# ldap and nsswitch.conf and maybe PAM

## slam_head

In debugging my samba problems I've found out that it's actually a problem with the system not reading my nsswitch.conf file.  Is there a way to force a reread of the file, or is this a pam issue?

```
hand root # ls -la /etc/nsswitch.conf
-rw-r--r--  1 root root 515 Mar 25 15:16 /etc/nsswitch.conf
```

```
hand root # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

```
hand root # getent passwd ldapuser
hand root #
```

----------

## bone

Check my thread here. I had the same issue.

https://forums.gentoo.org/viewtopic-t-311892-highlight-.html

I had to go through a ton of downgrades/upgrades to solve the issue.

jt

----------

## slam_head

I read your post but I didn't have to mask any of the packages.  You must have the ~x86 in your make.conf.  I do think it is an issue with PAM though.  Does anyone know what the appropriate settings are and which PAM files need to be adjusted?

----------

## slam_head

Here's some output from /var/log/messages that might help.

```
Mar 28 10:55:10 hand slapd[13165]: conn=12 fd=18 ACCEPT from IP=127.0.0.1:32865 (IP=127.0.0.1:389)
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=0 BIND dn="cn=samba,ou=DSA,dc=STROZLLC,dc=COM" mech=SIMPLE ssf=0
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=1 SRCH attr=supportedControl
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=1 RESULT tag=101 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(&(objectClass=sambaSamAccount)(uid=dave))(objectClass=sambaSamAccount))"
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=12 op=3 UNBIND
Mar 28 10:55:10 hand slapd[13215]: conn=12 fd=18 closed
Mar 28 10:55:10 hand slapd[13165]: conn=13 fd=18 ACCEPT from IP=127.0.0.1:32866 (IP=127.0.0.1:389)
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=0 BIND dn="cn=samba,ou=DSA,dc=STROZLLC,dc=COM" mech=SIMPLE ssf=0
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=1 SRCH attr=supportedControl
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=1 RESULT tag=101 err=0 text=
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(&(objectClass=sambaSamAccount)(uid=dave))(objectClass=sambaSamAccount))"
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 28 10:55:10 hand slapd[13165]: conn=13 fd=18 closed
Mar 28 10:55:22 hand slapd[13165]: conn=14 fd=18 ACCEPT from IP=127.0.0.1:32867 (IP=127.0.0.1:389)
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 BIND dn="cn=samba,ou=DSA,dc=STROZLLC,dc=COM" mech=SIMPLE ssf=0
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=1 SRCH base="" scope=0 filter="(objectClass=*)"
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=1 SRCH attr=supportedControl
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=1 RESULT tag=101 err=0 text=
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(&(objectClass=sambaSamAccount)(uid=dsonenberg))(objectClass=sambaSamAccount))"
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=2 SRCH attr=uid uidNumber gidNumber homeDirectory sambaPwdLastSet sambaPwdCanChange sambaPwdMustChange sambaLogonTime sambaLogoffTime sambaKickoffTime cn displayName sambaHomeDrive sambaHomePath sambaLogonScript sambaProfilePath description sambaUserWorkstations sambaSID sambaPrimaryGroupSID sambaLMPassword sambaNTPassword sambaDomainName objectClass sambaAcctFlags sambaMungedDial sambaBadPasswordCount sambaBadPasswordTime sambaPasswordHistory modifyTimestamp sambaLogonHours modifyTimestamp
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Mar 28 10:55:22 hand slapd[13165]: conn=15 fd=20 ACCEPT from IP=127.0.0.1:32868 (IP=127.0.0.1:389)
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=0 BIND dn="cn=nssldap,ou=DSA,dc=STROZLLC,dc=COM" method=128
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=0 RESULT tag=97 err=49 text=
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=1 UNBIND
Mar 28 10:55:22 hand slapd[13215]: conn=15 fd=20 closed
Mar 28 10:55:22 hand slapd[13165]: conn=14 fd=18 closed
```

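The slapd lines above are easier to read once each request is paired with its RESULT line by `conn`/`op`: the `cn=nssldap` bind on conn=15 ends in `err=49` (LDAP invalidCredentials), which is the NSS module's own bind, while the Samba searches for `uid=dave` return `nentries=0`. The following is an added example, not code from the thread, that does that pairing over a constructed sample shortened from the log above; the result-code names follow RFC 4511.

```python
import re

# Constructed sample: lines shortened from the slapd output posted above in this thread.
SAMPLE_LOG = """\
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SRCH base="dc=strozllc,dc=com" scope=2 filter="(&(objectClass=sambaSamAccount)(uid=dave))"
Mar 28 10:55:10 hand slapd[13215]: conn=13 op=2 SEARCH RESULT tag=101 err=0 nentries=0 text=
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 BIND dn="cn=samba,ou=DSA,dc=strozllc,dc=com" method=128
Mar 28 10:55:22 hand slapd[13215]: conn=14 op=0 RESULT tag=97 err=0 text=
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=0 BIND dn="cn=nssldap,ou=DSA,dc=STROZLLC,dc=COM" method=128
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=0 RESULT tag=97 err=49 text=
Mar 28 10:55:22 hand slapd[13215]: conn=15 op=1 UNBIND
"""

OP_RE = re.compile(r'conn=(\d+) op=(\d+) (BIND|RESULT|SRCH|SEARCH RESULT|UNBIND)(.*)')
DN_RE = re.compile(r'dn="([^"]*)"')
ERR_RE = re.compile(r'err=(\d+)')
SRCH_RE = re.compile(r'base="([^"]*)" scope=(\d) filter="([^"]*)"')
NENTRIES_RE = re.compile(r'nentries=(\d+)')

# LDAP result codes (RFC 4511) that commonly explain an NSS/PAM lookup failing.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials",
                50: "insufficientAccessRights"}

def analyse(log_text):
    """Pair BIND/SRCH requests with their RESULT by (conn, op); return (failed_binds, empty_searches)."""
    pending = {}  # (conn, op) -> ("BIND", dn) or ("SRCH", base, filter)
    failed_binds, empty_searches = [], []
    for line in log_text.splitlines():
        m = OP_RE.search(line)
        if not m:
            continue
        conn, op, kind, rest = m.groups()
        key = (conn, op)
        if kind == "BIND":
            dn = DN_RE.search(rest)
            pending[key] = ("BIND", dn.group(1) if dn else "<anonymous>")
        elif kind == "SRCH":
            s = SRCH_RE.search(rest)
            if s:  # the "SRCH attr=..." continuation line carries no base, skip it
                pending[key] = ("SRCH", s.group(1), s.group(3))
        elif kind == "RESULT" and pending.get(key, ("",))[0] == "BIND":
            err = int(ERR_RE.search(rest).group(1))
            _, dn = pending.pop(key)
            if err != 0:
                failed_binds.append((conn, dn, err, RESULT_NAMES.get(err, "unknown")))
        elif kind == "SEARCH RESULT" and pending.get(key, ("",))[0] == "SRCH":
            _, base, flt = pending.pop(key)
            if int(NENTRIES_RE.search(rest).group(1)) == 0:
                empty_searches.append((conn, base, flt))
    return failed_binds, empty_searches
```

Run against a real `/var/log/messages`, a non-zero bind result for the DN named in `rootbinddn` points at `/etc/ldap.secret`, while empty searches with a successful bind point at the search base or scope.
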
----------

## slam_head

Ok, I think this is a PAM issue.  It appears the system is not reading the nsswitch.conf.  When I run:

```
hand root # getent passwd
```

I only get the system accounts even though I have specified

```
hand root # cat /etc/nsswitch.conf
# /etc/nsswitch.conf:
# $Header: /home/cvsroot/gentoo-src/rc-scripts/etc/nsswitch.conf,v 1.4 2002/11/18 19:39:22 azarah Exp $

passwd:      files ldap
shadow:      files ldap
group:       files ldap

# passwd:    db files nis
# shadow:    db files nis
# group:     db files nis

hosts:       files dns wins
networks:    files dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files
automount:   files
aliases:     files
```

Please help.  This appears to be a Gentoo issue and not a Samba or LDAP one.  Any ideas?

----------

## Arkanjo

I have Samba+LDAP working pretty well here.

Ok. So let's start with some questions: your /etc/nsswitch.conf is correct, no problems there.

Here is what I have installed:

```
*  net-libs/nss_ldap
      Latest version available: 226
      Latest version installed: 226
      Size of downloaded files: 207 kB
      Homepage:    http://www.padl.com/OSS/nss_ldap.html
      Description: NSS LDAP Module
      License:     LGPL-2

*  net-libs/pam_ldap
      Latest version available: 171
      Latest version installed: 171
      Size of downloaded files: 117 kB
      Homepage:    http://www.padl.com/OSS/pam_ldap.html
      Description: PAM LDAP Module
      License:     || ( GPL-2 LGPL-2 )
```

Next check your /etc/ldap.conf; the file is well commented, but here is the basic:

```
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=nssldap,ou=DSA,dc=example,dc=com
pam_password exop
nss_base_passwd         dc=example,dc=com?sub
nss_base_shadow         dc=example,dc=com?sub
nss_base_group          ou=Groups,dc=example,dc=com?one
```

Of course, you change it to match your directory structure in LDAP.

Don't forget to put the password of nssldap in /etc/ldap.secret like this:

```
minho root # cat /etc/ldap.secret
nssldap_password
```

That's all I can remember, and here is the result:

```
minho root # getent passwd rnuno
rnuno:x:1000:513:LDAP User:/opt/home/rnuno:/bin/bash
```

Hope that helps, regards
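The `nss_base_passwd` value has the form `base?scope?filter`, and the scope decides which entries an NSS lookup can ever see: `one` returns only entries directly under the base, `sub` the whole subtree. The following added example (not code from the thread or from nss_ldap) parses a constructed ldap.conf in the style shown above and checks whether a given user DN falls inside the configured search; it assumes the global scope is `sub` when a `nss_base_*` line omits one, and does a simplified DN comparison (lower-casing, no escaping).

```python
# Constructed ldap.conf fragments: a one-level passwd scope, and the same file
# with the subtree scope that Arkanjo's working configuration uses.
BROKEN_CONF = """\
host 127.0.0.1
base dc=example,dc=com
rootbinddn cn=nssldap,ou=DSA,dc=example,dc=com
nss_base_passwd dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one   # group scope is fine as-is
"""
FIXED_CONF = BROKEN_CONF.replace("nss_base_passwd dc=example,dc=com?one",
                                 "nss_base_passwd dc=example,dc=com?sub")

def parse_ldap_conf(text):
    """Return {option: value}; pam_ldap/nss_ldap syntax is 'option value' per line, '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            key, _, value = line.partition(" ")
            conf[key.lower()] = value.strip()
    return conf

def parse_nss_base(value):
    """Split 'base?scope?filter' into (base, scope); scope assumed 'sub' when omitted."""
    parts = value.split("?")
    scope = parts[1] if len(parts) > 1 and parts[1] else "sub"
    return parts[0], scope

def dn_components(dn):
    # Simplified: split on commas and lower-case; real DNs may need RFC 4514 unescaping.
    return [c.strip().lower() for c in dn.split(",")]

def search_covers(base, scope, entry_dn):
    """Would a search rooted at `base` with `scope` return `entry_dn`?"""
    b, e = dn_components(base), dn_components(entry_dn)
    if len(e) < len(b) or e[len(e) - len(b):] != b:
        return False            # entry is not under the base at all
    depth = len(e) - len(b)     # number of RDNs between the entry and the base
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def nss_lookup_covered(conf_text, user_dn):
    """Decide whether getent passwd could find `user_dn` with this ldap.conf."""
    conf = parse_ldap_conf(conf_text)
    base, scope = parse_nss_base(conf.get("nss_base_passwd", conf["base"]))
    return search_covers(base, scope, user_dn)
```

A user stored under an OU such as `ou=Users` is two RDNs below `dc=example,dc=com`, so `?one` misses it and `getent passwd` returns nothing even though nsswitch.conf is correct; `?sub` finds it.
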

----------

## slam_head

Thanks that helped.  It looked like it was the nss_base_xxx lines.  I had them set to dc=domain,dc=com?one when it should have been ?sub.  Thanks again.

----------

