[ILUG] Single Sign On and Active Directory
Mark Kilmartin
mrk at europe.renre.com
Mon Aug 16 12:01:15 IST 2004
On Mon, 2004-08-16 at 11:30, David Dorgan wrote:
> > At login we get the following message.
> > "Authentication service cannot retrieve authentication info"
> >
>
> First off, add
>
> shadow: compat ldap
OK added
> Is nss_ldap setup for nss_base_shadow?
Yes
> If you ever have a problem with PAM, basically
> put debug on all of those entries. pam_unix.so debug etc..
Added debug to all of them and not seeing any more logging.
> Also add:
>
> account optional pam_krb5.so debug
> and
> password sufficient pam_krb5.so debug
> and
> session optional pam_krb5.so debug
Added these.
Still, after all of this, shadow is not being retrieved from the DC.
Also, I checked that I was running nscd, and I am, but I have tried this
configuration without nscd last week and got the same problem.
Note I don't actually need shadow, I just need for login to work. If I
could get nss_ldap to replace the password field of passwd with "*K*" to
indicate that I'm using kerberos then everything would be happy (I
think)
Mark
> After this, I would suggest you strace -p
> it in action, you'll see the pid in syslog,
> if you have the debug options on. Also,
> if you did want it to wait for a bit, so you
> could look and see what it was doing,
> plug out the network (but don't bring down the
> card) so it'll spend lots of time doing
> networking things.
>
> Also, if you are unsure of what is being checked
> you could run ethereal and see what is being
> checked remotely.
>
> There are some good resources on the subject in general:
>
> http://www.ofb.net/~jheiss/krbldap/howto.html
> http://www.metaconsultancy.com/whitepapers/ldap-linux.htm
> http://kirby.hpcmp.hpc.mil/docs/krb-faq.html
> http://www.padl.com/~lukeh/rfc2307bis.txt
> http://www.mandrakesecure.net/en/docs/ldap-auth.php
>
> David
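
An added example, not part of the original message: a static check of the two settings the thread keeps returning to, whether `shadow` in nsswitch.conf lists `ldap` and which PAM module lines still lack `debug`. The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): static check of the NSS and PAM
# settings the thread discusses. Sample files below are constructed.

# nss_sources DB FILE: print the sources listed for DB in an nsswitch.conf
nss_sources() {
    awk -v db="$1:" '$1 == db { $1 = ""; sub(/^ +/, ""); print; exit }' "$2"
}

# nss_has_ldap DB FILE: succeed if "ldap" is one of the sources for DB
nss_has_ldap() {
    case " $(nss_sources "$1" "$2") " in *" ldap "*) return 0 ;; esac
    return 1
}

# pam_missing_debug FILE: print "lineno: line" for module lines without "debug"
pam_missing_debug() {
    awk '$1 ~ /^[#@]/ || NF == 0 { next }
         { d = 0; for (i = 3; i <= NF; i++) if ($i == "debug") d = 1
           if (!d) print NR ": " $0 }' "$1"
}

# pam_krb5_types FILE: print the PAM types (auth, account, ...) using pam_krb5.so
pam_krb5_types() {
    awk '$1 !~ /^#/ && /pam_krb5\.so/ { print $1 }' "$1" | sort -u | paste -sd ' ' -
}

# Constructed sample input, written to a temporary directory.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'passwd: compat ldap\nshadow: compat\n' > "$tmp/nsswitch.before"
printf 'passwd: compat ldap\nshadow: compat ldap\n' > "$tmp/nsswitch.after"
cat > "$tmp/login" <<'EOF'
# constructed /etc/pam.d/login-style file
auth     sufficient pam_krb5.so
auth     required   pam_unix.so debug
account  optional   pam_krb5.so debug
password sufficient pam_krb5.so debug
session  optional   pam_krb5.so debug
EOF

for f in "$tmp/nsswitch.before" "$tmp/nsswitch.after"; do
    if nss_has_ldap shadow "$f"; then echo "$f: shadow uses ldap"
    else echo "$f: shadow does NOT use ldap ($(nss_sources shadow "$f"))"; fi
done
echo "pam_krb5.so types: $(pam_krb5_types "$tmp/login")"
echo "lines without debug:"; pam_missing_debug "$tmp/login"
```

On a real host, pass `/etc/nsswitch.conf` and the relevant file under `/etc/pam.d/` to the functions instead of the constructed samples.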