1

I try to configure NSCD to connect ldap users to my PC.

I like, that users could login offline in this PCs (online ldap users works fine).

Actually, i can use the user, but when i try to introduce the password, the PC is waiting and finally, it say that the password is incorrect.

I think, that the caching password is the problem because, the user accept very fast and if i clean the nscd cache the user is wrong.

This is my nscd.conf

    logfile                 /var/log/nscd.log
    server-user             nscd
    debug-level             0
    paranoia                no
    restart-interval        3600

    enable-cache            passwd          yes
    positive-time-to-live   passwd          3600
    negative-time-to-live   passwd          20
    suggested-size          passwd          211
    check-files             passwd          yes
    persistent              passwd          yes
    shared                  passwd          yes
    max-db-size             passwd          33554432
    auto-propagate          passwd          yes

    enable-cache            group           yes
    positive-time-to-live   group           3600
    negative-time-to-live   group           60
    suggested-size          group           211
    check-files             group           yes
    persistent              group           yes
    shared                  group           yes
    max-db-size             group           33554432
    auto-propagate          group           yes

    enable-cache            hosts           no

And my authconfig --test

    authconfig --test:

    caching is enabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
    hesiod LHS = ""
    hesiod RHS = ""
    nss_ldap is enabled
    LDAP+TLS is disabled
    LDAP server = "ldap://xxxxxxxxxxxxxxxx"
    LDAP base DN = "dc=xxxxxxxxxxxxxxx,dc=xxx"
    nss_nis is disabled
    NIS server = ""
    NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
    SMB workgroup = "MYGROUP"
    SMB servers = ""
    SMB security = "user"
    SMB realm = ""
    Winbind template shell = "/bin/false"
    SMB idmap uid = "16777216-33554431"
    SMB idmap gid = "16777216-33554431"
    nss_sss is disabled by default
    nss_wins is disabled
    pam_unix is always enabled
    shadow passwords are enabled
    password hashing algorithm is md5
    pam_krb5 is disabled
    krb5 realm = "EXAMPLE.COM"
    krb5 realm via dns is disabled
    krb5 kdc = "kerberos.example.com:88"
    krb5 kdc via dns is disabled
    krb5 admin server = "kerberos.example.com:749"
    pam_ldap is enabled

     LDAP+TLS is disabled
     LDAP server = "ldap://xxxxxxxxxxxxxxxxxx"
     LDAP base DN = "dc=xxxxxxxxxxxxxxxxxxxx,dc=xxxxx"
    pam_pkcs11 is disabled

     use only smartcard for login is disabled
     smartcard module = "coolkey"
     smartcard removal action = "Ignorar"
    pam_smb_auth is disabled
     SMB workgroup = "MYGROUP"
     SMB servers = ""
    pam_winbind is disabled
     SMB workgroup = "MYGROUP"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_sss is disabled by default
    pam_cracklib is enabled (try_first_pass retry=3)
    pam_passwdqc is disabled ()
    pam_access is disabled ()
    pam_mkhomedir is disabled ()
    Always authorize local users is disabled ()
    Authenticate system accounts against network services is disabled

If anyone have any idea, please, answer me!

PD: Sorry, my english is bad!

madrikeka
  • 23
  • 7

2 Answers2

1

nscd isn't designed to cache passwords. Check out sssd or pam_ccreds

ptman
  • 28,394
  • 2
  • 30
  • 45
0

If I were you, I need to create some additional local "admin" users with the same name as ldap "admin" users.

Because in case the ldap/winbind service is not available, or some special scenarios like maintainance mode, its very risky, Im could be in a huge problem with ldap/winbind authen

Shâu Shắc
  • 356
  • 2
  • 4