Ok a quick overview of what we are doing and the problem.
Firstly changing Active Directory is not an option (unfortunately)
We are setting up single sign on here for a mixed Linux windows network.
First we set up Kerberos for the authentication and it is working
perfectly against AD.
Secondly we installed the needed Schema changes to support Linux boxes
using AD4Unix, this seems to be working fine and we can add the extra
information for our Linux boxes, e.g. uid, gid, home directory. etc.
Next we set up LDAP on the Linux boxes, this is working to the extent
that we can use ldapsearch to retrieve information from the AD.
Next we install nss_ldap to allow nss to retrieve information from AD.
Our nssswitch contains the following.
passwd: compat ldap
group: compat ldap
now using getent passwd we see users that are in AD
getent group also returns AD groups.
So everything is looking good so we remove users from /etc/passwd and
/etc/group that also exist in AD.
At this point logins stop working for users that are only in AD.
At login we get the following message.
"Authentication service cannot retrieve authentication info"
I have tracked the problem down to the fact that users that are in AD
don't have an entry in the shadow file.
I tried add "shadow: compat ldap" to the nssswitch file but this does
not make any difference.
Relevant parts from the /etc/pam.d/login file are.
auth sufficient pam_krb5.so
auth sufficient pam_unix.so use_first_pass nullok
account required pam_unix.so
session required pam_unix.so
Between the two of us here we have done a lot of RTFM and lots of
googling and most things we have seen indicate our setup should be
Obviously adding every user into the shadow file is not an option.
One thing I did come across in my searching is if the password field in
the passwd file is listed as "*K*" (Which apparently indicates you will
be using kerberos) instead of "x" as it is to indicate there is a shadow
entry, and as the nss_ldap module returns it then login works without
having a shadow entry.
In summary I think I need one of two things.
1) Get nss_ldap to give me shadow entries.
or 2) Get nss_ldap to report the password field of passwd as "*K*"
Sorry for such a long mail.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://mail.linux.ie/pipermail/ilug/attachments/20040816/8a6503c2/attachment.pgp
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!