Archive for December, 2007

Cronjobs for users who exist only in the ldap database were not being run. The crond log file was showing entries like this:

Dec 27 13:42:01 server crond[2781]: (arthur) ORPHAN (no passwd entry)

To fix this, make sure that nscd is running (I didn’t have it started) and restart crond.
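As an added check (not part of the original post), the script below pulls the user names out of ORPHAN lines like the one above and asks the name service whether each of them resolves now, which is the quickest way to tell whether the nscd/LDAP lookup is the problem before restarting crond. The log lines in it are constructed samples.

```shell
#!/bin/sh
# Added example, not from the original post. Finds users that crond
# reported as "ORPHAN (no passwd entry)" and checks whether NSS
# (passwd via nsswitch.conf / nscd / ldap) can resolve them now.
# The log lines below are constructed samples in the crond format.

SAMPLE_LOG='Dec 27 13:42:01 server crond[2781]: (arthur) ORPHAN (no passwd entry)
Dec 27 13:43:01 server crond[2781]: (root) CMD (run-parts /etc/cron.hourly)
Dec 27 13:44:01 server crond[2781]: (arthur) ORPHAN (no passwd entry)
Dec 27 13:45:01 server crond[2781]: (zaphod) ORPHAN (no passwd entry)'

# Read crond log text on stdin; print each ORPHANed user exactly once.
orphan_users() {
    sed -n 's/^.*crond\[[0-9]*\]: (\([^)]*\)) ORPHAN (no passwd entry).*$/\1/p' \
        | sort -u
}

# Ask the name service for one user. Returns 0 if the account resolves
# (crond will see it after a restart), 1 if it still does not.
check_user() {
    if getent passwd "$1" >/dev/null 2>&1; then
        echo "$1: resolvable now, restart crond to pick it up"
        return 0
    fi
    echo "$1: still unresolved; check that nscd is running and nsswitch.conf lists ldap"
    return 1
}

# Run over the sample log; on a real box use: orphan_users < /var/log/cron
report_orphans() {
    printf '%s\n' "$SAMPLE_LOG" | orphan_users | while read -r user; do
        check_user "$user" || true
    done
}
```

Call `report_orphans` (or pipe the real log into `orphan_users`) once nscd is up; users that still print as unresolved are not reaching the LDAP directory at all.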

I’m having some very strange problems with ldap and samba. Some users work fine in samba and others not at all. First, I found the /etc/pam.d/system-auth problem again, where the uid must be at least 500 for it to work. I changed that to 200 and it still doesn’t work.

I also found that each time you run authconfig-tui, /etc/pam.d/system-auth-ac gets rewritten and my 200 would go back to a 500. (system-auth is just a symlink to system-auth-ac.) I fixed this by creating system-auth-EDG and linking system-auth to that. The link does not change whenever authconfig is run, so the 200/500 uid problem looks to be solved.

But why am I running authconfig-tui so much? Because I am unable to start ldap on the server when “Use LDAP” is checked under the User Information and the Authentication sections. I uncheck them, then restart ldap successfully, then go back and recheck them. If things are checked, the ldap restart command just hangs, until I press Ctrl-C a few times. Then, it gives me errors like:

Session terminated, killing shell.......killed.
/etc/pki/tls/certs/slapd.pem is not readable by "ldap" [WARNING]
Checking configuration files for slapd: config file testing succeeded [OK]
Starting slapd:  [OK]

But it’s not really started. I have to undo the authconfig stuff, restart again (at which time it restarts in about a second) and then redo the authconfig stuff.

I’ve changed the ldap user to have a login shell and have logged in and read the slapd.pem file without a problem, so I don’t really know why it complains that it can’t be read. And since the ldap user is not in the ldap database, but in /etc/passwd, I don’t understand at all why this is a problem.

I was getting some strange errors in my maillog when an ldap user would try to call spamassassin on incoming mail. This was fixed by adding the “--ldap-config” option to the spamassassin startup script. The line in the file that I changed now looks like this:

SPAMDOPTIONS="-d -c -m5 -H --ldap-config"

I’m slowly moving all of our users out of /etc/passwd to the ldap directory. One problem that I found was that users’ personal websites weren’t coming up. For example, user arthur, can make a directory called public_html in their home area and it would be accessible at server.uchicago.edu/~arthur. But for accounts that are only in the ldap database, it was as if these accounts didn’t exist.

To get the accounts to show, add the following to /etc/httpd/conf/httpd.conf:

<IfModule mod_ldap_userdir.c>
	LDAPUserDirServer	server.uchicago.edu
	LDAPUserDirSearchScope	subtree
	LDAPUserDirBaseDN	ou=people,dc=server,dc=uchicago,dc=edu
	LDAPUserDir		public_html
</IfModule>

After upgrading to RHEL5 server, I had some problems where ldap would work for a while and then stop. Using this command:

ldapsearch -x -ZZ -d4

I found that it didn’t like my self-signed certificate. I have used these in the past for all sorts of things, but now, it was causing a problem. The solution was to edit the file /etc/openldap/slapd.conf and comment out the TLSCACertificateFile line.

UPDATE
I changed the group on the bundle-ca.crt file and put it back in the slapd.conf file. Things seem to work. I don’t know why this was a problem the other day.

I thought I’d be smart and upgrade our server to the 64-bit version of RHEL5. Well, after upgrading I had many problems. A big one was this error:

[root@edg ~]# su - maryh
/bin/hostname: error while loading shared libraries: libc.so.6: wrong ELF class: ELFCLASS32

If I can’t run a simple hostname command, then there are probably lots of other issues. Thus, I’m reinstalling again with the 32-bit version.

Since roaming profiles is what’s causing our windows logins to take minutes instead of seconds, I want to make all profiles be local. To do this, run gpedit.msc.

Local Computer Policy
  Computer Configuration
    Administrative Templates
      System
        User Profiles

Check “Only allow local user profiles”
Check “Prevent Roaming Profile changes from propagating to the server”

In XP:
Tools -> Folder Options
Choose “Offline Files” tab
Uncheck “Enable offline files”