Hey everyone,
Try to bear with me; this is an odd/complex issue. If this isn't the correct area for this post, please move it.
Upgraded my workstation here at the office to 11.0 from 10.3. I authenticate against Active Directory, and that was working just dandy before the upgrade. I ended up doing a clean re-install. Some strange issues are afoot using the same packages and configuration as before.
FYI, I disabled the firewall just in case that was causing issues. I also disabled nscd to see if it was the culprit; no dice.
I'm able to get a Kerberos ticket just fine, but nss_ldap appears to be having issues. I'm able to run getent passwd just fine, and it lists all LDAP users.
```
dolemite:/export/home # getent passwd |grep ashinn
ashinn:*:10020:3000:Andrew Shinn:/home/ashinn:/bin/bash
```
The filesystem even appears to know the UID/GID correctly, i.e.:
```
dolemite:/export/home # ls -la
total 4
drwxr-xr-x 3 root root 19 Jun 19 16:45 .
drwxr-xr-x 3 root root 17 Jun 19 16:45 ..
drwx------ 40 ashinn UnixAdmins_GG 4096 Jun 19 16:45 ashinn
```
What's not working is NSS authentication, or utilities like id. Here is a snippet from an strace of me trying to run id:
```
stat64("/etc/ldap.conf", {st_mode=S_IFREG|0600, st_size=669, ...}) = 0
geteuid32() = 0
getsockname(3, {sa_family=AF_INET, sin_port=htons(29262), sin_addr=inet_addr("10.6.66.118")}, [16]) = 0
getpeername(3, {sa_family=AF_INET, sin_port=htons(389), sin_addr=inet_addr("10.10.10.1")}, [16]) = 0
poll(
```
And it just hangs there forever… That IP is correct for the domain controller.
My /var/log/messages shows these:
```
Jun 19 17:09:25 dolemite id: nss_ldap: reconnected to LDAP server ldap://removed after 1 attempt
Jun 19 17:18:12 dolemite id: nss_ldap: reconnected to LDAP server ldap://removed after 1 attempt
```
Here are my configuration files, with edits for obvious reasons:
**ldap.conf:**
```
base ou=prod,dc=cd,dc=ent,dc=corp
uri removed
binddn removed
bindpw removed
scope sub
ssl no
bind_policy soft
pam_filter objectClass=User
nss_base_passwd OU=Standard,OU=Accounts,OU=PROD,DC=cd,DC=ent,DC=corp?sub
nss_base_shadow OU=Standard,OU=Accounts,OU=PROD,DC=cd,DC=ent,DC=corp?sub
nss_base_group OU=Security,OU=Groups,OU=PROD,DC=cd,DC=ent,DC=corp?sub
nss_map_objectclass posixAccount user
nss_map_objectclass shadowAccount user
nss_map_objectclass posixGroup group
nss_map_attribute gecos cn
nss_map_attribute homeDirectory unixHomeDirectory
nss_map_attribute uniqueMember member
```
**common-auth:**
```
auth required pam_env.so
auth sufficient pam_unix2.so
auth sufficient pam_krb5.so
auth required pam_deny.so
```
**nsswitch.conf:**
```
passwd: files ldap
group: files ldap
hosts: files dns
networks: files dns
services: files
protocols: files
rpc: files
ethers: files
netmasks: files
netgroup: files
publickey: files
bootparams: files
automount: files
aliases: files
```
Any help or advice is appreciated! This is a total showstopper for me; I have to revert back to 10.3 if this isn't something "simple".
That means I can't upgrade any of our boxes to 11.0 either.
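One way to narrow a hang like the one in the strace above is to time-box each NSS lookup that a login (or `id`) performs, so that a backend stuck in poll() is reported as "hang" rather than freezing the shell. The script below is an added example, not part of the original post or of nss_ldap itself; the function names, the NSS_PROBE_TIMEOUT variable and the default 5-second limit are my own choices, and it assumes only POSIX sh, getent and id.

```sh
#!/bin/sh
# Added diagnostic helper (not from the original post): run NSS lookups with a
# watchdog so a blocked LDAP backend shows up as "hang" instead of a frozen shell.

# probe_nss CMD [ARGS...]: run CMD with a time limit (NSS_PROBE_TIMEOUT seconds,
# default 5, assumed name) and print exactly one of: ok, fail(<status>), hang
probe_nss() {
    limit="${NSS_PROBE_TIMEOUT:-5}"
    "$@" >/dev/null 2>&1 &
    cmd_pid=$!
    # Watchdog: if the lookup is still running after the limit, terminate it.
    # Its stdio is detached so a caller using $(...) is not held open by sleep.
    ( sleep "$limit"; kill "$cmd_pid" 2>/dev/null ) >/dev/null 2>&1 &
    watchdog_pid=$!
    if wait "$cmd_pid"; then rc=0; else rc=$?; fi
    kill "$watchdog_pid" 2>/dev/null || true
    case "$rc" in
        0)   echo ok ;;
        143) echo hang ;;            # 128+SIGTERM: the watchdog had to kill it
        *)   echo "fail($rc)" ;;
    esac
}

# nss_login_path USER: the lookups behind `id USER`, probed one at a time so
# the output shows which of them blocks (passwd, group enumeration, or id itself).
nss_login_path() {
    user="$1"
    echo "passwd lookup:     $(probe_nss getent passwd "$user")"
    echo "group enumeration: $(probe_nss getent group)"
    echo "id:                $(probe_nss id "$user")"
}

# Usage (a real user from the directory would replace "root"):
#   NSS_PROBE_TIMEOUT=10 nss_login_path root
```

A "hang" on the group enumeration or id line but "ok" on the passwd lookup points at the group side of the configuration (nss_base_group and the objectclass/attribute mappings) rather than at the connection itself, which is the distinction the getent-works-but-id-hangs symptom above leaves open.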