Hi,

I'm managing a file server project and we've run into a problem integrating CentOS with LDAP. The issue is outlined below. Any suggestions would be greatly appreciated.

Thanks,

Bryn kanar
UCSC Library
Web Developer



I am installing smb 3.5 on a CentOS 6.2 host using smbldap-tools. I've previously installed a similar configuration on RHEL4 using smb 3.0 but CentOS now uses nss-pam-ldapd and nslcd instead of nss_ldap, so the configurations cannot be moved straight across.

When I do a listing of a share directory that should have user and group ownership determined by LDAP, I get the uidNumbers and gidNumbers rather than the UIDs and GIDs.

drwx------. 2 30634 30080 4096 Mar 18 2009 userdir1
drwx------. 33 30548 30075 4096 Jan 29 15:20 userdir2
drwx------. 3 30554 30075 4096 Jan 26 2009 userdir3
drwx------. 12 30467 30075 4096 Jun 21 2012 userdir4
drwx------. 4 30543 30075 4096 Oct 21 2008 userdir5
drwx------. 8 30555 30075 4096 Oct 31 10:36 userdir5

Other details: centos 6.2, samba 3.5, smbldap-tools 0.9.6, openldap 2.4.23

I've fussed with /etc/nsswitch.conf, /etc/pam_ldap.conf, /etc/nslcd.conf, /etc/pam.d/system-auth, and /etc/sysconfig/authconfig. And selinux is off.

I know the machine is successfully connecting to LDAP. An ldapsearch works from this machine, and I can even connect to a samba share with an ldap login through smbclient.

Relevant parts of /etc/nsswitch:

passwd: files ldap
shadow: files ldap
group: files ldap

#hosts: db files nisplus nis dns
hosts: files dns

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files ldap
rpc: files
services: files ldap

netgroup: nisplus ldap
#netgroup: ldap

publickey: nisplus

automount: files nisplus ldap
#automount: files ldap
aliases: files nisplus

Relevant parts of /etc/pam_ldap.conf (everything else is commented out):

host dir1.ourdomain.com
base dc=.ourdomain,dc=com
#uri ldaps://dir1.ourdomain.com
uri ldap://dir1.ourdomain.com

# basic auth config
binddn cn=admin,dc=ourdomain,dc=com
rootbinddn cn=admin,dc=ourdomain,dc=com

# random stuff
#timelimit 120
#bind_timelimit 120
#bind_policy hard
# brought these times down wmodes Aug 11, 2008
timelimit 30
bind_timelimit 30
bind_policy soft
idle_timelimit 3600
nss_initgroups_ignoreusers root,ldap

# pam config
#pam_password md5
pam_password md5

# config for nss
nss_base_passwd ou=people,dc=ourdomain,dc=com?one
nss_base_shadow ou=people,dc=ourdomain,dc=com?one
nss_base_group ou=group,dc=ourdomain,dc=com?one

# OpenLDAP SSL mechanism
# start_tls mechanism uses the normal LDAP port, LDAPS typically 636
ssl no

# OpenLDAP SSL options
# Require and verify server certificate (yes/no)
#tls_checkpeer yes

# CA certificates for server certificate verification
tls_cacertfile /etc/openldap/cacerts/cacert.pem
tls_cacertdir /etc/openldap/cacerts

# Client certificate and key
tls_cert /etc/openldap/cacerts/servercert.pem
tls_key /etc/openldap/cacerts/serverkey.pem

Relevant parts of /etc/pam.d/system-auth:

auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so

account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so

password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
session optional pam_mkhomedir.so skel=/etc/skel umask=077

And the only line in /etc/sysconfig/authconfig I changed was:

USELDAP=yes

Any thoughts? For those who are experienced with nis and pam, I'm sure this is a no brainer, but I could sure use the little bit of your brain that knows how to fix this.