10 client nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:40:10 client nscd: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:40:10 client nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)...
Jan  2 00:40:12 client nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:40:12 client nscd: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:40:12 client nscd: nss_ldap: could not search LDAP server - Server is unavailable
With the LDAP server started I can log in as an LDAP user fine, and don't see any of this. It appears nscd isn't caching anything, or isn't giving PAM the credentials it needs.

Here are the configuration files from the client.

/etc/pam.d/common-auth:
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
# traditional Unix authentication mechanisms.
#
# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
auth	required                        pam_group.so use_first_pass
auth	[success=5 default=ignore]	pam_krb5.so minimum_uid=1000 try_first_pass
auth	[success=4 default=ignore]	pam_unix.so nullok_secure try_first_pass
auth	[success=3 default=ignore]	pam_ldap.so use_first_pass
auth	[success=2 default=ignore]	pam_ccreds.so minimum_uid=1000 action=validate use_first_pass
auth	[default=ignore]		pam_ccreds.so minimum_uid=1000 action=update
# here's the fallback if no module succeeds
auth	requisite			pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth	required			pam_permit.so
# and here are more per-package modules (the "Additional" block)
auth	optional			pam_ccreds.so minimum_uid=1000 action=store
auth	optional	pam_ecryptfs.so unwrap
auth	optional			pam_cap.so
# end of pam-auth-update config
/etc/nsswitch.conf:
Code:
# /etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.

# pre_auth-client-config # passwd:         compat
passwd: files ldap [notfound=return] db
# pre_auth-client-config # group:          compat
group: files ldap [notfound=return] db
# pre_auth-client-config # shadow:         compat
shadow: files ldap

hosts:          files mdns4_minimal dns mdns4
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

# pre_auth-client-config # netgroup:       nis
netgroup: nis
/etc/nscd.conf:
Code:
#
# /etc/nscd.conf
#
# An example Name Service Cache config file.  This file is needed by nscd.
#
# Legal entries are:
#
#	logfile			<file>
#	debug-level		<level>
#	threads			<initial #threads to use>
#	max-threads		<maximum #threads to use>
#	server-user             <user to run server as instead of root>
#		server-user is ignored if nscd is started with -S parameters
#       stat-user               <user who is allowed to request statistics>
#	reload-count		unlimited|<number>
#	paranoia		<yes|no>
#	restart-interval	<time in seconds>
#
#       enable-cache		<service> <yes|no>
#	positive-time-to-live	<service> <time in seconds>
#	negative-time-to-live   <service> <time in seconds>
#       suggested-size		<service> <prime number>
#	check-files		<service> <yes|no>
#	persistent		<service> <yes|no>
#	shared			<service> <yes|no>
#	max-db-size		<service> <number bytes>
#	auto-propagate		<service> <yes|no>
#
# Currently supported cache names (services): passwd, group, hosts, services
#

#	logfile			/var/log/nscd.log
#	threads			4
#	max-threads		32
#	server-user		nobody
#	stat-user		somebody
	debug-level		0
#	reload-count		5
	reload-count		unlimited
	paranoia		no
#	restart-interval	3600

	enable-cache		passwd		yes
	positive-time-to-live	passwd		600
	negative-time-to-live	passwd		20
	suggested-size		passwd		211
	check-files		passwd		yes
	persistent		passwd		yes
	shared			passwd		yes
	max-db-size		passwd		33554432
	auto-propagate		passwd		yes

	enable-cache		group		yes
	positive-time-to-live	group		3600
	negative-time-to-live	group		60
	suggested-size		group		211
	check-files		group		yes
	persistent		group		yes
	shared			group		yes
	max-db-size		group		33554432
	auto-propagate		group		yes

# hosts caching is broken with gethostby* calls, hence is disabled
# per default.  See /usr/share/doc/nscd/NEWS.Debian.
	enable-cache		hosts		no
	positive-time-to-live	hosts		3600
	negative-time-to-live	hosts		20
	suggested-size		hosts		211
	check-files		hosts		yes
	persistent		hosts		yes
	shared			hosts		yes
	max-db-size		hosts		33554432

	enable-cache		services	yes
	positive-time-to-live	services	28800
	negative-time-to-live	services	20
	suggested-size		services	211
	check-files		services	yes
	persistent		services	yes
	shared			services	yes
	max-db-size		services	33554432
I've been combing through howtos, and did see mention of using libnss-db for caching in https://help.ubuntu.com/community/pamccredshowto, but I'd prefer to use nscd. Otherwise, I've been following that howto and https://help.ubuntu.com/community/ld...authentication. I've searched around, but haven't been able to find much. Has anyone else gotten offline authorization working?
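One way to keep this failure mode visible in monitoring, as an added example that is not from the thread: a small Python triage script that reads auth.log lines like the ones above and tags each "Failed password" event as a backend outage when the same process reported nss_ldap/pam_ldap connection failures shortly before it, so that outage-induced failures are not mistaken for bad credentials (or counted toward lockout/brute-force thresholds). The sample lines are constructed from the excerpt; the 60-second window and the year are assumptions.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the auth.log excerpt in the post above.
SAMPLE_LOG = """\
Jan  2 00:39:23 client sshd[3050]: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server
Jan  2 00:39:23 client sshd[3050]: nss_ldap: failed to bind to LDAP server ldap://server/: Can't contact LDAP server
Jan  2 00:39:24 client sshd[3050]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Jan  2 00:39:25 client sshd[3050]: nss_ldap: could not search LDAP server - Server is unavailable
Jan  2 00:39:25 client sshd[3050]: Failed password for krbtest from 192.168.1.50 port 44792 ssh2
Jan  2 00:40:10 client nscd: nss_ldap: reconnecting to LDAP server...
Jan  2 00:40:12 client nscd: nss_ldap: could not search LDAP server - Server is unavailable
Jan  2 00:55:00 client sshd[3190]: Failed password for krbtest from 192.168.1.50 port 44810 ssh2
"""

# syslog prefix: timestamp, host, process name, optional [pid], message
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
OUTAGE_RE = re.compile(r"Can't contact LDAP server|Server is unavailable")
FAIL_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")
YEAR = 2012  # assumption: syslog timestamps carry no year


def parse(line):
    """Split one syslog line into fields, or return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def classify_failures(text, window_s=60):
    """Return (failures, outage_count).  Each failure is a tuple
    (time, user, source, cause); cause is 'backend-outage' when the same
    process logged an LDAP outage within window_s seconds before the failure,
    otherwise 'credential' (a genuine bad password or unknown user)."""
    last_outage = {}   # (proc, pid) -> time of that process's latest outage message
    outage_count = 0
    failures = []
    for ev in filter(None, map(parse, text.splitlines())):
        key = (ev["proc"], ev["pid"])
        if OUTAGE_RE.search(ev["msg"]):
            last_outage[key] = ev["ts"]
            outage_count += 1
            continue
        f = FAIL_RE.search(ev["msg"])
        if f:
            seen = last_outage.get(key)
            recent = seen is not None and (ev["ts"] - seen).total_seconds() <= window_s
            cause = "backend-outage" if recent else "credential"
            failures.append((ev["ts"].strftime("%H:%M:%S"), f["user"], f["src"], cause))
    return failures, outage_count


if __name__ == "__main__":
    for row in classify_failures(SAMPLE_LOG)[0]:
        print(*row)
```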

So I sort of solved the problem here, or at least worked around it. I think the problem here is the libnss-pam module trying to talk to the LDAP server regardless of nscd having a cached copy of the information it needs. When the LDAP server went down, it returned failure. I tried playing with the PAM configuration, but couldn't get it working.

What I ended up doing was switching to SSSD, which I'd recommend. It wasn't hard going; I found this page and followed the guide at the bottom (the "LDAP/Kerberos + SSSD + libpam-mklocaluser" section, although I don't use libpam-mklocaluser):
http://people.skolelinux.org/pere/bl...an_laptop.html

Now I can log in to the machine with a Kerberos/LDAP account even if the authentication server is down. (Although I still have to log in once while the server is up so it can cache it, of course.)
