Date:      Thu, 28 Jan 2010 23:04:07 +0100
From:      Piotr Buliński <bulinskp@iem.pw.edu.pl>
To:        freebsd-questions@freebsd.org
Subject:   Problem with sftp server, static linking, pam and nss_ldap.
Message-ID:  <CD27E95B-A0D6-46CA-A122-7F867630D5C4@iem.pw.edu.pl>

Hello,

recently we moved our user database to an LDAP server, but after that sftp
stopped working on our students' server.

We use:
 - OpenLDAP 2.4.21
 - nss_ldap-1.265_3
 - pam_ldap-1.8.5
 - FreeBSD 9.0-CURRENT amd64

When I use sftp, it drops the connection:

{volt}-{~}% sftp localhost
Connecting to localhost...
Connection closed
{volt}-{~}%

After a short investigation, I've found that the problem is in the
/usr/libexec/sftp-server program (which is our default subsystem in
sshd):

{volt}-{~}% /usr/libexec/sftp-server
No user found for uid 5567
{volt}-{~}%

which was quite weird, because sshd works perfectly with users from the LDAP
server (so I assume that PAM is configured correctly).

After that, I've tried to make a simple test with program below:

=======================
#include <sys/types.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
 struct passwd *user_pw;

 /* Same lookup sftp-server-main.c does at startup: resolve the calling
  * uid through the passwd sources listed in nsswitch.conf. */
 if ((user_pw = getpwuid(getuid())) == NULL) {
   fprintf(stderr, "No user found for uid %lu\n",
       (u_long)getuid());
   return 1;
 } else {
   fprintf(stderr, "It works %s!\nYour uid is: %lu\n",
       user_pw->pw_name,
       (u_long)getuid());
 }

 return 0;
}
=======================

which is almost copy-pasted from /usr/src/crypto/openssh/sftp-server-main.c

I've built it twice. Once with dynamic linking:

{volt}-{~}% cc -o test test.c
{volt}-{~}% ./test
It works bulinskp!
Your uid is: 5567
{volt}-{~}%

and once with static linking:

{volt}-{~}% cc -o test -static test.c
{volt}-{~}% ./test
No user found for uid 5567
{volt}-{~}%

As you can see, it works great with dynamic linking, but if it's built
with static linking it can't get user information from the LDAP database.


Could you be so kind as to help me better understand this problem and find
some solution for it (I spent some time trying to find one, but this is
probably beyond my scope)?

I would really appreciate any tip.

Below is information about my PAM and NSS configuration:

{volt}-{~}% cat /etc/nsswitch.conf | grep passwd
passwd: files ldap
{volt}-{~}%

{volt}-{~}% cat /etc/pam.d/sshd | grep -v "^#" | grep -v "^$"
auth		sufficient	pam_opie.so			no_warn no_fake_prompts
auth		requisite	pam_opieaccess.so		no_warn allow_local
auth		requisite	/usr/local/lib/pam_af.so	debug
auth		sufficient	/usr/local/lib/pam_ldap.so	no_warn
auth		required	pam_unix.so			no_warn try_first_pass
account		required	pam_nologin.so
account		required	pam_login_access.so
account		required	/usr/local/lib/pam_ldap.so	no_warn ignore_authinfo_unavail ignore_unknown_user
account		required	pam_unix.so
session		required	pam_permit.so
session		sufficient	/usr/local/lib/pam_ldap.so	no_warn try_first_pass
password	required	pam_unix.so			no_warn try_first_pass
{volt}-{~}%

regards
-- 
Piotr Buliński
Informatyka na Wydziale Elektrycznym
Politechnika Warszawska
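The static-versus-dynamic check from the message above, as an added example that is not part of the original post or of OpenSSH: a reentrant version of the uid lookup that separates "no such user" from a backend error, plus a small parser for nsswitch.conf that lists the sources configured for a database and flags which of them libc implements itself and which need a loadable nss_<name> module (the built-in list is an assumption taken from FreeBSD's nsswitch.conf(5); the sample nsswitch.conf text is constructed for the example). Build it twice, with and without -static, the way the message does, and compare the two runs.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Reentrant form of the lookup in the message's test program. Returns 0 on
 * success (name copied into `name`), -1 if the uid has no passwd entry, and
 * otherwise the errno value reported by getpwuid_r() so that an unreachable
 * backend is not mistaken for "no such user". */
int lookup_name_for_uid(uid_t uid, char *name, size_t namelen)
{
    struct passwd pw, *result = NULL;
    char buf[4096];
    int rc = getpwuid_r(uid, &pw, buf, sizeof buf, &result);
    if (rc != 0)
        return rc;
    if (result == NULL)
        return -1;
    snprintf(name, namelen, "%s", pw.pw_name);
    return 0;
}

#define NSS_MAX_SOURCES 8
#define NSS_SOURCE_LEN 16

/* Sources FreeBSD's libc implements internally (assumption based on
 * nsswitch.conf(5)); any other name is expected to come from a loadable
 * nss_<name>.so module, which a statically linked program cannot dlopen(). */
int nss_source_is_builtin(const char *src)
{
    static const char *builtin[] = { "files", "compat", "dns", "nis", "cache", NULL };
    for (int i = 0; builtin[i] != NULL; i++)
        if (strcmp(src, builtin[i]) == 0)
            return 1;
    return 0;
}

/* Parse nsswitch.conf text and copy the sources listed for database `db`
 * into `out`. Comment and blank lines are skipped; [status=action] brackets
 * are ignored. Returns the number of sources found (0 if `db` is absent). */
int nss_sources_for_db(const char *conf, const char *db,
                       char out[][NSS_SOURCE_LEN], int max)
{
    const char *line = conf;
    size_t dblen = strlen(db);
    int n = 0;

    while (*line != '\0') {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        const char *p = line;
        while (p < line + len && (*p == ' ' || *p == '\t')) p++;
        if (p < line + len && *p != '#' &&
            strncmp(p, db, dblen) == 0 && p[dblen] == ':') {
            p += dblen + 1;
            while (p < line + len && n < max) {
                while (p < line + len && (*p == ' ' || *p == '\t')) p++;
                if (p >= line + len || *p == '#') break;
                if (*p == '[') {                 /* skip [notfound=return] etc. */
                    while (p < line + len && *p != ']') p++;
                    if (p < line + len) p++;
                    continue;
                }
                const char *start = p;
                while (p < line + len && *p != ' ' && *p != '\t' && *p != '[') p++;
                size_t wlen = (size_t)(p - start);
                if (wlen >= NSS_SOURCE_LEN) wlen = NSS_SOURCE_LEN - 1;
                memcpy(out[n], start, wlen);
                out[n][wlen] = '\0';
                n++;
            }
            return n;
        }
        if (end == NULL) break;
        line = end + 1;
    }
    return n;
}

/* Constructed sample, mirroring the passwd line quoted in the message. */
static const char sample_nsswitch[] =
    "# constructed example nsswitch.conf\n"
    "group: files ldap\n"
    "passwd: files ldap\n"
    "hosts: files [notfound=return] dns\n";

int main(void)
{
    char name[64];
    char srcs[NSS_MAX_SOURCES][NSS_SOURCE_LEN];
    int n = nss_sources_for_db(sample_nsswitch, "passwd", srcs, NSS_MAX_SOURCES);

    for (int i = 0; i < n; i++)
        printf("passwd source %s: %s\n", srcs[i],
               nss_source_is_builtin(srcs[i]) ? "built into libc"
                                              : "needs a loadable NSS module");

    int rc = lookup_name_for_uid(getuid(), name, sizeof name);
    if (rc == 0)
        printf("It works %s!\nYour uid is: %lu\n", name, (unsigned long)getuid());
    else if (rc == -1)
        printf("No user found for uid %lu\n", (unsigned long)getuid());
    else
        printf("getpwuid_r failed for uid %lu: %s\n", (unsigned long)getuid(), strerror(rc));
    return rc == 0 ? 0 : 1;
}
```

Running the dynamic build against the live /etc/nsswitch.conf shows which configured passwd source is not built into libc; when the static build then reports "No user found" for a uid that only the LDAP source knows, the missing loadable module is the first thing to suspect.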
