[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: OpenLDAP, Kerberos, Samba, PAM, How Do They Work Together?

Dear Nan,

I'll give it a go, my explanation will be simplified, as all software of
course is able to do a lot, I'll try to explain it's typical role.

OpenLDAP is a database management system. It communicates with database
clients in a standard (LDAP) way, and uses a (configurable) database
backend to store it's data.
One of the more popular database backends is Berkeley DB (BDB). It
usually stores it's data in files in /var/lib/ldap.

Kerberos is an authentication mechanism. It is ticket based. That means
that as soon as a client authenticates with Kerberos, it receives an
'authentication ticket'. It is then able to send this ticket to one or
more (thereby using single signon) services, such as Samba.

Samba is used for file sharing, printer sharing and Windows
authentication. It currently emulates a Windows NT4 domain controller.
It can use a LDAP server for it's user/groups backend.

PAM is the Linux 'Pluggable Authentication Mechanism'. This is
authentication system of Linux, that can use plugins for retrieving user
and group info. The 'standard' plugin is pam_unix, this uses the
familiar /etc/passwd,/etc/group and /etc/shadow files. Another plugin is
pam_ldap, which uses the LDAP configuration in /etc/ldap.conf for

Another thing that probably will be configured is nsswitch. This is the
'name service switch', that resolves user id's (0 for root,1000 and up
for other users) to user names. This is configured in
/etc/nsswitch.conf. (passwd,shadow,group will most likely be configured
as 'files ldap').

The standard base for LDAP client configuration is /etc/ldap.conf.

The most likely thing to be down, if I read your story, is the LDAP DB,
and more deeper, your Berkeley DB. 
Troubleshooting this has been a long time ago for me. The only thing
that comes into mind is trying to start slapd by hand (without the
init.d script) using a '-vvv' parameter for maximum verbosity. It will
then hopefully crash and tell you what is wrong in the end.


-----Oorspronkelijk bericht-----
Van: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] Namens Nan Meng
Verzonden: dinsdag 1 maart 2011 23:32
Aan: openldap-technical@openldap.org
Onderwerp: OpenLDAP, Kerberos, Samba, PAM, How Do They Work Together?

Dear list members,

I hope amateur questions could be tolerated. I would make it
professional if I could. I'm a newbie to OpenLDAP and probably even
Linux, but I have to take care of an office network (Linux servers with
Linux and PC workstations) that features email server, domain control,
file/printer sharing, user account management, web servers and so forth,
on my own without anyone's help.

Yesterday morning the power went down and so did our servers. After I
turned the servers back on, the account information system was no longer
working. Users weren't able to login with their credentials anymore,
even the root. What I did was I logged in the server (the Samba PDC,
LDAP server, Kerberos server, domain controller, email server) with
single mode, reseted the root password, and added accounts for other
individual users on the server. I know it was a bad idea. Although I got
some things working (emails, file/printer sharing), but there are still
other problems (PHP ldap_bind() from web servers fails, domain user
accounts and profiles fail to load correctly).

I know there is a centralized mechanism that handles user accounts with
the help of OpenLDAP, Kerberos, Samba, BerkeleyDB (and possibly other
things), but I don't have a clue of how they work together. I've been
trying to learn from docs and books for a long time before this power
issue, but not very successful.

My greatest problem is that I don't know how these things are working
together on my system. I believe I also lack some fundamental system
knowledge. I've been reading the docs available, but they're so abstract
to me and none of them seems to match our system configuration.

I'm hoping that I can get some help from here. Maybe some one can give
me some suggestions on how to troubleshoot in such a scenario as a
newbie, or an entry point that I can follow in order to explore the
system. I believe you can tell that I'm totally confused here without
being able to give much useful information about the problem and the
system. I'm sorry for my ignorance, but I really tried to deal with it
myself. If this thread turns out to be annoying or ridiculous, please
ignore, and I do apologize.

However, while I'm still struggling on the problem, if anyone could
help, I would really appreciate it. Thank you so much.