The following sections provide information about troubleshooting Linux User Management:
Section 9.1.5, LUM-Enabling Using iManager Fails During Custom User Selection
Section 9.1.7, namcd Fails to Come Up When Anonymous Binds are Disabled on the LDAP Server
Section 9.1.8, Root Login to a LUM-enabled Service logs a Message in the /var/log/messages File
Section 9.1.9, LUM Users and Groups Are Not Displayed in the Permissions Tab of the File Browser
Section 9.1.10, The ls -l Command Hangs if Large Number of Users Are LUM-Enabled
Section 9.1.11, Linux User Management Returns an Invalid UID and GID for Users and Groups
Section 9.1.13, namcd Indicates That a Certificate Is Not Found
Section 9.1.16, Password Expiration Information for the User Is Not Available
Section 9.1.21, SUSE Linux Enterprise Desktops Configured as UNIX Workstation Objects
Section 9.1.22, Special Characters in Container Name is Not Supported
A LUM service configured with a service proxy fails to come up after upgrading to OES 2018 or later. This is because the service proxy users are not migrated to the OES Credential Store (OCS). To resolve this issue, perform the following steps:
Log in as the root user.
Run yast2 novell-lum and then enter the eDirectory user password.
Specify the proxy user password.
Click Next and continue with LUM configuration.
Verify the LUM service is up and running by using the following command:
systemctl status namcd.service
Verify the service entry is present in OES Credential Store by using the following command:
oescredstore -l
While using the namconfig tool with the alternate-ldap-server-list parameter, you must ensure that the alternate LDAP server list does not contain any separator other than a comma. Ensure that the comma separator is not followed by a space because this could lead to spaces in the resulting der file when a namconfig -k is run.
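A pre-check for the separator rule above, as an added example that is not part of the original documentation. It assumes nam.conf holds key=value lines and treats anything outside hostname and address characters as a foreign separator; the function name, the optional key argument and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: validate the alternate LDAP server list before namconfig -k.
# Assumption: the configuration file holds one key=value pair per line.

check_alt_ldap_list() {
    conf=$1
    key=${2:-alternate-ldap-server-list}   # parameter name as given on this page
    # Use the last definition of the key and strip "key=" from it.
    value=$(sed -n "s/^${key}=//p" "$conf" | tail -n 1)
    [ -n "$value" ] || { echo "$key is not set"; return 0; }
    case $value in
        *[[:space:]]*) echo "whitespace in list: '$value'"; return 1 ;;
        ,*|*,|*,,*)    echo "empty entry in list: '$value'"; return 1 ;;
    esac
    # Assumption: entries are host names or addresses, so any other
    # character is a separator that is not a comma.
    case $value in
        *[!A-Za-z0-9.,:_-]*) echo "separator other than comma: '$value'"; return 1 ;;
    esac
    echo "ok: $value"
}

# Constructed sample (not from a real server): a space follows the comma.
sample=$(mktemp)
printf '%s\n' 'preferred-server=ldap1.example.com' \
    'alternate-ldap-server-list=ldap2.example.com, ldap3.example.com' > "$sample"
check_alt_ldap_list "$sample" || echo "correct the list before running namconfig -k"
rm -f "$sample"
```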
If the eDirectory schema for a user and a group is already extended to include posix attributes (uidNumber, gidNumber, homeDirectory, loginShell), and if a user is manually LUM-enabled without using iManager or the namuseradd tool, then the user might not be displayed on a server using the getent passwd or the getent group command. This is because the LUM auxiliary classes posixAccount and posixGroup are not assigned to the user or group objects. To avoid this issue, you must ensure that you LUM-enable the user only using iManager or the namuseradd tool.
If you have multiple users with the same user id belonging to different workstations, the namdiagtool fails to report any user conflict.
For example, assume that you have LUM installed on two different servers in the same eDirectory tree. If you have LUM-enabled users user1 and user2 associated with workstation1 and workstation2, and both users are assigned the same UID, then namdiagtool fails to report a user conflict.
While LUM-enabling multiple users in a container, on the Confirm selected users page, if you deselect the User checkbox and then attempt to select specific users, then the selected users are not LUM-enabled. This issue is also observed while LUM-enabling through a group using iManager.
If a LUM-enabled group or user is deleted through iManager, the reuse group and user ID feature of LUM (UCO) will not work. To use this feature, you must ensure that you delete the LUM-enabled user or group using the nam tools namuserdel and namgroupdel. For more information, see Section 7.2.8, namuserdel and Section 7.2.9, namgroupdel.
namcd does not come up after configuration and fails with the following error message:
ldap_initconn: LDAP bind failed to Preferred Server (error = [48]), trying to connect to alternative LDAP server.
This issue is observed because the LDAP server for LUM that is configured in nam.conf does not allow anonymous binds. To resolve this issue, you must configure a proxy user for LUM. For more information, see Step 4.e.
Every instance of a root login to a LUM-enabled service logs the following message in the /var/log/messages file:
User [root] is reserved and not supported via NAM
This is an informational message and can be ignored.
Newly created LUM users and groups are not displayed immediately in the Permissions tab of the file browser. This is because namcd, the Linux User Management caching daemon, has persistent search disabled by default. If you add any user or group, the file browser does not display the newly added users or groups until the next cache refresh period, which is by default set to 8 hours.
To display the newly created LUM users and groups in the file browser, refresh the LUM cache by running the following command:
namconfig cache_refresh
NOTE: You can enable or disable persistent search by setting the persistent-search parameter in the /etc/nam.conf file.
If you LUM-enable a large number of users with home directories, namcd does not cache these users immediately. As a result, if you run the ls -l command in the directory containing these home directories, the results of the command might not be returned immediately. To resolve this issue, you must run namconfig cache_refresh to ensure that namcd caches the users.
Linux User Management returns an invalid UID and GID for users and groups because of an incorrect schema mapping in the LDAP Group object.
To resolve this problem:
Log in to iManager.
In Roles and Tasks, click LDAP > LDAP Options.
Click the Attribute Map tab.
Change the mapping of the uniqueID (eDirectory attribute) to uid (LDAP attribute).
Remove any mapping for LDAP attribute uidNumber and gidNumber.
Click Apply to save the changes.
Click OK to exit.
When Linux User Management is configured on a workstation, the base name is specified in the nam.conf file. If Linux User Management is reconfigured with a new partition root without removing the existing configuration, the namconfig command fails with an error indicating Specified partition root and Partition root in the NDS configuration files doesn't match.
To resolve this issue, delete nam.conf and rerun namconfig.
When you start Linux User Management, in some scenarios namcd displays an error indicating that a certificate is not found.
Linux User Management requires a server certificate to do SSL authentication to the LDAP server. A server certificate file for SSL authentication must be present in the /var/lib/novell-lum/.preferred_server-name.filetype directory where .preferred_server-name.filetype is the certificate file of the preferred server. If this file is deleted or is corrupt, import it by using namconfig -k.
In a name-mapped Domain Services for Windows (DSfW) tree, if the tree is already enabled for Linux User Management and the UNIX Config object is placed in a custom location other than the admin user context, YaST might not be able to find the UNIX Config object. When this happens, it adds a new UNIX Config object under ou=novell, $domain, which causes duplication of UIDs and GIDs.
To avoid this, change the range of the UIDs and GIDs in one of the UNIX config objects in the tree.
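Both the namdiagtool limitation described earlier and the duplicate UNIX Config object case leave overlapping IDs unreported, so they can be checked directly from an LDIF export of the posix attributes. This is an added example, not part of the original documentation; the function name and sample DNs are constructed, and the input is assumed to be unwrapped LDIF carrying objectClass, uidNumber and gidNumber lines.

```shell
#!/bin/sh
# Added example: report uidNumber/gidNumber values held by more than one object.
# A gidNumber shared by several users (their primary group) is not a conflict;
# only two posixGroup objects with the same gidNumber are reported.

find_id_conflicts() {
    out=$(awk '
    function end_entry() {
        if (dn != "" && is_user && uidn != "")  { users[uidn] = users[uidn] " [" dn "]"; nu[uidn]++ }
        if (dn != "" && is_group && gidn != "") { groups[gidn] = groups[gidn] " [" dn "]"; ng[gidn]++ }
        dn = ""; uidn = ""; gidn = ""; is_user = 0; is_group = 0
    }
    /^dn: /        { dn = substr($0, 5) }
    /^uidNumber: / { uidn = $2 }
    /^gidNumber: / { gidn = $2 }
    tolower($0) ~ /^objectclass: posixaccount/ { is_user = 1 }
    tolower($0) ~ /^objectclass: posixgroup/   { is_group = 1 }
    /^[ \t\r]*$/   { end_entry() }      # a blank line closes an LDIF entry
    END {
        end_entry()
        for (u in nu) if (nu[u] > 1) print "UID " u ":" users[u]
        for (g in ng) if (ng[g] > 1) print "GID " g ":" groups[g]
    }' "$@" | sort)
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample: two users in different workstation contexts share UID 1001.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: cn=user1,ou=workstation1,o=example
objectClass: posixAccount
uidNumber: 1001
gidNumber: 600

dn: cn=user2,ou=workstation2,o=example
objectClass: posixAccount
uidNumber: 1001
gidNumber: 600

dn: cn=lumgroup,o=example
objectClass: posixGroup
gidNumber: 600
EOF
find_id_conflicts "$sample" || echo "conflicting IDs found"
rm -f "$sample"
```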
If it takes more than 60 seconds to log in, the login utility times out. This is a limitation of Linux operating systems.
The pam_nam account management module should always be stacked only after the pam_nam authentication module. If it is stacked directly after any other module, the behavior of pam_nam might be unpredictable. You might not be able to extract the user's password and account expiration, or other authentication details.
If the id command or the getent command is not displaying the desired result, one of the reasons might be that the entries are cached by nscd (name service caching daemon).
If you have changed the /etc/nsswitch.conf file, the /etc/passwd file, or the /etc/group file, stop and restart nscd by using the following commands:
systemctl stop nscd.service
systemctl start nscd.service
If Linux User Management is configured against eDirectory in the same system, and the system is rebooted, namcd tries to bind to the LDAP server while the system is coming up. If the LDAP server (eDirectory) takes more than one minute to come up, namcd tries to contact the alternative LDAP servers, if any.
If replica servers do not exist or do not respond, namcd does not come up and must be restarted manually. This is also applicable for scenarios where eDirectory and namcd are started simultaneously or within a very short time.
The LDAP server startup status is logged into the ndsd.log file in the server’s var directory.
See the /var/lib/novell-lum/nam.log file for more details on the functioning of the corresponding components.
See the /var/log/YaST/y2log file for information on how namconfig is called by the installation program.
See the /var/log/messages file for runtime log information.
If you are installing OES into an existing NDS8 tree and the new OES server doesn't contain an eDirectory replica, you might get a Missing Mandatory Attribute error when enabling an existing user for Linux User Management in iManager.
In most cases you can modify the user at the command line by using the namusermod command. If the command line utility doesn't work, you need to add a replica to the server. For more information, see Adding a Replica in the NetIQ eDirectory Administration Guide.
Although computers running SUSE Linux Enterprise Desktop 12 can be configured as Workstation objects, their Linux User Management services might not appear when viewed in iManager. The services do not appear because the software infrastructure required for server management is not automatically installed as part of SUSE Linux Enterprise Desktop.
LUM service configuration fails if the container name contains the special characters \, *, (, ), = and space.