--- Sjoerd Hooft's InFormation Technology ---
SuSE LUM

This page documents the way to get Linux User Management (LUM) working on SLES 10… however, it doesn't work… or rather, it doesn't work predictably. After a long time I finally got it working, so I left it like that, logged in the next morning and what do you think… broken… with exactly the same errors as before. So I changed the LDAP server to a different server and it started working again, but now it failed on the server I couldn't get it to work on the day before. So I decided not to implement it but to document it and see if anyone who reads it can tell me where I went wrong.

This is the documentation I used: Novell Documentation
Cool Solution about LUM on non-OES servers

Oh, before I forget, I tried twice: once using only the command line, and the second time also using the graphical configuration options.

Info about the SLES box in question:

suselum:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 10 (i586)
VERSION = 10
PATCHLEVEL = 1
suselum:~ # uname -r
2.6.16.54-0.2.5-default

Command line try

Installation Software

I had to install novell-lum and novell-lum-providers so this is what I did:

  • Go to yast2 → Software → Add-on Product
  • Select CD and press continue when asked for the CD (after, of course, putting the OES CD in)
  • Select: Yes, I Agree to the license agreement
  • By default, a lot of packages are selected for installation; to prevent that, go to details → installation summary → right click → all in this list → do not install
  • Now go to search, search for lum and select the two packages you need.

After the installation you'll have the required lum packages:

suselum:~ # rpm -aq | grep lum
novell-lum-providers-0.5.0-16
novell-lum-2.2.0.14-38

PAM

After the installation of the software you'll need to configure PAM (pluggable authentication modules) to make sure you use NAM as the authentication source.

Original files

These are the original PAM config files:

suselum:~ # cd /etc/pam.d/
suselum:/etc/pam.d # ls
atd    common-account   crond          gnome-screensaver  passwd   shadow  sudo           xdm
chage  common-auth      gdm            gnomesu-pam        ppp      smtp    useradd        xlock
chfn   common-password  gdm-autologin  login              rpasswd  sshd    vlock          xscreensaver
chsh   common-session   gnome-passwd   other              samba    su      vmware-guestd
suselum:/etc/pam.d # cat login
#%PAM-1.0
auth     required       pam_securetty.so
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_lastlog.so nowtmp
session  required       pam_resmgr.so
session  optional       pam_mail.so standard
suselum:/etc/pam.d # cat gdm
#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  required       pam_devperm.so
session  required       pam_resmgr.so
suselum:/etc/pam.d # cat sshd
#%PAM-1.0
auth     include        common-auth
auth     required       pam_nologin.so
account  include        common-account
password include        common-password
session  include        common-session
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname
suselum:/etc/pam.d # cat su
#%PAM-1.0
auth     sufficient     pam_rootok.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session
session  optional       pam_xauth.so
suselum:/etc/pam.d # cat sudo
#%PAM-1.0
auth     include        common-auth
account  include        common-account
password include        common-password
session  include        common-session

Add these lines to each file, and comment out the existing common-auth include (pam_nam.so is stacked as sufficient before pam_unix2.so, so a NAM user is accepted there and a local user falls through to pam_unix2.so):

auth     required       pam_env.so
#auth     include        common-auth
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  sufficient     pam_nam.so
password sufficient     pam_nam.so
session  optional       pam_nam.so

NAM files

suselum:/etc/pam.d # cat login
#%PAM-1.0
auth     required       pam_securetty.so
auth     required       pam_env.so
#auth    include        common-auth
auth     required       pam_nologin.so
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  include        common-account
account  sufficient     pam_nam.so
password include        common-password
password sufficient     pam_nam.so
session  include        common-session
session  required       pam_lastlog.so nowtmp
session  required       pam_resmgr.so
session  optional       pam_mail.so standard
session  optional       pam_nam.so
suselum:/etc/pam.d # cat gdm
#%PAM-1.0
#auth     include        common-auth
auth     required       pam_env.so
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  include        common-account
account  sufficient     pam_nam.so
password include        common-password
password sufficient     pam_nam.so
session  include        common-session
session  required       pam_devperm.so
session  required       pam_resmgr.so
session  optional       pam_nam.so
suselum:/etc/pam.d # cat sshd
#%PAM-1.0
#auth     include        common-auth
auth     required       pam_env.so
auth     required       pam_nologin.so
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  include        common-account
account  sufficient     pam_nam.so
password include        common-password
password sufficient     pam_nam.so
session  include        common-session
session  optional       pam_nam.so
# Enable the following line to get resmgr support for
# ssh sessions (see /usr/share/doc/packages/resmgr/README)
#session  optional      pam_resmgr.so fake_ttyname
suselum:/etc/pam.d # cat su
#%PAM-1.0
auth     sufficient     pam_rootok.so
#auth     include        common-auth
auth     required       pam_env.so
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  include        common-account
account  sufficient     pam_nam.so
password include        common-password
password sufficient     pam_nam.so
session  include        common-session
session  optional       pam_xauth.so
session  optional       pam_nam.so
suselum:/etc/pam.d # cat sudo
#%PAM-1.0
auth     required       pam_env.so
#auth     include        common-auth
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  include        common-account
account  sufficient     pam_nam.so
password include        common-password
password sufficient     pam_nam.so
session  include        common-session
session  optional       pam_nam.so

NSSWITCH

You also have to tell the nsswitch file you're going to use NAM:

/etc/nsswitch.conf:

Original:

passwd: compat
group:  compat

New:

passwd: compat nam
group:  compat nam

Configure NAM

When I first tried to set up NAM I decided that one of the NetWare servers should be the authentication source. This did not work, so I changed it to one of the OES servers we have and it worked, using this command:

suselum:/etc # namconfig add -a cn=admin,o=SHIFT -r o=SHIFT -w ou=NAM,o=SHIFT -S OESSERVER:389 -l 636
Enter the admin(cn=admin,o=SHIFT) password:

namconfig.getSchemaName: schema name = cn=schema
NAM Schema is extended successfully.
NAM Unique id schema is already extended.
uidNumber and gidNumber attribute indices already exist in the LDAP server
Creating the Unix Config object... already exists
Creating the Unix Workstation object...done.
Adding the workstation context...done.
Stopping the service 'nscd'...done.
Starting the service 'namcd'... Done.
Starting the service 'nscd'... Done.
Configure done successfully.

You now have a new object in the tree: suselum01.jpg

Just for the record, when trying to use the NetWare server I got this error:

namconfig.getSchemaName: schema name = cn=schema
Error in extending the nam(rfc2307) schema:16
uidNumber and gidNumber attribute indices already exist in the LDAP server
Error:No such attribute

The solution, as said before, is to just use an OES Linux server as the authentication source.

iManager

Now you have to assign a Linux-enabled group to the workstation object you have in eDirectory. To do so, log into iManager and select the created workstation object: suselum02.jpg When selected, add a group to the workstation: suselum03.jpg

NAM service

So it should all be configured correctly now, the only thing left to do is to restart the nam service:

suselum:/etc # rcnamcd restart
Stopping NAM Cache Daemon ...
Please Wait. Flushing cache to the file
......                                                                done
Starting NAM Cache Daemon ...
Waiting for namcd initialization to complete ...
.
                                                                      done
suselum:/etc #

If you receive certificate errors, issue this command to refresh the certificate file:

suselum:~ # namconfig -k
Enter the admin(cn=admin,o=SHIFT) password:

namconfig.getSchemaName: schema name = cn=schema
Certicate file updated sucessfully

So everything is configured now; I can see the servers talking LDAP to each other, but I mostly get these errors:

In LDAP:

EmuVerifyPassword returned error OS error of some sort (-255)
NMAS error -1642
  Indicates that the secret (for example password) presented by the user is invalid. -> which it is not

In syslog:

finduserwithoutuidandgid: return code from the search: [49]
User unknown to the authentication module
nds_authenticate():ldap_compare failed with crypted password
User not known to underlying authentication module for illegal user

The syslog messages got me thinking: does the server even know the users? It turned out it did not; issuing the command

id sjoerd

returned “Unknown User”, which made me restart the normal name service cache daemon:

/etc/init.d/nscd stop
/etc/init.d/nscd start

That made it work once, and then, as stated above, it stopped working the next morning.

Remove LUM Configuration

All this did give me the opportunity to test the removal of LUM:

suselum:~ # namconfig rm -a cn=admin,o=SHIFT
Enter the admin(cn=admin,o=SHIFT) password:

namconfig.getSchemaName: schema name = cn=schema
Deleting the Unix Workstation object...done.
Stopping the service 'namcd'...done.
Stopping the service 'nscd'...done.
Starting the service 'nscd'... Done.
Deconfigure done successfully.

This was successful. The configuration file /etc/nam.conf was gone and the service was stopped, so everything was ready for test 2.

Remove LUM Installation

When the graphical try failed as well I completely removed LUM:

suselum:~ # rpm -e novell-lum-2.2.0.14-38
suselum:~ # rpm -e novell-lum-providers-0.5.0-16
suselum:~ # rpm -e yast2-novell-lum-2.13.2-53

When you've removed the packages, don't forget to restore the PAM files to their original state before you restart the server. If you forget to clean up the PAM files, every service whose stack still references pam_nam.so will log errors like this:

Mar 15 15:54:51 suselum sshd[3196]: PAM unable to dlopen(/lib/security/pam_nam.so)
Mar 15 15:54:51 suselum sshd[3196]: PAM [error: /lib/security/pam_nam.so: cannot open shared object file: No such file or directory]
Mar 15 15:54:51 suselum sshd[3196]: PAM adding faulty module: /lib/security/pam_nam.so
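Both the PAM layout from the PAM section and the dangling pam_nam.so reference that causes the dlopen errors above can be checked mechanically. The following Python is an added example, not code from this page or from Novell's LUM tooling: it parses a PAM stack file, reports where it deviates from the layout used in the PAM section, and lists referenced modules that are not installed (the `available` set defaults to the .so files in /lib/security, the path in the log lines above). The two sample stacks are constructed from the page's sshd listings.

```python
from pathlib import Path
# Constructed sample: the sshd stack from the page after the pam_nam.so edits.
SSHD_NAM = """#%PAM-1.0
#auth     include        common-auth
auth     required       pam_env.so
auth     required       pam_nologin.so
auth     sufficient     pam_nam.so
auth     required       pam_unix2.so
account  include        common-account
account  sufficient     pam_nam.so
password include        common-password
password sufficient     pam_nam.so
session  include        common-session
session  optional       pam_nam.so
"""
# Constructed sample: the stock SLES 10 sshd stack before any LUM changes.
SSHD_ORIG = ("#%PAM-1.0\nauth include common-auth\nauth required pam_nologin.so\n"
             "account include common-account\npassword include common-password\nsession include common-session\n")

def parse_pam(text):
    """Return (type, control, module) for every active, non-comment line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and not parts[0].startswith("#"):
            rows.append((parts[0], parts[1], parts[2]))
    return rows

def lint_nam_stack(text):
    """Findings where the stack deviates from the page's layout: common-auth commented out, pam_nam.so before pam_unix2.so."""
    rows = parse_pam(text)
    findings = []
    auth = [m for t, _, m in rows if t == "auth"]
    if "common-auth" in auth:
        findings.append("auth: common-auth include is still active")
    if "pam_nam.so" not in auth:
        findings.append("auth: pam_nam.so is missing")
    elif "pam_unix2.so" in auth and auth.index("pam_unix2.so") < auth.index("pam_nam.so"):
        findings.append("auth: pam_unix2.so is stacked before pam_nam.so")
    for group in ("account", "password"):
        if (group, "sufficient", "pam_nam.so") not in rows:
            findings.append(f"{group}: no 'sufficient pam_nam.so' line")
    return findings

def missing_modules(text, available=None):
    """Referenced modules that are not installed: the cause of 'PAM unable to dlopen' after rpm -e novell-lum."""
    if available is None:
        available = {p.name for p in Path("/lib/security").glob("*.so")}
    return sorted({m for _, _, m in parse_pam(text) if m.endswith(".so") and m not in available})
```

Running `missing_modules` over every file in /etc/pam.d after the `rpm -e` step shows exactly which stacks still need to be restored.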

Graphical try

For the graphical try I used a different approach. I used the SLED CD to install the extra resources, because now I also needed yast-novell-lum. That in turn needed some extra installation resources, so I also added the SLES 10 SP2 installation source. I ended up installing this list of software: suselum04.jpg

Then the documentation told me to go into yast2 → security and users → linux user management; however, this did not exist. After searching the internet for a while (Google is my bitch!) I found out that the modules are there, they're just hidden. So these are the commands you need to run to configure the modules:

yast2 oes-ldap
yast2 novell-lum

This is the configuration I used for the OES LDAP servers: suselum05.jpg And this is the configuration I used for the LUM configuration: suselum06.jpg

After this I checked the PAM files, and assigned a Linux-enabled group to the created workstation object. It all just didn't work.

Request

As mentioned before, I did get it to work. Just switching servers, refreshing certificates, restarting services and rebooting got it working… for a few hours. The next morning I had to switch to a server that wouldn't work before. Also, on the internet I found so many other people with the same or other problems, just as I had an OES server with a broken LUM configuration a couple of months ago. That led to a reinstallation of the server, which led to this article. My conclusion is… I don't want it anymore, and this is the first time since I started to work seriously that I couldn't fix it, which is a personal failure to me. I would really appreciate it if somebody else knows what I did wrong. Also, I decided to just use LDAP as an authentication source, which was pretty successful. Now an additional question: does anyone know why I shouldn't? Why would LUM be better than LDAP? Please let me know!

suselum.txt · Last modified: 2021/09/24 00:25 (external edit)