From Newsgroup: muc.lists.freebsd.ports
Hello,
I'm fighting a major problem here. Running recent CURRENT and 15-STABLE here. Recently we switched from net/nss-pam-ldapd to security/sssd2 (with net/samba423).
I've used https://wiki.freebsd.org/KubilayKocak/SystemSecurityServicesDaemon as a basis for further steps.
The user backend is net/openldap26-server using the ppolicy overlay. For the record: the LDAP DIT was migrated from 2.4 to 2.6 a couple of years ago (successfully).
Adjusting FreeBSD's PAM config for "other", "system" and "sshd" has worked well for sshd and system/login so far (see below for more info). When logging in via sshd as an LDAP-backed user, everything runs smoothly (no dubious messages about expired passwords or similar). Local (console) login for those users also works as expected without further incident or report of expired passwords.
When it comes to X11/xdm on local machines, login fails for LDAP-backed users.

FreeBSD's /var/log/auth.log reports:

Mar 22 14:17:41 <10.5> myhost xdm[7440]: LOGIN FAILURE ON :0, username
The LDAP objects (users) do not have the shadowAccount objectclass, nor its attributes (I deleted those; with or without them, nothing changes).
It drives me nuts; I've spent two days trying to figure out what xdm is missing, but I couldn't find anything suitable. Maybe someone has already solved a similar problem ...
/etc/nsswitch.conf has been adapted appropriately, i.e.

[...]
passwd: files sss ldap

(I'm using a hybrid solution for now to serve xdm with the old nslcd.)
In the config shown below, "optional|sufficient" on the account module means: I use either one or the other, only one, not both.
[... /etc/pam.d/xdm ...]

#
# PAM configuration for the "xdm" service
#

# auth
#auth       sufficient      pam_krb5.so                     no_warn try_first_pass
#auth       sufficient      pam_ssh.so                      no_warn try_first_pass
#auth       sufficient      pam_ssh.so                      no_warn try_first_pass
#auth       sufficient      /usr/local/lib/pam_ldap.so
auth        sufficient      /usr/local/lib/pam_sss.so       forward_pass
auth        required        pam_unix.so                     no_warn try_first_pass

# account
account     required        pam_nologin.so
#account    required        pam_krb5.so
#account    optional        /usr/local/lib/pam_ldap.so
account     optional|sufficient  /usr/local/lib/pam_sss.so \
                ignore_authinfo_unavail ignore_unknown_user
account     required        pam_unix.so

# session
#session    required        pam_ssh.so                      want_agent
session     required        pam_lastlog.so                  no_fail
session     required        pam_xdg.so

# password
password    required        pam_deny.so
-- 
A FreeBSD user
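The "optional|sufficient" toggle in the posted /etc/pam.d/xdm changes which modules of the account chain actually run and whose return code ends up deciding the login. The simulator below is an added example, not code from the original post, from FreeBSD or from sssd; it parses a pam.d-style fragment and applies the control-flag rules documented in FreeBSD's pam.conf(5) (required, requisite, sufficient, binding, optional) to module return codes that the caller supplies. The fragment, the module results and the helper names (parse_pam, run_chain, account_result, auth_result, XDM_TEMPLATE) are constructed for illustration; how OpenPAM treats a chain in which nothing succeeded and only optional or sufficient modules failed is my assumption, marked in the code.

```python
"""Simulate how OpenPAM (FreeBSD's PAM) walks a pam.d chain.

Added example, not part of the original post, FreeBSD or sssd.  It parses a
pam.d-style fragment and applies the control-flag rules from pam.conf(5)
(required / requisite / sufficient / binding / optional) to module results
supplied by the caller, so you can see which modules run and what the chain
returns before touching /etc/pam.d on a real machine.
"""
from collections import namedtuple

PAM_SUCCESS = "PAM_SUCCESS"
PAM_IGNORE = "PAM_IGNORE"
PAM_AUTH_ERR = "PAM_AUTH_ERR"
PAM_USER_UNKNOWN = "PAM_USER_UNKNOWN"
PAM_NEW_AUTHTOK_REQD = "PAM_NEW_AUTHTOK_REQD"

Entry = namedtuple("Entry", "facility control module args")


def parse_pam(text):
    """Parse pam.d lines into Entry records: skips '#' comments and blank
    lines, joins trailing-backslash continuations as pam.conf(5) does, and
    reduces the module to its basename so /usr/local/lib/pam_sss.so and a
    bare pam_unix.so key the same way."""
    entries, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError("malformed pam.d line: %r" % line)
        facility, control, module, *args = fields
        entries.append(Entry(facility, control, module.rsplit("/", 1)[-1], args))
    return entries


def run_chain(entries, facility, results):
    """Walk one facility's chain with OpenPAM's dispatch rules.

    `results` maps module basename -> return code (constructed by the
    caller); a module absent from the map is treated as PAM_IGNORE.
    Returns (final_code, list_of_modules_that_were_called)."""
    err, fail, nsuccess, soft_err, called = PAM_SUCCESS, False, 0, None, []
    for e in entries:
        if e.facility != facility:
            continue
        r = results.get(e.module, PAM_IGNORE)
        called.append(e.module)
        if r == PAM_IGNORE:
            continue
        if r == PAM_SUCCESS:
            nsuccess += 1
            # sufficient/binding success ends the chain unless a
            # required/binding module has already failed
            if e.control in ("sufficient", "binding") and not fail:
                break
            continue
        if e.control == "requisite":
            return r, called  # fail and stop immediately
        if e.control in ("required", "binding"):
            if not fail:
                err = r  # the first decisive failure is the one reported
            fail = True  # but the rest of the chain still runs
        elif e.control in ("optional", "sufficient"):
            soft_err = r  # ignored unless nothing else decides the chain
        else:
            raise ValueError("unknown control flag %r" % e.control)
    if fail:
        return err, called
    if nsuccess == 0 and soft_err is not None:
        # Assumption: pam.conf(5) says an optional failure is ignored
        # "unless it is the only module in the chain"; modelled here as
        # "nothing succeeded and only soft failures occurred".
        return soft_err, called
    return PAM_SUCCESS, called


# Constructed: the auth and account chains from the xdm config above, with
# the author's "optional|sufficient" toggle as a template parameter.
XDM_TEMPLATE = """
auth     sufficient  /usr/local/lib/pam_sss.so   forward_pass
auth     required    pam_unix.so                 no_warn try_first_pass
account  required    pam_nologin.so
account  {ctl}       /usr/local/lib/pam_sss.so \\
         ignore_authinfo_unavail ignore_unknown_user
account  required    pam_unix.so
"""


def account_result(ctl, unix_result):
    """Account chain with pam_sss flagged `ctl` ('optional' or 'sufficient'),
    pam_nologin and pam_sss succeeding, and pam_unix returning `unix_result`."""
    entries = parse_pam(XDM_TEMPLATE.format(ctl=ctl))
    results = {"pam_nologin.so": PAM_SUCCESS, "pam_sss.so": PAM_SUCCESS,
               "pam_unix.so": unix_result}
    return run_chain(entries, "account", results)


def auth_result(sss_result, unix_result):
    """Auth chain (pam_sss sufficient, pam_unix required) with the given results."""
    entries = parse_pam(XDM_TEMPLATE.format(ctl="optional"))
    return run_chain(entries, "auth",
                     {"pam_sss.so": sss_result, "pam_unix.so": unix_result})


if __name__ == "__main__":
    for ctl in ("optional", "sufficient"):
        code, called = account_result(ctl, PAM_NEW_AUTHTOK_REQD)
        print("account, pam_sss %-10s -> %-20s called: %s" % (ctl, code, called))
```

Running it shows the difference the toggle makes: with `sufficient`, a successful pam_sss.so ends the account chain and pam_unix.so is never consulted, whereas with `optional` the chain runs through to the final `required pam_unix.so`, whose non-success return code then decides the login no matter what pam_sss.so said. On the real host, OpenPAM's pamtest(1) exercises the actual /etc/pam.d/xdm chain against the live modules (assumed invocation: `pamtest -v -u <user> xdm authenticate acct_mgmt`), which is the quickest way to learn which module's return code a LOGIN FAILURE stems from.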
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to
news-admin@muc.de