More LDAP struggles


I’m again trying to get LDAP to work, instead of having to copy around flat files.  Today I used

authconfig --savebackup=name

which writes out a directory in /var/lib/authconfig/name of all the files involved with authentication.  I did that on both Sampras (F14 client that successfully uses LDAP) and thrush (CentOS client that doesn’t successfully use LDAP).  When I discovered today that Sampras has an /etc/nss_ldap.conf file that Thrush lacks, I felt like I was onto something.

I found this post: https://www.centos.org/modules/newbb/viewtopic.php?topic_id=32402 which mentioned that some of these files have been renamed even between different versions of CentOS.  *sigh*. I did

[root@sampras] rpm -qf /etc/nss_ldap.conf 
nss_ldap-265-6.fc14.i686

but no such package exists for CentOS.  Much discouragement.  However, that site mentioned files such as /etc/pam_ldap.conf, which Thrush also lacks.  So I did

[root@thrush ~] yum whatprovides /etc/pam_ldap.conf
Loaded plugins: fastestmirror, refresh-packagekit, security
Loading mirror speeds from cached hostfile
pam_ldap-185-11.el6.i686 : PAM module for LDAP
Repo        : base
Matched from:
Filename    : /etc/pam_ldap.conf

[root@thrush ~] rpm -q pam_ldap
package pam_ldap is not installed
[root@thrush ~] yum -y install pam_ldap
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : pam_ldap-185-11.el6.i686                                                                           1/1 
  Verifying  : pam_ldap-185-11.el6.i686                                                                           1/1 

Installed:
  pam_ldap.i686 0:185-11.el6                                                                                          

Complete!
[root@thrush ~]

Okay, that’s interesting.  The guy in the post said he just made his /etc/pam_ldap.conf file be a symlink to /etc/openldap/ldap.conf, so I’ll try that:

[root@thrush etc] mv pam_ldap.conf pam_ldap.conf.orig
[root@thrush etc] ln -s /etc/openldap/ldap.conf pam_ldap.conf
[root@thrush etc] ls -l pam_ldap.conf
lrwxrwxrwx 1 root root 23 Sep  3 21:51 pam_ldap.conf -> /etc/openldap/ldap.conf
[root@thrush etc]

Okay, let’s try undoing the account files and rebooting (‘cuz I don’t know what services need to be restarted for ldap/pam/etc):

[root@thrush etc] /usr/network/fixes/account-files-undo
[root@thrush etc] w
 21:54:55 up 4 days, 12:12,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
root     pts/2    tempest.wellesle 21:45    0.00s  0.03s  0.00s w
[root@thrush etc] reboot
Broadcast message from root@thrush.wellesley.edu
    (/dev/pts/2) at 21:55 ...

The system is going down for reboot NOW!
[root@thrush etc] Connection to thrush closed by remote host.
Connection to thrush closed.
[root@tempest tmp]#

Okay, let’s try:

[root@tempest tmp]# ssh thrush
Last login: Mon Sep  3 21:45:41 2012 from tempest.wellesley.edu
[root@thrush ~] getent passwd anderson
anderson:*:716:501:Scott D. Anderson,E114:/home/anderson:/bin/bash
[root@thrush ~] logout
Connection to thrush closed.
[root@tempest tmp]# ssh anderson@thrush
anderson@thrush's password: 
Permission denied, please try again.
anderson@thrush's password: 
Permission denied, please try again.
anderson@thrush's password:

Nope.  Still no luck.

[root@thrush ~] authconfig --savebackup=thrush2
[root@thrush ~] diff -qr /var/lib/authconfig/backup-thrush2 /usr/network/tmp/backup-sampras/
Files /var/lib/authconfig/backup-thrush2/authconfig and /usr/network/tmp/backup-sampras/authconfig differ
Files /var/lib/authconfig/backup-thrush2/fingerprint-auth-ac and /usr/network/tmp/backup-sampras/fingerprint-auth-ac differ
Files /var/lib/authconfig/backup-thrush2/login.defs and /usr/network/tmp/backup-sampras/login.defs differ
Files /var/lib/authconfig/backup-thrush2/network and /usr/network/tmp/backup-sampras/network differ
Only in /usr/network/tmp/backup-sampras/: nss_ldap.conf
Files /var/lib/authconfig/backup-thrush2/nsswitch.conf and /usr/network/tmp/backup-sampras/nsswitch.conf differ
Files /var/lib/authconfig/backup-thrush2/openldap.conf and /usr/network/tmp/backup-sampras/openldap.conf differ
Files /var/lib/authconfig/backup-thrush2/pam_ldap.conf and /usr/network/tmp/backup-sampras/pam_ldap.conf differ
Only in /usr/network/tmp/backup-sampras/: pam_pkcs11.conf
Files /var/lib/authconfig/backup-thrush2/password-auth-ac and /usr/network/tmp/backup-sampras/password-auth-ac differ
Files /var/lib/authconfig/backup-thrush2/smartcard-auth-ac and /usr/network/tmp/backup-sampras/smartcard-auth-ac differ
Files /var/lib/authconfig/backup-thrush2/smb.conf and /usr/network/tmp/backup-sampras/smb.conf differ
Files /var/lib/authconfig/backup-thrush2/system-auth-ac and /usr/network/tmp/backup-sampras/system-auth-ac differ
[root@thrush ~]

Okay, I’ve looked at all these differences and haven’t seen anything that seems significant.  One possibility is that password-auth-ac has pam_ldap.so on sampras, while thrush has pam_sss.so.  But I thought that CentOS is using sssd instead of ldap.  Heck, it’s worth a try.

[root@thrush pam.d] cd /etc/pam.d
[root@thrush pam.d] cp password-auth-ac password-auth-ac.orig
[root@thrush pam.d] cp /usr/network/tmp/backup-sampras/password-auth-ac .
cp: overwrite `./password-auth-ac'? y
[root@thrush pam.d] diff password-auth-ac password-auth-ac.orig 
7c7
< auth        sufficient    pam_ldap.so use_first_pass
---
> auth        sufficient    pam_sss.so use_first_pass
13c13
< account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
---
> account     [default=bad success=ok user_unknown=ignore] pam_sss.so
18c18
< password    sufficient    pam_ldap.so use_authtok
---
> password    sufficient    pam_sss.so use_authtok
23d22
< -session     optional      pam_systemd.so
26c25
< session     optional      pam_ldap.so
---
> session     optional      pam_sss.so
[root@thrush pam.d]

Here goes nuthin’.  I rebooted and:

[root@thrush ~] getent passwd anderson
anderson:*:716:501:Scott D. Anderson,E114:/home/anderson:/bin/bash
[root@thrush ~] logout
Connection to thrush closed.
[root@tempest tmp]# ssh anderson@thrush
anderson@thrush's password: 
Last login: Tue Aug 28 16:17:10 2012 from localhost
[anderson@thrush ~] grep anderson /etc/passwd
[anderson@thrush ~]

Holy moly!  It *worked*!

Okay, now I’m trying to replicate that on Robin.  I saved the authconfig to /usr/network/scripts/authconfig-CentOS-client/  and wrote /usr/network/scripts/authconfig-CentOS.sh

On Robin, I ran

/usr/network/fixes/account-files-undo
/usr/network/scripts/authconfig-CentOS.sh
reboot

That didn’t work. Turns out sssd wasn’t running.  So, start that.  Nope.  Oh, it complains that the perms on /etc/sssd/sssd.conf aren’t right.  Need to be 660.  Compared the /etc/pam.d/password-auth-ac files; made sure they were the same. Nope.  In fact, I can find no differences in the authconfig files.

Compared the list of rpms. There are a lot of differences!  How does this happen?  Noticed that Thrush (working) had pam_ldap installed but Robin (not working) doesn’t.  That’s interesting!
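The failure mode on Robin is worth turning into a check, because it is silent: password-auth-ac named pam_ldap.so, the pam_ldap package was never installed, so PAM could not dlopen the module, the "sufficient" line failed, and the stack fell through to pam_deny.so. The script below is an added example (mine, not code from the post, from authconfig or from CentOS): it pulls every module referenced by a PAM stack file and reports the ones that do not exist on disk. Assumptions, labelled as such: module directories default to /lib64/security and /lib/security (the CentOS 6 layout, overridable by argument), and the sample stack is a constructed file modelled on the CentOS 6 default password-auth-ac plus the four pam_ldap.so lines visible in the diff above; it is not the actual file from sampras.

```shell
#!/bin/sh
# Added example, not part of the original post, authconfig or CentOS.
# Lists PAM modules named in a stack file that are not installed, which is
# exactly the "pam_ldap not installed on Robin" failure described above.
# Assumption: modules live in /lib64/security or /lib/security (CentOS 6).

# pam_modules FILE
# Print the distinct module names referenced in FILE, one per line.
# Skips comments, blank lines and include/substack lines; collapses a
# "[default=bad success=ok ...]" control field to one token and drops the
# leading "-" that marks an optional module, so column 3 is always the module.
pam_modules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            line = $0
            sub(/\[.*\]/, "control", line)
            sub(/^[ \t]+/, "", line)
            sub(/^-/, "", line)
            n = split(line, f, /[ \t]+/)
            if (n < 3) next
            if (f[2] == "include" || f[2] == "substack") next
            print f[3]
        }
    ' "$1" | LC_ALL=C sort -u
}

# pam_missing_modules FILE [MODDIR...]
# Print each referenced module that is in none of the MODDIRs.
# Returns 1 if anything is missing, 0 if the stack is fully satisfiable.
pam_missing_modules() {
    _file=$1; shift
    if [ $# -eq 0 ]; then set -- /lib64/security /lib/security; fi
    _missing=0
    for _mod in $(pam_modules "$_file"); do
        _found=0
        for _dir in "$@"; do
            if [ -f "$_dir/$_mod" ]; then _found=1; break; fi
        done
        if [ "$_found" -eq 0 ]; then
            echo "$_mod"
            _missing=1
        fi
    done
    return "$_missing"
}

# write_sample_stack FILE
# Constructed sample (not the real file from the post): the CentOS 6 default
# password-auth-ac layout with pam_sss.so swapped for pam_ldap.so, as in the
# diff the post shows.
write_sample_stack() {
    cat > "$1" <<'EOF'
#%PAM-1.0
# This file is auto-generated.
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     required      pam_unix.so
session     optional      pam_ldap.so
EOF
}

# demo: a throwaway module directory with everything except pam_ldap.so
# (Robin's state before "yum install pam_ldap"), then run the check.
demo() {
    _tmp=$(mktemp -d)
    write_sample_stack "$_tmp/password-auth-ac"
    mkdir "$_tmp/security"
    for _m in pam_env.so pam_unix.so pam_succeed_if.so pam_deny.so \
              pam_localuser.so pam_permit.so pam_cracklib.so pam_keyinit.so \
              pam_limits.so pam_systemd.so; do
        : > "$_tmp/security/$_m"
    done
    echo "modules referenced but not installed:"
    pam_missing_modules "$_tmp/password-auth-ac" "$_tmp/security" || true
    rm -rf "$_tmp"
}
demo
```

On a real host, run `pam_missing_modules /etc/pam.d/password-auth-ac` (and the same for system-auth-ac) with no directory argument; a non-empty result means the stack as written cannot authenticate the way it claims to, and `yum whatprovides` on the missing module name gives the package to install, as with pam_ldap above. One related check worth keeping in mind when symlinking /etc/pam_ldap.conf to /etc/openldap/ldap.conf: pam_ldap.conf can carry a bindpw, and /etc/openldap/ldap.conf is normally world-readable, so if a bind password is ever added, pam_ldap.conf should be a separate root-only file rather than a symlink.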

Ah ha!  That’s it!  I can now run

ssh bird "/usr/network/fixes/account-files-undo ; /usr/network/scripts/authconfig-CentOS.sh yes"

I didn’t want to use all-centos-hosts because I wanted to keep thrush working, just in case.


About CS SysAdmins

The CS Department System Administrators