Hi, all.
Trying to add a local user to a CentOS 6.3 system that is using ldap
for Samba authentication, but being stymied by the user's existing
entry in ldap.
[root@samba ~]# adduser wchandy
adduser: user 'wchandy' already exists
[root@samba ~]# useradd wchandy
useradd: user 'wchandy' already exists
User is not already a local user:
[root@edgar2 ~]# grep wchandy /etc/passwd
But they are a Samba user in ldap:
[root@edgar2 ~]# smbldap-usershow wchandy | grep uid
dn: uid=wchandy,ou=people,dc=ucsc,dc=edu
uid: wchandy
uidNumber: 30490
adduser does not have a local option. How does one get adduser to
add local users in the presence of ldap authentication?
Other things to consider:
- There are currently local users who share a uid with an ldap
entry (with a different uidNumber) who can access samba and ssh
independently. I want to be able to keep doing this, AND add
more users like this when needed.
- No, I don't want to edit the user directly into /etc/passwd
and /etc/group. I'd like to fix the underlying problem. Plus now
any new local entry interferes with the same user's access to
samba.
- No, I don't want to rely on ldap for local ssh login.
- No, I don't want to use a different uid for the user.
I originally set up my samba-ldap authentication with the handy (but
seemingly irreversible) authconfig command:
[root@samba ~]# authconfig --enableshadow --enablemd5 --enableldap \
--enableldapauth --enableldaptls --enablemkhomedir \
--ldapserver=dir.mydomain.com --ldapbasedn="dc=mydomain,dc=com" \
--enablelocauthorize --updateall
My /etc/sysconfig/authconfig looks like this:
IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=yes
USEHESIOD=no
FORCESMARTCARD=no
USEDB=no
USELDAPAUTH=yes
IPAV2NONTP=no
USELDAP=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=no
USELOCAUTHORIZE=yes
USENIS=no
USEKERBEROS=no
USESYSNETAUTH=no
USESSSD=no
USEPASSWDQC=no
My samba config was migrated from an RHEL4.x system to CentOS 6.3.
Now instead of the kludgy mashup of nss and pam and who knows what,
I used the pretty slick and easy sssd.
My /etc/sssd/sssd.conf looks like this:
[domain/default]
cache_credentials = True
#cache_credentials = False
ldap_search_base = dc=mydomain,dc=com
krb5_realm = EXAMPLE.COM
krb5_server = kerberos.example.com
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
ldap_uri = ldap://dir.mydomain.com/
ldap_tls_cacertdir = /etc/openldap/cacerts
#ldap_tls_reqcert = allow
entry_cache_timeout = 5
debug_level = 31
[sssd]
config_file_version = 2
services = nss, pam
# SSSD will not start if you do not configure any domains.
# Add new domain configurations as [domain/<NAME>] sections, and
# then add the list of domains (in the order you want them to be
# queried) to the "domains" attribute below and uncomment it.
# domains = LDAP
domains = default
#debug_level = 31
[nss]
[pam]
debug_level = 31
As a workaround I came up with two non-optimal solutions. They at
least gave me a way of moving forward after I found myself in the
sticky situation where LDAP and the local passwd file are blocking
each other.
Workaround 1: I created a local user with a different UID (username)
to give ssh access to a person who already had an LDAP/Samba entry.
Possibly the cheesiest sysadmin solution I've done in years.
Workaround 2: A little more complicated but comes down to adding the
local user with the same uidNumber as in LDAP.
- Look up LDAP uidNumber with getent, ldapsearch, or
smbldap-usershow
- Temporarily disable the user in LDAP in order to add the local
user without conflicts
- Create the local account matching the uidNumber with LDAP
- Re-enable the user in LDAP
Both of these work, but neither addresses the underlying issue of
allowing the authentication to use LDAP exclusively for Samba auth
and /etc/passwd for local auth. But in the absence of another
solution, this will have to do.
Thanks for the help. If I can get my local and samba-ldap
authentication working independently I'll be stoked.
Wes
--
Wes Modes
Systems Designer, Developer, and
Administrator
University Library ITS
University of California, Santa Cruz
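The lookup step of Workaround 2, and the "local users who share a username with an LDAP entry that has a different uidNumber" situation the post describes, can be checked from the shell before touching any account. The script below is an added example and not part of the original message: it parses the LDIF shape that smbldap-usershow and ldapsearch print (uid: / uidNumber: attributes, entries separated by blank lines) and compares it against a passwd file. Both input files here are constructed stand-ins written to temporary files; in practice you would point ldif_uids at an ldapsearch dump and uid_conflicts at /etc/passwd. The awk parser assumes unfolded LDIF (no continuation lines starting with a space) and a dc=example,dc=com suffix that is only a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post. Compares local passwd entries
# against an LDIF dump of directory users and reports username collisions
# whose uidNumbers disagree (the case that lets one name map to two uids
# depending on whether files or ldap answers first).

LOCAL_PASSWD=$(mktemp)
LDIF=$(mktemp)
trap 'rm -f "$LOCAL_PASSWD" "$LDIF"' EXIT

# Constructed stand-in for /etc/passwd.
cat > "$LOCAL_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:J Doe:/home/jdoe:/bin/bash
mlee:x:30600:100:M Lee:/home/mlee:/bin/bash
EOF

# Constructed stand-in for `ldapsearch -x -LLL ... uid uidNumber` output.
# dc=example,dc=com is a placeholder suffix, not the poster's directory.
cat > "$LDIF" <<'EOF'
dn: uid=wchandy,ou=people,dc=example,dc=com
uid: wchandy
uidNumber: 30490

dn: uid=jdoe,ou=people,dc=example,dc=com
uid: jdoe
uidNumber: 30501

dn: uid=mlee,ou=people,dc=example,dc=com
uid: mlee
uidNumber: 30600
EOF

# ldif_uids FILE
# Prints "name uidNumber" for every entry in an unfolded LDIF dump.
# The "^uid: " anchor deliberately skips the "dn: uid=..." line.
ldif_uids() {
  awk '
    /^uid: /       { name = $2 }
    /^uidNumber: / { num = $2 }
    /^$/           { if (name != "") print name, num; name = ""; num = "" }
    END            { if (name != "") print name, num }
  ' "$1"
}

# ldap_uidnumber FILE NAME
# The lookup step: prints the directory uidNumber for NAME, nothing if absent.
ldap_uidnumber() {
  ldif_uids "$1" | awk -v n="$2" '$1 == n { print $2 }'
}

# uid_conflicts PASSWDFILE LDIFFILE
# Prints "name local_uid ldap_uid" for each name present in both sources
# whose uid differs. Names that match (mlee) or exist only in LDAP (wchandy)
# are not reported.
uid_conflicts() {
  ldif_uids "$2" | awk '
    NR == FNR { split($0, f, ":"); local_uid[f[1]] = f[3]; next }
    ($1 in local_uid) && local_uid[$1] != $2 { print $1, local_uid[$1], $2 }
  ' "$1" -
}

# Stand-alone run: look up one user, then list every collision.
ldap_uidnumber "$LDIF" wchandy
uid_conflicts "$LOCAL_PASSWD" "$LDIF"
```

Run against the constructed data this prints 30490 for wchandy and one conflict line, "jdoe 1001 30501". An empty result from uid_conflicts against the real files is the condition you want before adding a local account that is meant to coexist with a directory entry; a non-empty one tells you which uidNumber to pass to useradd -u if the two are supposed to match.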