| 2011-06-07 15:54:35 |
Oliver |
description |
Binary package hint: likewise-open
Let me start by explaining the system details and observed behavior. We are running ejabberd on Ubuntu 11.04 and have it interface with PAM - and thus pam_lsass from likewise-open - to authenticate domain users.
The system is fully up-to-date as of now.
Interestingly we got the PAM authentication to work for some users, but it "mysteriously" failed for others. It turned out, that those failing where failing with LW_ERROR_STRING_CONV_FAILED. Usually - but not always - accompanied by the note (in syslog) that group membership lookup failed. When sifting through our AD, I noticed that all entities that have diacritic characters in them (e.g. ó, á, ä, ö, ð, þ) would cause the failure. A test to verify my finding was to rename the security groups for some few accounts and replace the diacritic characters with their Latin default form. And indeed suddenly the affected accounts were able to log on.
The OUs - of which some also contain diacritic characters - don't seem to matter. However, the security groups and even the full name of the account owners did matter.
Sifting through a clone of the Likewise repo, I figured that the issue is likely conversion *from* UTF-16 to the MBCS of the process, though the same error is returned by the inverse operation as well. Since LANG defaults to "C" I figured that I had to pass the proper setting to the lsassd process. Proper being any UTF-8 locale, in my case I set LANG=en_US.UTF-8. This was done by modifying /usr/lib/likewise-open/init-base.sh (though /etc/init.d/lwsmd would have been an alternative), by adding:
LANG=en_US.UTF-8
export LANG
This completely resolved the issue.
I would like to propose that the package maintainer consider using /etc/default/lwsmd to provide a less intrusive means of fixing such behavior on Debian/Ubuntu in future.
Please let me know if anything is missing or unclear.
Best regards,
// Oliver
------
[2] root@jabber:~# lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
[2] root@jabber:~# apt-cache policy likewise-open
likewise-open:
Installed: 6.0.0.53010-4ubuntu5
Candidate: 6.0.0.53010-4ubuntu5
Version table:
*** 6.0.0.53010-4ubuntu5 0
500 http://is.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
100 /var/lib/dpkg/status |
Binary package hint: likewise-open
Let me start by explaining the system details and observed behavior. We are running ejabberd on Ubuntu 11.04 and have it interface with PAM - and thus pam_lsass from likewise-open - to authenticate domain users.
The system is fully up-to-date as of now.
Interestingly we got the PAM authentication to work for some users, but it "mysteriously" failed for others. It turned out, that those failing where failing with LW_ERROR_STRING_CONV_FAILED. Usually - but not always - accompanied by the note (in syslog) that group membership lookup failed. When sifting through our AD, I noticed that all entities that have diacritic characters in them (e.g. á, ó, ú, æ, ö, ð, þ) would cause the failure. A test to verify my finding was to rename the security groups for some few accounts and replace the diacritic characters with their Latin default form. And indeed suddenly the affected accounts were able to log on.
The OUs - of which some also contain diacritic characters - don't seem to matter. However, the security groups and even the full name of the account owners did matter.
Sifting through a clone of the Likewise repo, I figured that the issue is likely conversion *from* UTF-16 to the MBCS of the process, though the same error is returned by the inverse operation as well. Since LANG defaults to "C" I figured that I had to pass the proper setting to the lsassd process. Proper being any UTF-8 locale, in my case I set LANG=en_US.UTF-8. This was done by modifying /usr/lib/likewise-open/init-base.sh (though /etc/init.d/lwsmd would have been an alternative), by adding:
LANG=en_US.UTF-8
export LANG
This completely resolved the issue.
I would like to propose that the package maintainer consider using /etc/default/lwsmd to provide a less intrusive means of fixing such behavior on Debian/Ubuntu in future.
Please let me know if anything is missing or unclear.
Best regards,
// Oliver
------
[2] root@jabber:~# lsb_release -rd
Description: Ubuntu 11.04
Release: 11.04
[2] root@jabber:~# apt-cache policy likewise-open
likewise-open:
Installed: 6.0.0.53010-4ubuntu5
Candidate: 6.0.0.53010-4ubuntu5
Version table:
*** 6.0.0.53010-4ubuntu5 0
500 http://is.archive.ubuntu.com/ubuntu/ natty/main amd64 Packages
100 /var/lib/dpkg/status |
|