[[SuSE LUM]]
Table of Contents
SuSE LUM
This is a page with the intention to document the way to get Linux User Management (LUM) on SLES 10… however, it doesn't work… or rather, it doesn't work predictable. After a long time I finally got it working, so I left it like that, logged in the next morning and what do you think… broken… with exactly the same errors as before. So I changed the LDAP server to a different server and it started working again, but now on the server I couldn't get it to work on the day before. So I decided not to implement it but to document it and see if anyone who reads it can tell me where I went wrong.
This is the documentation I used:
Novell Documentation
Cool Solution about LUM on non-OES servers
Oh, before I forget, I tried two times. One time only using the command line, the second time including the graphical configuration options.
Info about the SLES box in question:
suselum:~ # cat /etc/SuSE-release SUSE Linux Enterprise Server 10 (i586) VERSION = 10 PATCHLEVEL = 1 suselum:~ # uname -r 2.6.16.54-0.2.5-default
Command line try
Installation Software
I had to install novell-lum and novell-lum-providers so this is what I did:
- Go to yast2 → Software → Add-on Product
- Select CD and press continue when asked for the CD (after of course, putting the OES CD in)
- Select: Yes, I Agree to the license agreement
- By default, a lot off packages are installed, to prevent that, go to details → installation summary → right click → all in this list → do not install
- Now, go to search, search for lum and select the two packages you need.
After the installation you'll have the required lum packages:
suselum:~ # rpm -aq | grep lum novell-lum-providers-0.5.0-16 novell-lum-2.2.0.14-38
PAM
After the installation of the software you'll need to configure PAM (pluggable authentication modules) to make sure you use NAM as the authentication source.
Original files
These are the original PAM config files:
suselum:~ # cd /etc/pam.d/ suselum:/etc/pam.d # ls atd common-account crond gnome-screensaver passwd shadow sudo xdm chage common-auth gdm gnomesu-pam ppp smtp useradd xlock chfn common-password gdm-autologin login rpasswd sshd vlock xscreensaver chsh common-session gnome-passwd other samba su vmware-guestd suselum:/etc/pam.d # cat login #%PAM-1.0 auth required pam_securetty.so auth include common-auth auth required pam_nologin.so account include common-account password include common-password session include common-session session required pam_lastlog.so nowtmp session required pam_resmgr.so session optional pam_mail.so standard suselum:/etc/pam.d # cat gdm #%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session session required pam_devperm.so session required pam_resmgr.so suselum:/etc/pam.d # cat sshd #%PAM-1.0 auth include common-auth auth required pam_nologin.so account include common-account password include common-password session include common-session # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README) #session optional pam_resmgr.so fake_ttyname suselum:/etc/pam.d # cat su #%PAM-1.0 auth sufficient pam_rootok.so auth include common-auth account include common-account password include common-password session include common-session session optional pam_xauth.so suselum:/etc/pam.d # cat sudo #%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session
Add these lines to each file, and comment one out:
auth required pam_env.so #auth include common-auth auth sufficient pam_nam.so auth required pam_unix2.so account sufficient pam_nam.so password sufficient pam_nam.so session optional pam_nam.so
NAM files
suselum:/etc/pam.d # cat login #%PAM-1.0 auth required pam_securetty.so auth required pam_env.so #auth include common-auth auth required pam_nologin.so auth sufficient pam_nam.so auth required pam_unix2.so account include common-account account sufficient pam_nam.so password include common-password password sufficient pam_nam.so session include common-session session required pam_lastlog.so nowtmp session required pam_resmgr.so session optional pam_mail.so standard session optional pam_nam.so suselum:/etc/pam.d # cat gdm #%PAM-1.0 #auth include common-auth auth required pam_env.so auth sufficient pam_nam.so auth required pam_unix2.so account include common-account account sufficient pam_nam.so password include common-password password sufficient pam_nam.so session include common-session session required pam_devperm.so session required pam_resmgr.so session optional pam_nam.so suselum:/etc/pam.d # cat sshd #%PAM-1.0 #auth include common-auth auth required pam_env.so auth required pam_nologin.so auth sufficient pam_nam.so auth required pam_unix2.so account include common-account account sufficient pam_nam.so password include common-password password sufficient pam_nam.so session include common-session session optional pam_nam.so # Enable the following line to get resmgr support for # ssh sessions (see /usr/share/doc/packages/resmgr/README) #session optional pam_resmgr.so fake_ttyname suselum:/etc/pam.d # cat su #%PAM-1.0 auth sufficient pam_rootok.so #auth include common-auth auth required pam_env.so auth sufficient pam_nam.so auth required pam_unix2.so account include common-account account sufficient pam_nam.so password include common-password password sufficient pam_nam.so session include common-session session optional pam_xauth.so session optional pam_nam.so suselum:/etc/pam.d # cat sudo #%PAM-1.0 auth required pam_env.so #auth include common-auth auth sufficient pam_nam.so auth required pam_unix2.so account include common-account account sufficient pam_nam.so password include common-password password sufficient pam_nam.so session include common-session session optional pam_nam.so
NSSWITCH
You also have to tell the nsswitch file you're going to use NAM:
/etc/nsswitch.conf:
Original:
passwd: compat group: compat
New:
passwd: compat nam group: compat nam
Configure NAM
When I first tried to setup NAM I decided that one of the NetWare servers should be the authentication source. This did not work, so I changed it to one of the OES servers we have and it worked, using this command:
suselum:/etc # namconfig add -a cn=admin,o=SHIFT -r o=SHIFT -w ou=NAM,o=SHIFT -S OESSERVER:389 -l 636 Enter the admin(cn=admin,o=SHIFT) password: namconfig.getSchemaName: schema name = cn=schema NAM Schema is extended successfully. NAM Unique id schema is already extended. uidNumber and gidNumber attribute indices already exist in the LDAP server Creating the Unix Config object... already exists Creating the Unix Workstation object...done. Adding the workstation context...done. Stopping the service 'nscd'...done. Starting the service 'namcd'... Done. Starting the service 'nscd'... Done. Configure done successfully.
