FAQ
$Id: FAQ,v 1.6 2004/03/04 03:24:49 cinergi Exp $
Q: What is NSS?
Q: What is PAM?
Q: Which one do I need? One? Both?
A: NSS stands for Name Service Switch. NSS allows you to implement access to
various data using any number of modules. This means that when the
operating system wants to look up the user "cinergi", it doesn't have
to know how: it calls upon the NSS system to perform the task. In turn,
we can now configure NSS to look for users in traditional places like
/etc/passwd, NIS, LDAP, and now (using this module), MySQL. The NSS
API is the backend for traditional UNIX user lookup routines like
'getpwnam', providing details such as username, uid, gid, gecos, shell,
home directory, password, etc. It does *NOT* provide for changing user
details. This is where PAM comes in handy.
PAM stands for Pluggable Authentication Modules. Like the name suggests,
PAM allows you to implement authentication (and data manipulation) using
any number of modules. Note that this differs from NSS in that it ONLY
provides authentication. It does not allow you to do such things as
"finger username", or create files owned by "username". Unlike NSS,
however, it can enable users to change their passwords using traditional
methods like the 'passwd' command.
The libnss_mysql library, like the name suggests, provides an NSS-based
solution. Whether you also need PAM depends upon whether you need
to enable users to change their password using traditional methods (you
could always script a passwd-like utility that performs MySQL commands).
PAM also allows more fine-grained setup than NSS does; you can specify
which programs use which authentication methods, i.e. your FTP daemon
could authenticate off a different database than SSH does. There are
a few other things it can do, too. Try 'man pam' for more information.
Most needs should be met using the NSS library. There are a few cases
where it may not be enough. There is one MySQL PAM module available
at the moment. I don't know if it can be made to work in conjunction
this library (I don't really see why not). I may be writing my own
module(s) in the future to address better integration as well as
the Solaris PAM problem (See the file README).
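The following program is an added illustration of the point above and is not part of the FAQ or of libnss-mysql itself: it asks for a user through the ordinary NSS API (getpwnam_r), so it receives the same fields whether /etc/nsswitch.conf points at files, NIS, LDAP or MySQL, and it never learns which backend answered. The function names nss_lookup_user and nss_uid_of are my own; the retry-on-ERANGE loop is the standard way to avoid truncating long gecos or home-directory fields, which matters for any code (an NSS module included) that copies records into fixed buffers.

```c
/* Added example: resolve a user through the NSS API the way 'finger', 'ls -l'
 * or a login daemon would. Not part of the libnss-mysql FAQ or sources.
 * Which source answers (files, NIS, LDAP, MySQL) is decided by
 * /etc/nsswitch.conf, not by this program. */
#include <errno.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Look up 'name' via NSS. On success fills *out, stores the backing buffer in
 * *buf (caller frees it) and returns 0. Returns -1 if no configured source
 * knows the user, or -2 on a system error (errno is set). */
static int nss_lookup_user(const char *name, struct passwd *out, char **buf)
{
    long hint = sysconf(_SC_GETPW_R_SIZE_MAX);
    size_t len = hint > 0 ? (size_t)hint : 1024;

    for (;;) {
        struct passwd *result = NULL;
        char *b = malloc(len);
        int rc;

        if (b == NULL)
            return -2;
        rc = getpwnam_r(name, out, b, len, &result);
        if (rc == ERANGE) {          /* buffer too small: double and retry */
            free(b);
            if (len > (1u << 20)) {  /* refuse to grow without bound */
                errno = ERANGE;
                return -2;
            }
            len *= 2;
            continue;
        }
        if (rc != 0) {               /* genuine error from the NSS stack */
            free(b);
            errno = rc;
            return -2;
        }
        if (result == NULL) {        /* no such user in any configured source */
            free(b);
            return -1;
        }
        *buf = b;
        return 0;
    }
}

/* Convenience wrapper: the uid of 'name', or -1 if the user cannot be found. */
long nss_uid_of(const char *name)
{
    struct passwd pw;
    char *buf = NULL;
    long uid;

    if (nss_lookup_user(name, &pw, &buf) != 0)
        return -1;
    uid = (long)pw.pw_uid;
    free(buf);
    return uid;
}

int main(int argc, char **argv)
{
    /* "root" is a constructed default so the program runs with no arguments */
    const char *name = argc > 1 ? argv[1] : "root";
    struct passwd pw;
    char *buf = NULL;
    int rc = nss_lookup_user(name, &pw, &buf);

    if (rc == -1) {
        printf("%s: no such user in any NSS source\n", name);
        return 1;
    }
    if (rc == -2) {
        perror("getpwnam_r");
        return 2;
    }
    printf("name=%s uid=%lu gid=%lu gecos=%s home=%s shell=%s\n",
           pw.pw_name, (unsigned long)pw.pw_uid, (unsigned long)pw.pw_gid,
           pw.pw_gecos, pw.pw_dir, pw.pw_shell);
    free(buf);
    return 0;
}
```

Run it as './nsslookup someuser' on a host where libnss-mysql is configured and compare against 'getent passwd someuser'; both go through the same switch, so if the program sees the account but 'passwd' cannot change it, that is the NSS/PAM split described above, not a lookup problem.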
Q: Do I need to edit any PAM configuration files?
A: Not likely. See the above question.
Q: Can I get the system to automatically create a user's home directory?
A: Yes. There's a PAM module, pam_mkhomedir, that allows just this.
I know that on RedHat linux, you can simply add the following line to
your /etc/pam.d/system-auth file:
session optional /lib/security/pam_mkhomedir.so skel=/etc/skel umask=0022
Note that systems running ssh in privilege-separation mode (default
in RedHat 8) will *NOT* be able to create home directories when logging
in via ssh. You'll have to shut off priv-sep mode in /etc/ssh/sshd_config
and restart ssh. There's no other known workaround at this time. Other
programs that drop root privs before calling PAM/session (I've seen 'su'
do this) will have similar troubles.
Q: Are other databases (i.e. hosts, netgroup, automount, aliases, etc.)
supported?
A: Not at this time. I plan to support these in the future, however.
Q: I have a lot of open MySQL processes - why?
A: libnss-mysql maintains a persistent connection; it's the only sane
way to implement this library without a separate daemon. If you've got
too many open processes, I recommend reducing the default (28800 seconds,
8 hours) timeout in MySQL to something like 60 seconds. You can do this by
editing/creating /etc/my.cnf and adding the following:
[mysqld]
set-variable=wait_timeout=60
Q: Why isn't it working?
A: See the file 'DEBUGGING' provided with the distribution.
Q: Why doesn't ProFTPD see my accounts in the database?
A: You must set 'PersistentPasswd' to 'Off' in your proftpd configuration.
You may also need to set your PAM config to use pam_unix.so.
Q: Why do I get the following message when I try to use 'passwd' on Solaris?
"Supported configurations for passwd management are as follows" ...
A: Sun chose to write their unix PAM module to only allow a very restrictive
configuration in /etc/nsswitch.conf. You must now specify '-r files' on
the 'passwd' command-line to manipulate the password file. For example:
passwd -r files username
I know this sucks, so figuring out a better workaround is on my TODO list.
Q: Why do I get the following message when compiling on Solaris?
Undefined first referenced
symbol in file
(some-symbol-here) /usr/local/lib/mysql/libmysqlclient.so
A: There are a number of reasons for this, but basically you either need to:
a) change the linker you're using
b) add a library to the link line
- To change the linker, simply set the environment variable 'LD' to the
full path to the linker you want to use before running 'configure'.
Usually you'll need to download and install the GNU 'ld' from the GNU
binutils package.
- To use the same linker but add the missing library, locate your libgcc.a
file from your GCC installation, and set the environment variable
'LDFLAGS' to the following before running 'configure':
-L/directory/containing/libgcc.a -lgcc
Q: I'm getting segfaults on Solaris; truss indicates a crash shortly after
libz can't be found.
A: If you're using Solaris 8+, this shouldn't be a problem as libz is included
with the OS. On earlier versions, you've probably installed it into
/usr/local/lib or somewhere in /opt. You need to make sure this directory
is included in the linker search PRIOR to building libnss-mysql. If libz
is installed in /usr/local/lib, you'd need to do the following:
sh -c "LDFLAGS=-R/usr/local/lib ./configure"