You now have a new object in the tree:
Just for the record, when trying to use the NetWare server I got this error:
namconfig.getSchemaName: schema name = cn=schema Error in extending the nam(rfc2307) schema:16 uidNumber and gidNumber attribute indices already exist in the LDAP server Error:No such attribute
The solution, as said before, just use an OES linux server as the authentication source.
iManager
Now you have to assign a Linux enabled group to the workstation you have in eDirectory. To do so, log into iManager and select the created workstation object:
When selected, add a group to the workstation:
When selected, add a group to the workstation:
NAM service
So it should all be configured correctly now, the only thing left to do is to restart the nam service:
suselum:/etc # rcnamcd restart
Stopping NAM Cache Daemon ...
Please Wait. Flushing cache to the file
...... done
Starting NAM Cache Daemon ...
Waiting for namcd initialization to complete ...
.
done
suselum:/etc #
It could be you receive certificate errors, in that case issue this command:
suselum:~ # namconfig -k Enter the admin(cn=admin,o=SHIFT) password: namconfig.getSchemaName: schema name = cn=schema Certicate file updated sucessfully
So everything is configured now, I can see the servers LDAPping to each other, but I mostly get these errors:
In LDAP:
EmuVerifyPassword returned error OS error of some sort (-255) NMAS error -1642 Indicates that the secret (for example password) presented by the user is invalid. -> which it is not
In syslog:
finduserwithoutuidandgid: return code from the search: [49] User unknown to the authentication module nds_authenticate():ldap_compare failed with crypted password User not known to underlying authentication module for illegal user
The syslog messages got me thinking, does the server even know the users? It turned it did not, issuing the command
id sjoerd
returned “Unknown User”.
Which made me restart the normal name cache daemon:
/etc/init.d/nscd stop /etc/init.d/nscd start
Which made it working one time, and then, as stated above, it stopped working the next morning.
Remove LUM Configuration
All this did gave me the opportunity to test the removal of LUN:
suselum:~ # namconfig rm -a cn=admin,o=SHIFT Enter the admin(cn=admin,o=SHIFT) password: namconfig.getSchemaName: schema name = cn=schema Deleting the Unix Workstation object...done. Stopping the service 'namcd'...done. Stopping the service 'nscd'...done. Starting the service 'nscd'... Done. Deconfigure done successfully.
This was succesful. The configuration file /etc/nam.conf was gone, the service stopped, so everything was ready for test 2.
Remove LUM Installation
When the graphical try failed as well I completely removed LUM:
suselum:~ # rpm -e novell-lum-2.2.0.14-38 suselum:~ # rpm -e novell-lum-providers-0.5.0-16 suselum:~ # rpm -e yast2-novell-lum-2.13.2-53
When you've removed the packages don't forget to restore the pam files to the original state, and after that you can restart the server. If you forget to clean up the pam files you'll get errors like this:
Mar 15 15:54:51 suselum sshd[3196]: PAM unable to dlopen(/lib/security/pam_nam.so) Mar 15 15:54:51 suselum sshd[3196]: PAM [error: /lib/security/pam_nam.so: cannot open shared object file: No such file or directory] Mar 15 15:54:51 suselum sshd[3196]: PAM adding faulty module: /lib/security/pam_nam.so
Graphical try
For the graphical try I used a different approach. I used the SLED CD to install the extra resources, because now I also needed: yast-novell-lum. For that I also needed some extra installation resources so I also added the SLES 10 SP2 installation source. I ended up with installing this list of software:
Then the documentation told me to go into yast2 → security and users → linux user management, however, this did not exist. After searching the internet for a while (Google is my bitch!) I found out that the modules are there, they're just hidden. So this are the commands you need to configure the modules:
yast2 oes-ldap yast2 novell-lum
This is the configuration I used for the OES LDAP servers:
And this is the configuration I used for the LUM configuration:
After this I checked the PAM files, and assigned a linux enabled group to the created workstation object. It all just didn't work.
Request
As mentioned before, I did got it to work. Just switching servers, refreshing certificates, restarting services and rebooting got it working… for a few hours. The next morning I had to switch to a server that wouldn't work before. Also, on the internet I found so much other people with the same or other problems, just as I had a OES server with a broken LUM configuration a couple of months ago. That led to a reinstallation of the server, which led to this article. My conclusion is… I don't want it anymore, and this is the first time since I started to work seriously that I couldn't fix it, which is a personal failure to me. I would really appreciate it if somebody else knows what I did wrong. Also, I decided to just use LDAP as an authentication source, which was pretty successful. Now an additional question, does anyone know why I shouldn't? Why would LUM be better than LDAP. Please let me know!
Discussion